Google redirects, problematic atapi.sys, random iexplorer.exe popups


This topic is locked
13 replies to this topic

#1 plainoldconnor

  • Members
  • 6 posts

Posted 16 April 2010 - 05:04 PM

Greetings,

First off, thanks for any assistance you can provide. The situation was worse before I made this post, but I've managed to kill most of the infection through other help sites. The problem that has been getting me is what came with the malware: a rootkit, as far as I can tell. MBAM and AVG both don't seem to detect any problems, but GMER detects problems with atapi.sys. I've already tried to fix it by using the Recovery Console and a spare copy of atapi.sys, but as far as I can tell, it hasn't done a thing.

The source of the original infection was ave.exe. As far as I can tell, it's been taken care of, but the rootkit might be preventing me from cleaning up any remnants.

Symptoms (from what I've experienced already) are redirects from Google, random new tabs leading to ad sites when Firefox is up, and iexplorer occasionally popping up by itself (hasn't happened lately, though). At the beginning of this fiasco, pages were closing by themselves for no foreseeable reason. Before that, due to the remnants of a previous infection, my address bar in Explorer windows will reset after typing for a couple of seconds, and my computer won't go into standby or hibernate.

ComboFix had been run to clear the original infection, and when I discovered the rootkit and replaced atapi.sys with a clean copy, I ran it again and it deleted some stuff, but the symptoms persist. I'll attach the last log I got from it with my other stuff, if it helps. TDSSKiller has been run several times, to no avail.

I'll acknowledge this infection is completely my fault, with my lax security updates and use of P2P programs. Sorry to cause you folks trouble with my irresponsibility, but I don't really have anywhere else to turn.

Again, thank you for anything you can help with.

-plainoldconnor

Edited by plainoldconnor, 16 April 2010 - 05:22 PM.


#2 thewall

  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 21 April 2010 - 10:59 AM


Hello plainoldconnor. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I need for you to perform the following:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 plainoldconnor

  • Topic Starter
  • Members
  • 6 posts

Posted 21 April 2010 - 04:17 PM

Thanks for the help. Since I posted, my previous actions seem to have kicked in, as my browser no longer redirects and a lot of my prior symptoms have evaporated. My computer is still slow, though, and I'm not sure if it's completely gone, so I'll continue with you.

Here's the TDSS log:
19:02:45:480 2484 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
19:02:45:480 2484 ================================================================================
19:02:45:480 2484 SystemInfo:

19:02:45:480 2484 OS Version: 5.1.2600 ServicePack: 2.0
19:02:45:480 2484 Product type: Workstation
19:02:45:480 2484 ComputerName: GAMING
19:02:45:480 2484 UserName: Conner
19:02:45:480 2484 Windows directory: C:\WINDOWS
19:02:45:480 2484 Processor architecture: Intel x86
19:02:45:480 2484 Number of processors: 2
19:02:45:480 2484 Page size: 0x1000
19:02:45:480 2484 Boot type: Normal boot
19:02:45:480 2484 ================================================================================
19:02:45:480 2484 UnloadDriverW: NtUnloadDriver error 2
19:02:45:480 2484 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:02:45:573 2484 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:02:45:573 2484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:02:45:573 2484 wfopen_ex: Trying to KLMD file open
19:02:45:573 2484 wfopen_ex: File opened ok (Flags 2)
19:02:45:573 2484 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:02:45:573 2484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:02:45:573 2484 wfopen_ex: Trying to KLMD file open
19:02:45:573 2484 wfopen_ex: File opened ok (Flags 2)
19:02:45:573 2484 Initialize success
19:02:45:573 2484
19:02:45:620 2484 Scanning Services ...
19:02:47:136 2484 Raw services enum returned 342 services
19:02:47:152 2484
19:02:47:152 2484 Scanning Kernel memory ...
19:02:47:152 2484 Devices to scan: 2
19:02:47:152 2484
19:02:47:152 2484 Driver Name: Disk
19:02:47:152 2484 IRP_MJ_CREATE : B80FEC30
19:02:47:152 2484 IRP_MJ_CREATE_NAMED_PIPE : 804F4456
19:02:47:152 2484 IRP_MJ_CLOSE : B80FEC30
19:02:47:152 2484 IRP_MJ_READ : B80F8D9B
19:02:47:152 2484 IRP_MJ_WRITE : B80F8D9B
19:02:47:152 2484 IRP_MJ_QUERY_INFORMATION : 804F4456
19:02:47:152 2484 IRP_MJ_SET_INFORMATION : 804F4456
19:02:47:152 2484 IRP_MJ_QUERY_EA : 804F4456
19:02:47:152 2484 IRP_MJ_SET_EA : 804F4456
19:02:47:152 2484 IRP_MJ_FLUSH_BUFFERS : B80F9366
19:02:47:152 2484 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4456
19:02:47:152 2484 IRP_MJ_SET_VOLUME_INFORMATION : 804F4456
19:02:47:152 2484 IRP_MJ_DIRECTORY_CONTROL : 804F4456
19:02:47:152 2484 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4456
19:02:47:152 2484 IRP_MJ_DEVICE_CONTROL : B80F944D
19:02:47:152 2484 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80FCFC3
19:02:47:152 2484 IRP_MJ_SHUTDOWN : B80F9366
19:02:47:152 2484 IRP_MJ_LOCK_CONTROL : 804F4456
19:02:47:152 2484 IRP_MJ_CLEANUP : 804F4456
19:02:47:152 2484 IRP_MJ_CREATE_MAILSLOT : 804F4456
19:02:47:152 2484 IRP_MJ_QUERY_SECURITY : 804F4456
19:02:47:152 2484 IRP_MJ_SET_SECURITY : 804F4456
19:02:47:152 2484 IRP_MJ_POWER : B80FAEF3
19:02:47:152 2484 IRP_MJ_SYSTEM_CONTROL : B80FFA24
19:02:47:152 2484 IRP_MJ_DEVICE_CHANGE : 804F4456
19:02:47:152 2484 IRP_MJ_QUERY_QUOTA : 804F4456
19:02:47:152 2484 IRP_MJ_SET_QUOTA : 804F4456
19:02:47:199 2484 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:02:47:199 2484
19:02:47:199 2484 Driver Name: atapi
19:02:47:199 2484 IRP_MJ_CREATE : 8A445AC8
19:02:47:199 2484 IRP_MJ_CREATE_NAMED_PIPE : 8A445AC8
19:02:47:199 2484 IRP_MJ_CLOSE : 8A445AC8
19:02:47:199 2484 IRP_MJ_READ : 8A445AC8
19:02:47:199 2484 IRP_MJ_WRITE : 8A445AC8
19:02:47:199 2484 IRP_MJ_QUERY_INFORMATION : 8A445AC8
19:02:47:199 2484 IRP_MJ_SET_INFORMATION : 8A445AC8
19:02:47:199 2484 IRP_MJ_QUERY_EA : 8A445AC8
19:02:47:199 2484 IRP_MJ_SET_EA : 8A445AC8
19:02:47:199 2484 IRP_MJ_FLUSH_BUFFERS : 8A445AC8
19:02:47:199 2484 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A445AC8
19:02:47:215 2484 IRP_MJ_SET_VOLUME_INFORMATION : 8A445AC8
19:02:47:215 2484 IRP_MJ_DIRECTORY_CONTROL : 8A445AC8
19:02:47:215 2484 IRP_MJ_FILE_SYSTEM_CONTROL : 8A445AC8
19:02:47:215 2484 IRP_MJ_DEVICE_CONTROL : 8A445AC8
19:02:47:215 2484 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A445AC8
19:02:47:215 2484 IRP_MJ_SHUTDOWN : 8A445AC8
19:02:47:215 2484 IRP_MJ_LOCK_CONTROL : 8A445AC8
19:02:47:215 2484 IRP_MJ_CLEANUP : 8A445AC8
19:02:47:215 2484 IRP_MJ_CREATE_MAILSLOT : 8A445AC8
19:02:47:215 2484 IRP_MJ_QUERY_SECURITY : 8A445AC8
19:02:47:215 2484 IRP_MJ_SET_SECURITY : 8A445AC8
19:02:47:215 2484 IRP_MJ_POWER : 8A445AC8
19:02:47:215 2484 IRP_MJ_SYSTEM_CONTROL : 8A445AC8
19:02:47:215 2484 IRP_MJ_DEVICE_CHANGE : 8A445AC8
19:02:47:215 2484 IRP_MJ_QUERY_QUOTA : 8A445AC8
19:02:47:215 2484 IRP_MJ_SET_QUOTA : 8A445AC8
19:02:47:215 2484 Driver "atapi" infected by TDSS rootkit!
19:02:47:261 2484 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
19:02:47:261 2484 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
19:02:47:261 2484 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:02:47:261 2484 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
19:02:48:027 2484 vfvi6
19:02:48:434 2484 !dsvbh1
19:02:51:122 2484 dsvbh2
19:02:51:122 2484 fdfb2
19:02:51:122 2484 Backup copy found, using it..
19:02:51:153 2484 will be cured on next reboot
19:02:51:153 2484 Reboot required for cure complete..
19:02:51:153 2484 Cure on reboot scheduled successfully
19:02:51:153 2484
19:02:51:153 2484 Completed
19:02:51:153 2484
19:02:51:153 2484 Results:
19:02:51:153 2484 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
19:02:51:153 2484 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:02:51:153 2484 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:02:51:153 2484
19:02:51:153 2484 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:02:51:153 2484 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:02:51:153 2484 UnloadDriverW: NtUnloadDriver error 1
19:02:51:153 2484 KLMD(ARK) unloaded successfully
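
The atapi section of the log above is the tell. Every one of its IRP_MJ_* entries points to the same address, 8A445AC8, whereas the clean Disk driver fans its requests out over several routines inside its own image (B80F....) and sends the IRPs it does not implement to one shared kernel stub (804F4456). A dispatch table that has collapsed to a single address means the driver's entry points were overwritten, which is how the TDSS (TDL3) variants of that period hijacked atapi.sys and funnelled every disk request through their own handler. The script below is an added example, not code from this thread or from TDSSKiller: it parses the per-driver dispatch dumps that TDSSKiller prints and flags any driver whose whole table resolves to one address. The embedded sample is a trimmed copy of the two driver sections above (same addresses, fewer IRPs), and MIN_ENTRIES is an arbitrary threshold so a partial dump is not judged.

```python
"""Flag kernel drivers whose IRP dispatch table has been collapsed to one address.

Added example for reading TDSSKiller's "Scanning Kernel memory" output; it is not
code from the thread or from Kaspersky's tool.  Each driver section lists the
IRP_MJ_* major-function handlers.  A clean driver routes the IRPs it implements
to routines inside its own image and the rest to a single kernel stub (804F4456
in the Disk table above), so two or more distinct addresses are normal.  When
every entry points to the same address, the dispatch table has been overwritten.
"""
import re

# Constructed sample: the Disk and atapi sections from the posted log, trimmed
# to a handful of IRPs each.  Addresses are the ones that appear in the post.
SAMPLE_LOG = """\
19:02:47:152 2484 Driver Name: Disk
19:02:47:152 2484 IRP_MJ_CREATE : B80FEC30
19:02:47:152 2484 IRP_MJ_CREATE_NAMED_PIPE : 804F4456
19:02:47:152 2484 IRP_MJ_CLOSE : B80FEC30
19:02:47:152 2484 IRP_MJ_READ : B80F8D9B
19:02:47:152 2484 IRP_MJ_WRITE : B80F8D9B
19:02:47:152 2484 IRP_MJ_DEVICE_CONTROL : B80F944D
19:02:47:199 2484 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
19:02:47:199 2484 Driver Name: atapi
19:02:47:199 2484 IRP_MJ_CREATE : 8A445AC8
19:02:47:199 2484 IRP_MJ_CREATE_NAMED_PIPE : 8A445AC8
19:02:47:199 2484 IRP_MJ_CLOSE : 8A445AC8
19:02:47:199 2484 IRP_MJ_READ : 8A445AC8
19:02:47:199 2484 IRP_MJ_WRITE : 8A445AC8
19:02:47:215 2484 IRP_MJ_DEVICE_CONTROL : 8A445AC8
19:02:47:261 2484 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
"""

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})")
MIN_ENTRIES = 3  # arbitrary threshold so a partial dump is not judged


def parse_dispatch_tables(log_text):
    """Return {driver: {irp_name: handler_address}} from TDSSKiller log text."""
    tables = {}
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def assess(table):
    """Return ('suspicious', reason) when all handlers share one address, else ('ok', reason)."""
    addresses = sorted(set(table.values()))
    if len(table) >= MIN_ENTRIES and len(addresses) == 1:
        return "suspicious", "all %d IRP_MJ handlers -> %08X" % (len(table), addresses[0])
    return "ok", "%d distinct handler addresses" % len(addresses)


def triage(log_text):
    """Map every driver in the dump to its (verdict, reason)."""
    return {name: assess(tbl) for name, tbl in parse_dispatch_tables(log_text).items()}


if __name__ == "__main__":
    for driver, (verdict, reason) in triage(SAMPLE_LOG).items():
        print("%-8s %-10s %s" % (driver, verdict, reason))
```

Run against the full log it reports Disk as ok and atapi as suspicious, which is the same conclusion TDSSKiller reached ("Driver "atapi" infected by TDSS rootkit!"). The heuristic is deliberately narrow: it will not catch a hook that replaces only IRP_MJ_READ and IRP_MJ_WRITE, and for that case you need the driver's image range to check whether each handler address lies inside it, which this log format does not give you.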


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 21 April 2010 - 05:02 PM

Sounds better. Still had infection showing up in atapi.sys, so we'll check some more.

Now we want GMER to look again. If you still have it on your desktop, skip the download part. Run it with the instructions provided on what to uncheck.

If you have any CD emulation software such as Daemon or Alcohol, please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it, let me know so we can re-enable it when we finish up.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

#5 plainoldconnor

  • Topic Starter
  • Members
  • 6 posts

Posted 22 April 2010 - 03:35 PM

Sorry, but my computer locks up when I'm almost done with the GMER scan each time. Suggestions?

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 22 April 2010 - 03:54 PM

Give it a try in Safe Mode.

#7 plainoldconnor

  • Topic Starter
  • Members
  • 6 posts

Posted 24 April 2010 - 03:28 PM

I just wanted to update that I've still been unable to perform a full GMER scan in safe mode, but I'm giving it another try tonight. I think it's just a problem with how old my computer is. Wish me luck.

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 24 April 2010 - 03:53 PM

See if this will help you any.

Uncheck these also:

  • Registry
  • Files

#9 plainoldconnor

  • Topic Starter
  • Members
  • 6 posts

Posted 24 April 2010 - 04:06 PM

That did it. Here you go:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2001-04-24 17:05:44
Windows 5.1.2600 Service Pack 2
Running: zomu57kl.exe; Driver: C:\DOCUME~1\Conner\LOCALS~1\Temp\awtdqpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
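
With Sections, IAT/EAT, Registry and Files unchecked, what GMER has left to report is the Devices section, and the five lines above are all filter drivers sitting on top of the TCP/IP and FAT device stacks: AVG's network filter (avgtdix.sys) on \Driver\Tcpip and Microsoft's filter manager (fltmgr.sys) on \FileSystem\Fastfat. Both are expected on a machine running AVG, and none of the lines carries GMER's "<--- ROOTKIT" marker, which is why the helper moves on to ComboFix. The script below is an added example, not part of this thread or of GMER: it turns a Devices section into an inventory grouped by filter driver file and sorts entries into three tiers, lines GMER itself marked, lines whose driver has no description in parentheses, and everything else. The embedded sample is the log above plus two constructed lines (example.sys with no description and example2.sys carrying a marker) that do not come from the posted log; the marker regex is an assumption about GMER's formatting based on the helper's quote.

```python
"""Summarise a GMER "Devices" section as an inventory of kernel filter drivers.

Added example for reading the GMER log posted above; it is not part of the
thread or of GMER.  Each AttachedDevice line names the driver object and device
a filter sits on, the filter's driver file and, in parentheses, the description
and company from that file's version resource.  Filters from the installed AV
and from Microsoft are expected; GMER's own marker and a missing description are
the things to look at first, and neither is proof of infection on its own.
"""
import re
from collections import defaultdict

# Constructed sample: the five lines from the posted log, plus one hypothetical
# line with no description and one hypothetical line carrying GMER's marker.
SAMPLE_GMER = """\
---- Devices - GMER 1.0.15 ----

AttachedDevice \\Driver\\Tcpip \\Device\\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \\Driver\\Tcpip \\Device\\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \\Driver\\Tcpip \\Device\\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \\Driver\\Tcpip \\Device\\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \\FileSystem\\Fastfat \\Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \\Driver\\Kbdclass \\Device\\KeyboardClass0 example.sys
AttachedDevice \\FileSystem\\Ntfs \\Ntfs example2.sys (Example filter/Example Co.) <--- ROOTKIT

---- EOF - GMER 1.0.15 ----
"""

# driver object, device, file, optional "(description/company)", optional marker.
LINE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver_object>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)"
    r"(?:\s+\((?P<description>[^/)]*)/(?P<company>[^)]*)\))?"
    r"(?P<marker>\s+<-+\s*ROOTKIT.*)?\s*$"
)


def parse_devices(log_text):
    """Return one dict per AttachedDevice line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "driver_object": m.group("driver_object"),
            "device": m.group("device"),
            "file": m.group("file"),
            "description": m.group("description"),
            "company": m.group("company"),
            "marked": m.group("marker") is not None,
        })
    return entries


def classify(entry):
    """'marked' if GMER flagged it, 'unidentified' if no version info, else 'expected'."""
    if entry["marked"]:
        return "marked"
    if not entry["company"]:
        return "unidentified"
    return "expected"


def inventory(log_text):
    """Group by filter driver file: {file: {'company', 'devices', 'tier'}}."""
    summary = defaultdict(lambda: {"company": None, "devices": [], "tier": "expected"})
    rank = {"expected": 0, "unidentified": 1, "marked": 2}
    for e in parse_devices(log_text):
        s = summary[e["file"]]
        s["company"] = s["company"] or e["company"]
        s["devices"].append(e["driver_object"] + " " + e["device"])
        tier = classify(e)
        if rank[tier] > rank[s["tier"]]:
            s["tier"] = tier  # the worst tier seen for this file wins
    return dict(summary)


if __name__ == "__main__":
    rows = sorted(inventory(SAMPLE_GMER).items(), key=lambda kv: -len(kv[1]["devices"]))
    for f, s in rows:
        print("%-12s %-12s %-30s %s" % (f, s["tier"], s["company"] or "-", ", ".join(s["devices"])))
```

On the real log this yields two rows, avgtdix.sys on four TCP/IP devices and fltmgr.sys on \Fat, both in the expected tier. The "marked" and "unidentified" tiers are a reading order, not a verdict: as the helper's caution says, a marked entry is something to show the person guiding the cleanup, not something to delete.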


#10 thewall

  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 24 April 2010 - 04:33 PM

Good job! I would like you to delete the version of ComboFix you have on your desktop, then download a new one from the link below and run it.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#11 thewall

  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 28 April 2010 - 10:20 AM

Are you still with me?

#12 plainoldconnor

  • Topic Starter
  • Members
  • 6 posts

Posted 28 April 2010 - 11:08 PM

Yes, I'm very sorry, I still haven't had the opportunity to run Combofix. End of the year exams have kept me beyond busy, I had poor timing with my request. I'll try to run Combofix again tomorrow, as per your request. Again, sorry about the delay.

#13 thewall

  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 29 April 2010 - 07:32 AM

OK, that will be fine.

#14 thewall

  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 07 May 2010 - 07:00 PM

Due to the lack of feedback this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.



