Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I think I have a trojan / rootkit problem


  • Please log in to reply
1 reply to this topic

#1 andrewh

andrewh

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:01 AM

Posted 13 April 2010 - 06:48 PM

Hi,

I think I have a rootkit / trojan problem:

Whilst browsing Eset Nod keeps popping up tellingme its blocked access to this, that and the other when I'm not trying to go to them. I cannot run windowsupdate or access any websites with the words windowsupdate in them. My google results were redirecting off to random domains/search.php although that has stopped since I've run an updated Malware Bytes and Spybot.

I tried running TDSSkiller which tells me I have an infected atapi.sys and that it'll fix it on a reboot, but it doesn't seem able to. GMER tells me something similar:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-14 00:36:36
Windows 5.1.2600 Service Pack 3
Running: g15dib8g.exe; Driver: C:\DOCUME~1\Andrew\LOCALS~1\Temp\awlorpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89C5CAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

I tried booting ERP Commander and replacing the infected atapi.sys with one from the XP SP3 CD, something I have also tried in System Recovery Console but when I boot back into Windows I have the same problems.

Also I can't post this message to the forum on the PC with the problem - kCFErrorDomainWinSock:10052

Thanks for looking

Andrew

BC AdBot (Login to Remove)

 


#2 andrewh

andrewh
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:01 AM

Posted 15 April 2010 - 09:37 PM

I fixed it:

For anyone interested, did the following:

On a clean PC:

Downloaded XP SP 3 again
Extracted the atapi.sys from XP SP 3 to a usb stick
Renamed the file to andrew.txt on the stick
Copied the file to the root of my infected pc
Rebooted the PC into the recovery console
Removed c:\windows\system32\drivers\atapi.sys and c:\windows\system32\dllcache\atapi.sys
renamed andrew.txt to atapi.sys and copied to c:\windows\system32\drivers
rebooted

ran tdsskiller.exe and gmer - no errors or mentions of funny atapi.sys files, can finally browse the internet without eset telling me its blocking access to blahblah.cc every 10 seconds and windowsupdate is working again

Hope it helps someone

Andrew




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users