Google redirect/Atapi.sys problem

6 replies to this topic

#1 Marcusartist

  • Members
  • 4 posts

Posted 01 February 2010 - 07:49 PM

Hi all, I hope you can help me with this. I've been plagued by a "google redirect" virus for a few weeks now. I've scanned with malwarebytes, adaware, and many other apps. The only ones that detected anything were gmer and Hitman. Gmer reports that atapi.sys has been suspiciously modified. Hitman reports atapi.sys as a Rootkit. I didn't allow Hitman to make any changes because I'm not confident that I should be attempting to modify a .sys file, and I've read accounts of people really messing up their comps by trying to fix the atapi.sys issue. I've used HT but it doesn't really show anything wrong as far as I can tell.
I'm running XP Home SP3. Firefox is my browser. I stopped using IE8 because that browser is what I was using when I first noticed the problem; now it's happening with Firefox as well. I realize this is a common problem nowadays; many people are experiencing this redirect issue. When the problem first showed up a few weeks ago, I went through a few blue screens of death, and also my desktop was changed to a light green background with a black fake warning box in the middle, "you are infected", or whatever... I did a System Restore and that helped for a few days but now the redirect problem is back. I've also noticed that ALL the processes running in my Task Manager are taking up a LOT more memory than usual. I installed Cleanmem and it's keeping that problem in check at least....

This "virus" is not always noticeable. Sometimes I can use google without any problems, other times I'm redirected. Oh, and I do not have my XP cd anymore; I'd have to contact Dell for a new disc. (I have the drivers/utilities disc and the Application disc that's all)


So... is there a way I can fix this atapi file, which has apparently been modified? I'm assuming combofix will work, but I will need some assistance using it; I don't want to take any chances.

Update: ran a RootRepeal scan and an MBR rootkit was detected. Also, something about "bootstrap.exe" and some other interesting stuff; I have a .txt file saved if you want me to post it. Also, under Device Manager, view hidden files, SASDIFSV and SASKUTIL are both either not working properly or do not have correct drivers installed; not sure if this is related to the problem or not...

Update: ran Win32kDiag and all I get is: WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!



Thanks for any help,

Mark

Edited by Marcusartist, 01 February 2010 - 11:46 PM.


#2 Marcusartist

  • Topic Starter
  • Members
  • 4 posts

Posted 03 February 2010 - 03:26 PM

Another update: my situation keeps getting worse and worse... I was playing an MMORPG today and didn't even have any browser open, and suddenly a warning box popped up right over my game screen about my PC being infected (I believe the program was called "Protect my PC" or something like that). Anyway, it started "scanning" and of course reported all sorts of problems. Anyway, I ran Hitman and got rid of several baddies, but when I rebooted I was unable to open ANYthing ending in .exe. Somehow my rundll32 was corrupted or something... so I got online on a friend's comp and downloaded an app called "exefix" for XP... this worked... so far.

My system keeps getting worse and worse, and I think the main problem is that atapi.sys file...

#3 boopme

To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 February 2010 - 04:53 PM

Hello, please run this next.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#4 Marcusartist

  • Topic Starter
  • Members
  • 4 posts

Posted 04 February 2010 - 10:18 PM

Hi, Boopme. Thank you for taking the time to help me. Here are my MBAM and MBR logs. (FYI, during my first MBAM scan the comp shut down; BS o'Death, but it worked the second time.)

Malwarebytes' Anti-Malware 1.44
Database version: 3691
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/4/2010 8:24:07 PM
mbam-log-2010-02-04 (20-23-24).txt

Scan type: Quick Scan
Objects scanned: 144187
Time elapsed: 20 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HelpAssistant.MARCUSAR-38F8CE.001\Start Menu\Programs\Your PC Protector (Rogue.YourPCProtector) -> No action taken.

Files Infected:
C:\Documents and Settings\HelpAssistant.MARCUSAR-38F8CE.001\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk (Rogue.YourPCProtector) -> No action taken.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.



Some more info: whatever I'm infected with keeps adding more crap to my comp; yesterday I did some scans and found "sdra64.exe".... I got rid of it, but... I'm wondering how I keep getting new malware when I'm not surfing anymore... I keep getting infected with different nasties... whatever I have has opened a door, a very wide door apparently, because Hitman, MBAM, WinPatrol, HJT, etc., kept finding new baddies each day... I did the scans and cleaned, rescanned and thought I was OK, then new stuff kept showing up... I'm wondering if there's ONE bad guy (rootkit?) that keeps me wide open to new infections... Oh, something else I just remembered: I copied "atapi.sys" from my I386 folder to replace the one in the sys32 drivers folder; this was a "fix" I had read about. My atapi.sys was "suspiciously modified" as I stated in my initial post, and when I checked the file it was indeed modified on Jan 18 2010 (the original was 2004)... not sure if you need any of this info, just wanted to let you know..

And something else: I connect to the internet with a Netgear USB wireless adaptor; the router I have hooked up to my family's computer upstairs... I set up the router for them, but there's no security on it (they're using Windows ME and the CD that came with the router is not compatible with ME, but the router could still (obviously) be hooked up). This was the advice the guys at Radio Shack (yeah, I know...) gave me, so... how can I secure BOTH our computers??


thanks again for your help.

Edited by Marcusartist, 04 February 2010 - 11:13 PM.
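The mbr.exe and MBAM output posted above is plain text that can be triaged mechanically. The parser below is an added example, not part of this thread or of either tool; it runs over constructed samples modelled on the logs in this post (same sector numbers) and assumes 512-byte sectors for the byte-offset arithmetic.

```python
import re

# Constructed sample modelled on the mbr.exe output posted in this thread
# (same sector numbers as reported there).
MBR_LOG = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Constructed excerpt of an MBAM log: summary counters plus one detection line.
MBAM_LOG = """\
Registry Keys Infected: 8
Folders Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> No action taken.
"""

SECTOR_BYTES = 512  # assumed sector size, used only for the byte-offset arithmetic
SECTOR_PATTERNS = {
    "original_mbr_copy": r"copy of MBR has been found in sector (0x[0-9A-Fa-f]+)",
    "malicious_code": r"malicious code @ sector (0x[0-9A-Fa-f]+)",
    "pe_file": r"PE file found in sector at (0x[0-9A-Fa-f]+)",
}

def parse_mbr_log(text):
    """Triage one mbr.exe run: did both MBR reads succeed, is an infection declared,
    and which sectors hold the stashed original MBR, the loader code and the PE payload."""
    reads = set(re.findall(r"^(user|kernel): MBR read successfully$", text, re.M))
    sectors = {}
    for name, pat in SECTOR_PATTERNS.items():
        m = re.search(pat, text)
        if m:  # a clean run prints none of these lines
            n = int(m.group(1), 16)
            sectors[name] = {"sector": n, "byte_offset": n * SECTOR_BYTES}
    fix = re.search(r'Use: "([^"]+)" to fix', text)
    return {"reads_ok": {"user", "kernel"} <= reads,
            "infected": "MBR rootkit infection detected" in text,
            "sectors": sectors, "fix_hint": fix.group(1) if fix else None}

def parse_mbam_log(text):
    """Summary counters from an MBAM log, plus how many detections were left in
    place ('No action taken'), which means the log was posted before removal ran."""
    counts = {k: int(v) for k, v in re.findall(r"^([A-Za-z ]+) Infected: (\d+)$", text, re.M)}
    pending = len(re.findall(r"-> No action taken\.$", text, re.M))
    return {"counts": counts, "total": sum(counts.values()), "not_removed": pending}
```

The `not_removed` counter is the check worth making on a log like the one above: every entry there ends in "No action taken", so the scan reported but did not remove anything.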


#5 boopme

To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 February 2010 - 04:31 PM

Hello, as you have both sdra64.exe and atapi mods... These will keep restarting and we'll need an HJT log to remove. I am concerned you have a Virut infection.
I figure you ran GMER to get that info, so in the next step post its log instead of RootRepeal's.

You will need to run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using HijackThis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.



Avira Free is compatible with those operating systems.
http://www.free-av.de/en/trialpay_download..._antivirus.html

#6 Marcusartist

  • Topic Starter
  • Members
  • 4 posts

Posted 09 February 2010 - 01:37 PM

Hi Boopme. I've solved my problems; everything is ok now. Thanks again!

#7 boopme

To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 February 2010 - 03:30 PM

Hi, OK, thanks for letting us know..
If you are sure it's clear then...

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.