
Win2k machine appears to have a rootkit

This topic is locked.
3 replies to this topic

#1 Gullible Jones

Gullible Jones

  • Members
  • 3 posts
  • Gender:Male

Posted 10 July 2011 - 09:35 AM

My father has a Windows 2000 desktop which until recently was working fine. Because no modern on-access antivirus works on Win2k, I didn't have him using any; instead I had just installed a firewall, and Firefox with Noscript, and made sure it had all the updates applied. There was also Hitman Pro installed as an on-demand scanner. I figured this would be enough, given his surfing habits. Apparently it wasn't.

Yesterday a routine scan with Hitman Pro resulted in a complete system crash. Reproducing the crash in Safe Mode (with networking) gave me a nice bluescreen with an error indicating a page fault in atapi.sys. Hitman Pro had never done this before.

After this I attempted to do a scan from the AVG Antivirus Live CD. However, the command line scanner exited with an error on reaching a certain file (and didn't tell me what the error message was). I'm still not sure why this happened; I suspect a bug in the current version of the live CD, though I do wonder if it's possible for malicious code to execute when scanned by an antivirus...

(I would have used the Kaspersky, DrWeb, or Avira live CDs, BTW, but those all have problems with the computer's video card.)

Anyway, a bit of Googling seemed to indicate that TDSS can cause crashes like what I observed. So I figured that doing a scan for TDSS specifically would not hurt, and downloaded and ran Kaspersky's TDSS Killer. It hadn't even started scanning when another crash occurred, this time in ntoskrnl.dll.

At this point I was getting quite suspicious. So I created a copy of UBCD4Win on another computer, and booted the "infected" computer from that. I then scanned with Avira and SuperAntiSpyware from the live environment.
* Avira didn't find anything.
* SAS found and removed a registry entry associated with "Malware.Trace" - apparently something involving the Explorer desktop shell - but didn't see anything else.
* I also tried TDSS Killer from the live environment, but it didn't run properly.

Exasperated, I rebooted into Safe Mode and tried running aswMBR, scanning C:\ in its entirety. The MBR came up as clean, and one file on the desktop (some kind of CD labeling software) came up as possibly bad. BUT! on reaching a certain file on the drive (which I wasn't able to get the name of), aswMBR caused a bluescreen! And again, the fault was in atapi.sys.

I have to admit I'm pretty stumped right now - three AV/ARK tools crashing like that seems like a fairly obvious sign that something nasty is up, but for the life of me I can't figure out what it is or how to remove it. Can anyone help me out here?

P.S. If anything I said sounds odd, it's probably because I'm a Linux guy and haven't used Windows in a while. I know Windows well enough to get by, but clearly not well enough to fix whatever ails this computer.
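Added example, not part of the original post or of any tool named in it: the poster already has a live environment that can see the disk without the possibly-infected kernel running, and the drivers that keep faulting (atapi.sys) are Windows File Protection files. Windows 2000 keeps a protected copy of each such file under system32\dllcache, and hotfixes update both the live file and the cached copy, so a driver whose on-disk bytes differ from its dllcache copy has either been modified out of band or deserves a close look. The script below runs from a Linux live CD with the Windows volume mounted read-only (ntfs-3g mounts are case-sensitive, so the path must match the real one, e.g. /mnt/win/WINNT on a Windows 2000 install). Assumptions: a POSIX shell, GNU sha256sum, the standard WINNT/system32/drivers and WINNT/system32/dllcache layout, and the mount point passed as the first argument; the demo tree is constructed with placeholder bytes, not real driver contents.

```shell
#!/bin/sh
# Offline driver integrity check: compare every *.sys under system32/drivers
# with the Windows File Protection copy under system32/dllcache.
# Prints one line per driver: "OK name", "MISMATCH name" or "NOCACHE name".
# Assumes GNU sha256sum and that $1 is the mounted Windows root (e.g. /mnt/win/WINNT).
check_drivers() {
    root="$1"
    drivers="$root/system32/drivers"
    cache="$root/system32/dllcache"
    for f in "$drivers"/*.sys; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$cache/$name" ]; then
            # No protected copy: third-party or unprotected driver, verify by other means.
            echo "NOCACHE $name"
            continue
        fi
        h_live=$(sha256sum "$f" | cut -d' ' -f1)
        h_cache=$(sha256sum "$cache/$name" | cut -d' ' -f1)
        if [ "$h_live" = "$h_cache" ]; then
            echo "OK $name"
        else
            # Live driver differs from its protected copy: patched on disk, or
            # updated without WFP noticing. Either way, inspect it before trusting it.
            echo "MISMATCH $name"
        fi
    done
}

# Constructed demo tree (placeholder bytes, not real driver contents):
# one driver matching its cache, one altered in place, one with no cached copy.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/system32/drivers" "$d/system32/dllcache"
    printf 'placeholder ntfs driver' > "$d/system32/drivers/ntfs.sys"
    printf 'placeholder ntfs driver' > "$d/system32/dllcache/ntfs.sys"
    printf 'placeholder atapi driver' > "$d/system32/dllcache/atapi.sys"
    printf 'placeholder atapi driver PATCHED' > "$d/system32/drivers/atapi.sys"
    printf 'placeholder vendor driver' > "$d/system32/drivers/vendor.sys"
    echo "$d"
}

# Usage on a real system:  check_drivers /mnt/win/WINNT
# Stand-alone demo run:
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    check_drivers "$demo"
    rm -rf "$demo"
fi
```

A MISMATCH on a file that the scanners crash in is exactly the thing to pull off the disk and check from another machine (hash lookup, or a byte-level diff against the cached copy). Two caveats: a rootkit running with kernel privileges can rewrite the dllcache copy as well, so a match is reassuring but not proof, and a copy extracted from the original install media or service pack is a stronger reference than dllcache; and a mismatch alone is not a verdict, since an update applied while WFP was disabled produces the same result.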



#2 cryptodan


    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 10 July 2011 - 10:05 AM

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#3 Gullible Jones

Gullible Jones
  • Topic Starter

  • Members
  • 3 posts
  • Gender:Male

Posted 10 July 2011 - 10:35 AM

Thank you very much. The new thread is here: http://www.bleepingcomputer.com/forums/topic408754.html

#4 Animal


    Bleepin' Animinion

  • Site Admin
  • 35,905 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 10 July 2011 - 10:56 AM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the logs you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
