Computer won't shut down;site redirections


  • This topic is locked
58 replies to this topic

#16 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:01 AM

Posted 03 May 2010 - 10:33 PM

Hello, scottall.
No problem smile.gif

Let's skip combofix then, and use another program.
We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks and do not include the word "Code"). Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note: If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt". Please copy and paste the contents of that file here.

In your next reply, please include the following:
  • TDSSKiller.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM




#17 scottall

  • Topic Starter

  • Members
  • 31 posts
  • Local time:08:01 PM

Posted 04 May 2010 - 06:14 AM

that worked

06:44:56:578 3964 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
06:44:56:578 3964 ================================================================================
06:44:56:578 3964 SystemInfo:

06:44:56:578 3964 OS Version: 5.1.2600 ServicePack: 3.0
06:44:56:578 3964 Product type: Workstation
06:44:56:578 3964 ComputerName: DFJDTX51
06:44:56:578 3964 UserName: Scott
06:44:56:578 3964 Windows directory: C:\WINDOWS
06:44:56:578 3964 Processor architecture: Intel x86
06:44:56:578 3964 Number of processors: 2
06:44:56:578 3964 Page size: 0x1000
06:44:56:578 3964 Boot type: Normal boot
06:44:56:578 3964 ================================================================================
06:44:56:578 3964 UnloadDriverW: NtUnloadDriver error 2
06:44:56:578 3964 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
06:44:56:718 3964 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
06:44:56:718 3964 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
06:44:56:718 3964 wfopen_ex: Trying to KLMD file open
06:44:56:718 3964 wfopen_ex: File opened ok (Flags 2)
06:44:56:718 3964 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
06:44:56:718 3964 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
06:44:56:718 3964 wfopen_ex: Trying to KLMD file open
06:44:56:718 3964 wfopen_ex: File opened ok (Flags 2)
06:44:56:718 3964 Initialize success
06:44:56:718 3964
06:44:56:718 3964 Scanning Services ...
06:44:57:187 3964 Raw services enum returned 355 services
06:44:57:187 3964
06:44:57:187 3964 Scanning Kernel memory ...
06:44:57:187 3964 Devices to scan: 4
06:44:57:187 3964
06:44:57:187 3964 Driver Name: Disk
06:44:57:187 3964 IRP_MJ_CREATE : F883EBB0
06:44:57:187 3964 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
06:44:57:187 3964 IRP_MJ_CLOSE : F883EBB0
06:44:57:187 3964 IRP_MJ_READ : F8838D1F
06:44:57:187 3964 IRP_MJ_WRITE : F8838D1F
06:44:57:187 3964 IRP_MJ_QUERY_INFORMATION : 804F9759
06:44:57:187 3964 IRP_MJ_SET_INFORMATION : 804F9759
06:44:57:187 3964 IRP_MJ_QUERY_EA : 804F9759
06:44:57:187 3964 IRP_MJ_SET_EA : 804F9759
06:44:57:187 3964 IRP_MJ_FLUSH_BUFFERS : F88392E2
06:44:57:187 3964 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
06:44:57:187 3964 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
06:44:57:187 3964 IRP_MJ_DIRECTORY_CONTROL : 804F9759
06:44:57:187 3964 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
06:44:57:187 3964 IRP_MJ_DEVICE_CONTROL : F88393BB
06:44:57:187 3964 IRP_MJ_INTERNAL_DEVICE_CONTROL : F883CF28
06:44:57:187 3964 IRP_MJ_SHUTDOWN : F88392E2
06:44:57:187 3964 IRP_MJ_LOCK_CONTROL : 804F9759
06:44:57:187 3964 IRP_MJ_CLEANUP : 804F9759
06:44:57:187 3964 IRP_MJ_CREATE_MAILSLOT : 804F9759
06:44:57:187 3964 IRP_MJ_QUERY_SECURITY : 804F9759
06:44:57:187 3964 IRP_MJ_SET_SECURITY : 804F9759
06:44:57:187 3964 IRP_MJ_POWER : F883AC82
06:44:57:187 3964 IRP_MJ_SYSTEM_CONTROL : F883F99E
06:44:57:187 3964 IRP_MJ_DEVICE_CHANGE : 804F9759
06:44:57:187 3964 IRP_MJ_QUERY_QUOTA : 804F9759
06:44:57:187 3964 IRP_MJ_SET_QUOTA : 804F9759
06:44:57:203 3964 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:44:57:203 3964
06:44:57:203 3964 Driver Name: Disk
06:44:57:203 3964 IRP_MJ_CREATE : F883EBB0
06:44:57:203 3964 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
06:44:57:203 3964 IRP_MJ_CLOSE : F883EBB0
06:44:57:203 3964 IRP_MJ_READ : F8838D1F
06:44:57:203 3964 IRP_MJ_WRITE : F8838D1F
06:44:57:203 3964 IRP_MJ_QUERY_INFORMATION : 804F9759
06:44:57:203 3964 IRP_MJ_SET_INFORMATION : 804F9759
06:44:57:203 3964 IRP_MJ_QUERY_EA : 804F9759
06:44:57:203 3964 IRP_MJ_SET_EA : 804F9759
06:44:57:203 3964 IRP_MJ_FLUSH_BUFFERS : F88392E2
06:44:57:203 3964 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
06:44:57:203 3964 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
06:44:57:203 3964 IRP_MJ_DIRECTORY_CONTROL : 804F9759
06:44:57:203 3964 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
06:44:57:203 3964 IRP_MJ_DEVICE_CONTROL : F88393BB
06:44:57:203 3964 IRP_MJ_INTERNAL_DEVICE_CONTROL : F883CF28
06:44:57:203 3964 IRP_MJ_SHUTDOWN : F88392E2
06:44:57:203 3964 IRP_MJ_LOCK_CONTROL : 804F9759
06:44:57:203 3964 IRP_MJ_CLEANUP : 804F9759
06:44:57:203 3964 IRP_MJ_CREATE_MAILSLOT : 804F9759
06:44:57:203 3964 IRP_MJ_QUERY_SECURITY : 804F9759
06:44:57:203 3964 IRP_MJ_SET_SECURITY : 804F9759
06:44:57:203 3964 IRP_MJ_POWER : F883AC82
06:44:57:203 3964 IRP_MJ_SYSTEM_CONTROL : F883F99E
06:44:57:203 3964 IRP_MJ_DEVICE_CHANGE : 804F9759
06:44:57:203 3964 IRP_MJ_QUERY_QUOTA : 804F9759
06:44:57:203 3964 IRP_MJ_SET_QUOTA : 804F9759
06:44:57:203 3964 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:44:57:203 3964
06:44:57:203 3964 Driver Name: Disk
06:44:57:203 3964 IRP_MJ_CREATE : F883EBB0
06:44:57:203 3964 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
06:44:57:203 3964 IRP_MJ_CLOSE : F883EBB0
06:44:57:203 3964 IRP_MJ_READ : F8838D1F
06:44:57:203 3964 IRP_MJ_WRITE : F8838D1F
06:44:57:203 3964 IRP_MJ_QUERY_INFORMATION : 804F9759
06:44:57:203 3964 IRP_MJ_SET_INFORMATION : 804F9759
06:44:57:203 3964 IRP_MJ_QUERY_EA : 804F9759
06:44:57:203 3964 IRP_MJ_SET_EA : 804F9759
06:44:57:203 3964 IRP_MJ_FLUSH_BUFFERS : F88392E2
06:44:57:203 3964 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
06:44:57:203 3964 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
06:44:57:203 3964 IRP_MJ_DIRECTORY_CONTROL : 804F9759
06:44:57:203 3964 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
06:44:57:203 3964 IRP_MJ_DEVICE_CONTROL : F88393BB
06:44:57:203 3964 IRP_MJ_INTERNAL_DEVICE_CONTROL : F883CF28
06:44:57:203 3964 IRP_MJ_SHUTDOWN : F88392E2
06:44:57:203 3964 IRP_MJ_LOCK_CONTROL : 804F9759
06:44:57:203 3964 IRP_MJ_CLEANUP : 804F9759
06:44:57:203 3964 IRP_MJ_CREATE_MAILSLOT : 804F9759
06:44:57:203 3964 IRP_MJ_QUERY_SECURITY : 804F9759
06:44:57:203 3964 IRP_MJ_SET_SECURITY : 804F9759
06:44:57:203 3964 IRP_MJ_POWER : F883AC82
06:44:57:203 3964 IRP_MJ_SYSTEM_CONTROL : F883F99E
06:44:57:203 3964 IRP_MJ_DEVICE_CHANGE : 804F9759
06:44:57:203 3964 IRP_MJ_QUERY_QUOTA : 804F9759
06:44:57:218 3964 IRP_MJ_SET_QUOTA : 804F9759
06:44:57:218 3964 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:44:57:218 3964
06:44:57:218 3964 Driver Name: atapi
06:44:57:218 3964 IRP_MJ_CREATE : 832FAAC8
06:44:57:218 3964 IRP_MJ_CREATE_NAMED_PIPE : 832FAAC8
06:44:57:218 3964 IRP_MJ_CLOSE : 832FAAC8
06:44:57:218 3964 IRP_MJ_READ : 832FAAC8
06:44:57:218 3964 IRP_MJ_WRITE : 832FAAC8
06:44:57:218 3964 IRP_MJ_QUERY_INFORMATION : 832FAAC8
06:44:57:218 3964 IRP_MJ_SET_INFORMATION : 832FAAC8
06:44:57:218 3964 IRP_MJ_QUERY_EA : 832FAAC8
06:44:57:218 3964 IRP_MJ_SET_EA : 832FAAC8
06:44:57:218 3964 IRP_MJ_FLUSH_BUFFERS : 832FAAC8
06:44:57:218 3964 IRP_MJ_QUERY_VOLUME_INFORMATION : 832FAAC8
06:44:57:218 3964 IRP_MJ_SET_VOLUME_INFORMATION : 832FAAC8
06:44:57:218 3964 IRP_MJ_DIRECTORY_CONTROL : 832FAAC8
06:44:57:218 3964 IRP_MJ_FILE_SYSTEM_CONTROL : 832FAAC8
06:44:57:218 3964 IRP_MJ_DEVICE_CONTROL : 832FAAC8
06:44:57:218 3964 IRP_MJ_INTERNAL_DEVICE_CONTROL : 832FAAC8
06:44:57:218 3964 IRP_MJ_SHUTDOWN : 832FAAC8
06:44:57:218 3964 IRP_MJ_LOCK_CONTROL : 832FAAC8
06:44:57:218 3964 IRP_MJ_CLEANUP : 832FAAC8
06:44:57:218 3964 IRP_MJ_CREATE_MAILSLOT : 832FAAC8
06:44:57:218 3964 IRP_MJ_QUERY_SECURITY : 832FAAC8
06:44:57:218 3964 IRP_MJ_SET_SECURITY : 832FAAC8
06:44:57:218 3964 IRP_MJ_POWER : 832FAAC8
06:44:57:218 3964 IRP_MJ_SYSTEM_CONTROL : 832FAAC8
06:44:57:218 3964 IRP_MJ_DEVICE_CHANGE : 832FAAC8
06:44:57:218 3964 IRP_MJ_QUERY_QUOTA : 832FAAC8
06:44:57:218 3964 IRP_MJ_SET_QUOTA : 832FAAC8
06:44:57:218 3964 Driver "atapi" infected by TDSS rootkit!
06:44:57:250 3964 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
06:44:57:250 3964 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
06:44:57:250 3964 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
06:44:57:250 3964 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
06:44:57:421 3964 vfvi6
06:44:57:687 3964 !dsvbh1
06:45:01:656 3964 dsvbh2
06:45:01:656 3964 fdfb2
06:45:01:656 3964 Backup copy found, using it..
06:45:01:718 3964 will be cured on next reboot
06:45:01:718 3964 Reboot required for cure complete..
06:45:01:812 3964 Cure on reboot scheduled successfully
06:45:01:812 3964
06:45:01:812 3964 Completed
06:45:01:812 3964
06:45:01:812 3964 Results:
06:45:01:812 3964 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
06:45:01:812 3964 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
06:45:01:812 3964 File objects infected / cured / cured on reboot: 1 / 0 / 1
06:45:01:812 3964
06:45:01:812 3964 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
06:45:01:812 3964 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
06:45:01:812 3964 UnloadDriverW: NtUnloadDriver error 1
06:45:01:828 3964 KLMD(ARK) unloaded successfully
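The kernel-memory section of the log above is the part worth reading closely: TDSSKiller prints each driver's IRP dispatch table, and for atapi every one of the 28 IRP_MJ_* entries resolves to the same address (832FAAC8), whereas disk.sys mixes its own handlers with a shared fallback address (804F9759). The following Python script is an added triage aid, written for this page and not part of TDSSKiller or of the thread; it parses the `Driver Name:` / `IRP_MJ_*` blocks, keeps the tool's own "infected by" verdict, and flags any driver whose whole dispatch table points at a single address. The sample log is a constructed excerpt of the posted output with the IRP tables shortened to six entries; the regexes, function names and the `min_entries` threshold are assumptions of this example.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the TDSSKiller "Scanning Kernel memory" section posted
# above (timestamp and PID columns kept, IRP tables shortened to six entries).
SAMPLE_LOG = r"""
06:44:57:187 3964 Scanning Kernel memory ...
06:44:57:187 3964 Devices to scan: 2
06:44:57:187 3964
06:44:57:187 3964 Driver Name: Disk
06:44:57:187 3964 IRP_MJ_CREATE : F883EBB0
06:44:57:187 3964 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
06:44:57:187 3964 IRP_MJ_CLOSE : F883EBB0
06:44:57:187 3964 IRP_MJ_READ : F8838D1F
06:44:57:187 3964 IRP_MJ_WRITE : F8838D1F
06:44:57:187 3964 IRP_MJ_DEVICE_CONTROL : F88393BB
06:44:57:203 3964 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:44:57:203 3964
06:44:57:218 3964 Driver Name: atapi
06:44:57:218 3964 IRP_MJ_CREATE : 832FAAC8
06:44:57:218 3964 IRP_MJ_CREATE_NAMED_PIPE : 832FAAC8
06:44:57:218 3964 IRP_MJ_CLOSE : 832FAAC8
06:44:57:218 3964 IRP_MJ_READ : 832FAAC8
06:44:57:218 3964 IRP_MJ_WRITE : 832FAAC8
06:44:57:218 3964 IRP_MJ_DEVICE_CONTROL : 832FAAC8
06:44:57:218 3964 Driver "atapi" infected by TDSS rootkit!
06:44:57:250 3964 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""

# Every TDSSKiller line starts with HH:MM:SS:mmm and a PID; the rest is the message.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d+\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by (.+)!$')
FILE_RE = re.compile(r"^(.+\.sys) - Verdict: (\d+)$", re.IGNORECASE)


def parse_kernel_scan(text):
    """Return one record per 'Driver Name:' block: name, IRP table, verdict lines, file."""
    drivers = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            current = {"name": d.group(1), "irps": OrderedDict(), "flags": [], "file": None}
            drivers.append(current)
            continue
        if current is None:
            continue  # header lines before the first driver block
        i = IRP_RE.match(body)
        if i:
            current["irps"][i.group(1)] = int(i.group(2), 16)
            continue
        f = INFECTED_RE.match(body)
        if f:
            current["flags"].append(f.group(2))
            continue
        v = FILE_RE.match(body)
        if v:
            current["file"] = v.group(1)
    return drivers


def assess(driver, min_entries=4):
    """Findings for one driver: the tool's own verdict plus the uniform-table heuristic.

    A driver whose every major function routes to one address has had its dispatch
    table replaced wholesale; a normal table (see disk.sys above) mixes several
    handler addresses. min_entries avoids flagging tiny tables (assumed threshold)."""
    findings = list(driver["flags"])
    addrs = set(driver["irps"].values())
    if len(driver["irps"]) >= min_entries and len(addrs) == 1:
        findings.append("all %d IRP_MJ handlers resolve to %08X"
                        % (len(driver["irps"]), next(iter(addrs))))
    return findings


def triage(text):
    """Map driver name -> de-duplicated findings (the log lists 'Disk' three times)."""
    report = {}
    for drv in parse_kernel_scan(text):
        merged = report.setdefault(drv["name"], [])
        for finding in assess(drv):
            if finding not in merged:
                merged.append(finding)
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name, "->", findings or "no findings")
```

Run it against a full saved TDSSKiller.txt by reading the file into `triage()`; the uniform-table check is a heuristic to prioritise which driver block to look at, not a replacement for the tool's own verdict.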


#18 scottall

  • Topic Starter

  • Members
  • 31 posts
  • Local time:08:01 PM

Posted 04 May 2010 - 08:00 AM

the toolbar in IE - File Edit View...etc is blacked out....


#19 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:01 AM

Posted 04 May 2010 - 12:30 PM

Hi!

Not sure what may have caused this, let's try fixing it:
  1. Right click anywhere on desktop.
  2. Click Properties
  3. Click the Appearance tab
  4. Click Windows and Buttons
  5. Click make "Windows XP Style"
Success?



#20 scottall

  • Topic Starter

  • Members
  • 31 posts
  • Local time:08:01 PM

Posted 04 May 2010 - 12:49 PM

all set there. How did the report look?

#21 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:01 AM

Posted 04 May 2010 - 04:28 PM

Report looks good smile.gif

Please post up a fresh GMER log for my review



#22 scottall

  • Topic Starter

  • Members
  • 31 posts
  • Local time:08:01 PM

Posted 06 May 2010 - 06:03 AM

sorry for the delay


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 06:58:45
Windows 5.1.2600 Service Pack 3
Running: z22gkj90.exe; Driver: C:\DOCUME~1\Scott\LOCALS~1\Temp\fxdoapob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF884887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8848BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xECBEA78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xECBEA738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xECBEA74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xECBEA7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xECBEA710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xECBEA724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xECBEA79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xECBEA776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xECBEA762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xECBEA7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xECBEA7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xECBEA7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B5890D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 83302AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#23 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:01 AM

Posted 06 May 2010 - 09:29 AM

Hello, scottall.
That's no problem smile.gif

Looks like TDSSKiller didn't get the file for us.
We need to run SystemLook
  1. Please download SystemLook from jpshortstuff and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
  2. Double-click SystemLook and copy/paste the following into the box. Do not copy the word "code".
    CODE
    :filefind
    atapi.sy*
  3. Hit the Look button. Let it finish the scan.
  4. A log will then be saved to your Desktop. Post the content of the log here in your next reply.


In your next reply, please include the following:
  • SystemLook Log



#24 scottall

  • Topic Starter

  • Members
  • 31 posts
  • Local time:08:01 PM

Posted 06 May 2010 - 06:12 PM

Thanks aommaster

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:06 on 06/05/2010 by Scott (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sy*"
C:\cmdcons\ATAPI.SY_ --a--c 49558 bytes [02:59 04/08/2004] [02:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\I386\atapi.sys --a--c 95360 bytes [20:39 06/10/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:59 31/03/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [23:26 04/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys --a--- 96512 bytes [05:00 01/01/1980] [10:46 04/05/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:43 25/10/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:44 25/10/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
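The filefind listing above is in effect an inventory of every copy of atapi.sys on the disk, with size and MD5, and the useful question for a responder is which copies agree with the live driver in system32\drivers. The Python script below is an added example written for this page (not SystemLook's code, and not posted in the thread): it parses the filefind lines, groups the uncompressed copies by hash, and reports which ones match the live file. In the listing above the live driver shares its hash only with the ServicePackFiles copy, four older copies share a different hash, and the cmdcons\ATAPI.SY_ entry is a cabinet-compressed container whose hash covers the container rather than the driver image (expanding it later in the thread turns 49558 bytes into 95360), so it is excluded from hash comparison. The sample text is the posted listing used as constructed input; the regex, field names and `live_suffix` default are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the "filefind" listing from the SystemLook log posted above.
SAMPLE_FILEFIND = r"""
Searching for "atapi.sy*"
C:\cmdcons\ATAPI.SY_ --a--c 49558 bytes [02:59 04/08/2004] [02:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\I386\atapi.sys --a--c 95360 bytes [20:39 06/10/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [17:59 31/03/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [23:26 04/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys --a--- 96512 bytes [05:00 01/01/1980] [10:46 04/05/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:43 25/10/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:44 25/10/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# path, six attribute flags, size, two bracketed timestamps (kept in the order
# SystemLook prints them, without guessing which is modified/created), MD5
ENTRY_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$")


def parse_filefind(text):
    """Parse filefind result lines into dicts; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        # A trailing underscore marks a cabinet-compressed copy (expand.exe input);
        # its MD5 is the hash of the container, not of the driver image.
        e["compressed"] = e["path"].endswith("_")
        entries.append(e)
    return entries


def compare_to_live(entries, live_suffix=r"\system32\drivers\atapi.sys"):
    """Group uncompressed copies by MD5 and relate them to the driver Windows loads."""
    live = next(e for e in entries if e["path"].lower().endswith(live_suffix.lower()))
    by_hash = defaultdict(list)
    for e in entries:
        if not e["compressed"]:
            by_hash[e["md5"]].append(e["path"])
    matches = [p for p in by_hash[live["md5"]] if p != live["path"]]
    return {
        "live_path": live["path"],
        "live_md5": live["md5"],
        "live_size": live["size"],
        "matching_copies": matches,
        "other_hashes": {h: p for h, p in by_hash.items() if h != live["md5"]},
        "compressed_skipped": [e["path"] for e in entries if e["compressed"]],
    }


if __name__ == "__main__":
    res = compare_to_live(parse_filefind(SAMPLE_FILEFIND))
    print("live driver:", res["live_path"], res["live_md5"], res["live_size"], "bytes")
    print("same hash:", res["matching_copies"] or "none")
    for h, paths in res["other_hashes"].items():
        print("different hash", h, "in", len(paths), "copies")
    print("compressed (hash not comparable):", res["compressed_skipped"])
```

An on-disk hash match against a service-pack copy says only that the file as stored is the expected one; it does not by itself clear a driver that a rootkit scanner reports as hooked in memory, which is why the thread continues with a fresh GMER scan after the file is replaced.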

#25 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:01 AM

Posted 06 May 2010 - 07:53 PM

Hello, scottall.
We need to run a batch file
  1. Copy the following into notepad (Start>Run>"notepad"). Do not copy the word "code".
    CODE
    @echo off
    expand C:\cmdcons\ATAPI.SY_ c:\ >c:\log.txt
    cd\
    ren atapi.sy_ atapi.sys
    dir /a c:\atapi.sys >>c:\log.txt
    start c:\log.txt
    del %0
  2. Click File, then Save As... .
  3. Click Desktop on the left.
  4. Under the Save as type dropdown, select All Files.
  5. In the box File Name, input fix.bat
  6. Hit OK.
  7. Double click fix.bat. You will see a black command prompt window open then close. It might seem like nothing is happening, but the script is running.
Please post up the results of the text file that will open up smile.gif




#26 scottall

  • Topic Starter

  • Members
  • 31 posts
  • Local time:08:01 PM

Posted 06 May 2010 - 09:35 PM

here 'tis. Thanks again

Microsoft ® File Expansion Utility Version 5.1.2600.0
Copyright © Microsoft Corp 1990-1999. All rights reserved.

Expanding c:\cmdcons\atapi.sy_ to c:\atapi.sy_.
c:\cmdcons\atapi.sy_: 49558 bytes expanded to 95360 bytes, 92% increase.

Volume in drive C has no label.
Volume Serial Number is F418-E77B

Directory of c:\

08/03/2004 10:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
0 Dir(s) 10,810,740,736 bytes free

#27 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:01 AM

Posted 06 May 2010 - 09:38 PM

Hello, scottall.
Fantastic smile.gif

We need to run an Avenger script
  1. Download The Avenger by Swandog46 from here.
  2. Unzip/extract it to a folder on your desktop.
  3. Double click on avenger.exe.
  4. Click OK.
  5. Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  6. Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C. Do not copy the word "code".
    CODE
    Files to move:
    c:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
  7. In the avenger window, click the Paste Script from Clipboard button.
  8. Click the Execute button.
  9. You will be asked Are you sure you want to execute the current script?.
  10. Click Yes.
  11. You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  12. Click Yes.
  13. Your PC will now be rebooted.

    Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.

  14. After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  15. Please post this log in your next reply.

In your next reply, please include the following:
  • Avenger Log



#28 scottall

  • Topic Starter

  • Members
  • 31 posts
  • Local time:08:01 PM

Posted 07 May 2010 - 07:03 AM

This kept failing until I made sure all virus protection software was disabled. Instead of the log, I would find the atapi file in the Avenger folder. Once I disabled the protection software, it worked as instructed and only the log file is in the Avenger file.


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\atapi.sys" not found!
File move operation "c:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

#29 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:04:01 AM

Posted 07 May 2010 - 09:40 AM

Hi!

Please post up a fresh GMER log.



#30 scottall

  • Topic Starter

  • Members
  • 31 posts
  • Local time:08:01 PM

Posted 07 May 2010 - 12:03 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-07 12:56:49
Windows 5.1.2600 Service Pack 3
Running: z22gkj90.exe; Driver: C:\DOCUME~1\Scott\LOCALS~1\Temp\fxdoapob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF884887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8848BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEBF4078A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEBF40738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEBF4074C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEBF407CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEBF40710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEBF40724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEBF4079E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEBF40776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEBF40762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEBF407F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEBF407E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEBF407B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B555FD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 832FAAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




