
TDSS rootkit infection atapi.sys

25 replies to this topic

#1 Davemort

Posted 19 May 2010 - 09:47 AM

Hi,
I'm having problems with a rootkit virus.

TDSSkiller detects the rootkit in atapi.sys but can't get rid of it.
I've disconnected from the internet.
Cleaned up with mbam.
Uninstalled Mcafee
Run TDSSkiller
Run combofix, this detected a rootkit but would not remove it


I also tried replacing the copy of atapi.sys in system32\drivers and dllcache with one from another computer, from the Recovery Console; this didn't help either.

Logs attached
Please help

Dave


#2 extremeboy

Posted 19 May 2010 - 04:30 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

You should not run Combofix on your own.

Please DO NOT run Combofix. ComboFix is an extremely powerful tool and you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Further, ComboFix logs are not permitted outside the Malware Removal forum, and then only when requested by a Malware Response Team member.

---
If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Davemort

Posted 20 May 2010 - 02:46 AM

Hi EB
Thanks for the quick reply
Logs attached
The problem started with a Firefox redirection.
It seems to be a rootkit of some type. It overwrites atapi.sys.
It also seems to let other viruses and trojans in.
I originally had McAfee running but it seemed to disable this in some way.
I disconnected from the net and uninstalled McAfee to allow the scanning programs to function correctly.
I'm using another PC to send this message
Hope you can help me solve this problem
Thanks
Dave


#4 extremeboy

Posted 21 May 2010 - 09:47 PM

Appears to be one of the new TDL3 rootkits with the atapi.sys problem.

Please run Combofix again, but this time with a newer version. Instructions below.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT click ComboFix's window while it's running, because it may cause it to stall.


#5 Davemort

Posted 28 May 2010 - 02:07 AM

Hi EB
sorry for the delay
I'm working away from home this week.
I'll post the logs as soon as I return on Tuesday
Thanks
Dave

#6 extremeboy

Posted 28 May 2010 - 04:44 PM

Okay. Thanks for letting me know then.

#7 Davemort

Posted 01 June 2010 - 03:05 AM

Hi EB
Here is the ComboFix log you requested.
The program detected a rootkit and rebooted.
It then stopped after it had completed stage 2 with an error message "PEV.cfxxe has encountered a problem and needs to close".
After clicking OK on this error box, ComboFix continued to run, completing all stages.

Thanks for your time

Dave


#8 extremeboy

Posted 01 June 2010 - 08:59 PM

Hello.

Thanks for reporting to me on what happened.

From the log it appears that ZoneAlarm (one of your security programs) was not disabled. Did you disable it properly?

Anyways, I would like you to run another GMER scan with the following instructions...

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.


#9 Davemort

Posted 02 June 2010 - 02:54 AM

Hi EB
Yes, I forgot to disable ZoneAlarm.
I have disabled it now.
Here is the GMER log file you requested.
Thanks
Dave

Attached file: Gmer.log (10.91KB)

#10 extremeboy

Posted 02 June 2010 - 06:45 AM

Okay, could you please run Combofix once more and post the log upon completion for me.



#11 Davemort

Posted 02 June 2010 - 08:17 AM

Hi EB
Ran ComboFix again as requested.
Exactly the same: the program detected a rootkit and rebooted.
It then stopped after it had completed stage 2 with an error message "PEV.cfxxe has encountered a problem and needs to close".
After clicking OK on this error box, ComboFix continued to run, completing all stages.

here's the new log

Dave


#12 extremeboy

Posted 02 June 2010 - 02:39 PM

Hello.

Seems we might need to deal with this manually.

Can you do the following for me...

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    atapi.*
  • Please confirm everything is copied and pasted exactly as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


#13 Davemort

Posted 03 June 2010 - 02:16 AM

Hi EB
Here is the SystemLook log.

Thanks
Dave


#14 extremeboy

Posted 03 June 2010 - 04:23 PM

  1. Go to Start->Run and type in notepad and hit OK.
  2. Then copy and paste the content of the following codebox into Notepad:

    CODE
    @echo off
    rem Copy the Service Pack's clean atapi.sys to the root of C:, where the Recovery Console can reach it
    copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\
    rem Delete this batch file once it has run
    del %0

  3. Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes.
  4. Once saved, the icon to click should look like this on your desktop:


  5. Double click fix.bat to run it. A small black box should open and close; this is normal.

Please confirm now there is a file called atapi.sys in your C:\ drive.


Print out these instructions to use while in the Recovery Console. Instructions for getting into it can be found here. You already have it installed, since ComboFix installed it when you ran it. (This is for XP only.)
  1. Restart your computer.
  2. Before Windows loads, you will be prompted to choose which Operating System to start.
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
  5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):

    cd c:\windows\system32\drivers
    ren atapi.sys atapi.old
    copy c:\atapi.sys c:\windows\system32\drivers
    exit


    You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.
    (If you do not see '1 file copied' on the screen, even after ensuring the commands are correct, rename the file back to its original name by typing the following command and then hitting Enter:
    ren atapi.old atapi.sys
    You should NOT be prompted to overwrite an existing file, but if you are, select No, then type exit to restart and notify me of your results.)

  6. Type exit and press 'Enter'. Your computer should reboot.

Let me know how it goes.
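As an added check after the swap above (example code, not from the thread or any tool it uses): it hashes the live atapi.sys against the ServicePackFiles and dllcache copies the thread treats as clean references and confirms that the renamed atapi.old really differs, with the XP paths the thread gives taken as an assumption and the demo run on constructed bytes in a temp directory.

```python
import hashlib
import os
import shutil
import tempfile
# The thread's XP paths (Windows on C:): the live driver, the copy left by
# the Recovery Console rename, and Windows' own clean copies of the driver.
LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"
RENAMED_OLD = r"C:\WINDOWS\system32\drivers\atapi.old"
REFERENCES = [r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
              r"C:\WINDOWS\system32\dllcache\atapi.sys"]

def sha256_of(path):
    """Hash the file in chunks so it need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_driver_copies(live, references, renamed_old=None):
    """Is the live driver byte-identical to a reference copy, and (when
    atapi.old exists) did the swap actually change the file on disk?"""
    live_hash = sha256_of(live)
    result = {"live_sha256": live_hash,
              "matches_reference": any(os.path.exists(r) and sha256_of(r) == live_hash
                                       for r in references)}
    if renamed_old and os.path.exists(renamed_old):
        result["old_differs_from_live"] = sha256_of(renamed_old) != live_hash
    return result

def demo_with_constructed_files():
    """Constructed sample, not real driver bytes: a clean reference, a modified
    live driver, and the thread's ren/copy fix replayed in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "ServicePackFiles", "atapi.sys")
        live = os.path.join(d, "drivers", "atapi.sys")
        old = os.path.join(d, "drivers", "atapi.old")
        os.makedirs(os.path.dirname(clean))
        os.makedirs(os.path.dirname(live))
        with open(clean, "wb") as f:
            f.write(b"CLEAN-DRIVER-BYTES")  # constructed
        with open(live, "wb") as f:
            f.write(b"CLEAN-DRIVER-BYTES" + b"\x90" * 16)  # constructed tamper
        before = compare_driver_copies(live, [clean])
        os.rename(live, old)      # ren atapi.sys atapi.old
        shutil.copy(clean, live)  # copy c:\atapi.sys c:\windows\system32\drivers
        after = compare_driver_copies(live, [clean], old)
        return {"before": before["matches_reference"], "after": after["matches_reference"],
                "old_differs": after["old_differs_from_live"]}
```

On a real machine call compare_driver_copies(LIVE_DRIVER, REFERENCES, RENAMED_OLD); a match only says the file on disk now equals the reference copy, not that nothing remains loaded in memory.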

#15 Davemort

Posted 07 June 2010 - 02:42 AM

Hi EB
Followed your instructions and everything seemed to go OK.
TDSSKiller is still reporting "Driver atapi infected by TDSS rootkit".

Results:
Memory objects infected / cured / cured on reboot: 1/0/0
Registry objects infected / cured / cured on reboot: 0/0/0
File objects infected / cured / cured on reboot: 0/0/0

Does this mean I'm still infected?
The file atapi.sys in the windows/system32/drivers folder now shows a date of 13/4/2008, as opposed to atapi.old, which has a date of 2/6/2010.

Thanks, Dave

