Posted 12 June 2010 - 06:13 PM
I'm a system admin and I have an employee's work computer that has a search page redirect. Also, they are unable to go to Windows Update and it looks like this may have been the case for some time. I've dealt with a lot of rootkits before similar to this but I have always been able to clean them up (thanks to your site and admins' posts). However, in this case, I can't seem to get rid of it. I have run RootRepeal, McAfee Rootkit Detective (we also use McAfee Enterprise), RootReveal, Spybot, ComboFix, Ad-Aware, HJT, MBAM, mbr, TDLfix, GMER, a new MVPS hosts file and more. Most attempts were based on the directions of what was posted by admins here. All the data was backed up, so losing everything and reinstalling would not be a problem. However, I prefer to learn by doing and I want to know how to handle this one going forward. Also, another computer seems to have the same symptoms and reformatting THAT one is an absolute last resort. OK, enough small talk, here we go.
The computer runs XP Professional with SP3 and IE 7. It also had Opera but I uninstalled that and other programs not needed. At work, we use an Oracle Forms app that limits our browser and Java choices due to compatibility. For example, IE8 and Java 6.20 do not work so we need to use older versions like IE7. ComboFix did run fine and said it needed to reboot after rootkit activity. The log said that PCIIDE.SYS was infected and cleaned. However, after rebooting the redirects remained. I also ran ComboFix twice in a row and it still found the rootkit for PCIIDE.SYS. GMER also revealed issues with ATAPI.SYS ("suspicious modification of atapi.sys") and I replaced both with clean disk copies (I checked versions too) and still the same problems. MBAM, Spybot, McAfee, Ad-Aware, etc. have not found anything. I know I should have come to the experts here before the attempts, but since I was always able to clean up viruses and spyware before, I didn't want to admit defeat; well, now I admit defeat. Again, my attempts did follow the steps posted for similar problems. Also, MBAM real-time does decrease redirects by catching attempts to reach sites like 126.96.36.199 and 188.8.131.52. I checked the hosts file (no entries) but did change it to the MVPS hosts file. As of right now, I have MBAM with real-time protection, McAfee Enterprise and HijackThis installed. I uninstalled Ad-Aware, Spybot, ComboFix, etc. I hope I didn't ramble too much.
PS - I'm not the OTS admin so I don't set security policies for all our computers. I'm more a DBA and database admin, so I hope I don't get yelled at here for some crappy virus/spyware protection policies. I'm certainly going to improve them now for our department.