Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Common Redirect at search engine malware present

Status
Not open for further replies.
rw409168

rw409168

Programmer
Jul 16, 2009
95
GB
Greetings,

I googled the internet for this problem where google searches are redirected.

With one user recommended downloading the TDSSkiller progam.

I ran in which it reported the following:-

Scanning Kernel memory ...
Driver "atapi" infected by TDSS rootkit!
File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... cure failed

Completed

Results:
Memory objects infected / cured / cured on reboot: 1 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 0

As this failed, I read further and downloaded the comboxfix program and ultimately run MBR.exe -f and fixmbr from the console recovery window.

I then re-ran MBR.exe from the command prompt for diagnosis:-

The logfile of MBR shows the following:-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0FFFAC44
malicious code @ sector 0x0FFFAC47 !
PE file found in sector at 0x0FFFAC5D !

I have malwarebytes running which is blocking ip addresses all over the place and from the logfile above It seems to read I still have a problem.

Can anyone please assist?

I hope I have included all the details it's 1:35am where I am so hope it makes some kind of sense (battled with it all day and night)

Next time I won't be so eager to just download and run fix-it progams.

Thanks
Rob
 
Sort by date Sort by votes
I forgot to mention I'm running Windows XP Professional SP3
 
Upvote 0 Downvote
For TDSS Rookit infection you'll need to delete the existing ATAPI.SYS file and replace it with a clean copy.

ROGER - G0AOZ.
 
Upvote 0 Downvote
Thanks for the reply.

I don't have the original windows cd what is the best method to replace ATAPI.SYS (as imagine it is a protected file)?
 
Upvote 0 Downvote
Replaced and all looks to be ok, thank you very much for the advice.

I am a happier man :)
 
Upvote 0 Downvote
Ok I haven't got rid of the problem.

I DID replace the ATAPI.SYS in the WINDOWS/system32/ which I can see by the new time stamp (copied it from another pc with windows xp installed).

I then re-ran combofix and copied the recongised problem area:-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5BDAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xba605bb0
PacketIndicateHandler -> NDIS.sys @ 0xba612a21
SendHandler -> NDIS.sys @ 0xba5f087b
user & kernel MBR OK
copy of MBR has been found in sector 0x0FFFAC44
malicious code @ sector 0x0FFFAC47 !
PE file found in sector at 0x0FFFAC5D


I'm not sure what action now to take, any advice welcome.

Thanks
 
Upvote 0 Downvote
Download:

HiJackThis

run a scan with log (do not fix anything yet) and paste that log here for our discernment..

Download:

MBAM - MalwareBytes AntiMalware

SuperAntiSpyware

Free editions on both should suffice, then run a complete scan with both delete anything they find...

you may also post another HJT Log for comparison...


report back...

PS: should MBAM not install, then rename the EXE to something else, e.g. MBAM.EXE to 123test.exe

as there are malware out there that check certain filenames and kill these before they can be installed...



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
I've been running a complete scan with Dr.Web CureIt pre- reading your reply to the thread on my only only harddrive (120Gb) and it's almost done.

Once it's complete I will reboot and carry out your instructions, thanks for the support :)

 
Upvote 0 Downvote
Unable to copy n paste log file content as site continously timeouts (after several reboots and multiple attempts to post)

Attach hijackthis.logs both PRE and POST scans using malwarebytes (already had this installed) and SuperAntiSpyware as requested.

Thanks for the help again.

 
 http://www.mediafire.com/?dudmhgyyw0w
Upvote 0 Downvote
Ok, HJT log looks clean, except for the following which you should fix using HJT:

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

Then think about both the Messenger (Microsoft) and Google Taskbar, are they needed? if the answer is "NO, they are not needed." then get rid of them also...

after that is done, grab your XP CD, insert it into the CD ROM, go and open up a Command line Interface (START >> RUN >> type CMD and hit ENTER), there type the following commands:

1. netsh winsock reset
(this resets the Winsocks which may be needed)

2. SFC /SCANNOW
(this is where the XP CD is needed)



report back...


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
Thanks for the reply, I will carry out those the action in HJT.

I don't have an XP CD.

I installed combofix which did install the windows recovery console if this is of some help.
 
Upvote 0 Downvote
I phoned a friend and utilised his xp cd and ran SFC /SCANNOW (after running netsh winsock reset).

It carried out the SFC /SCANNOW without problems.

I rebooted the pc and malwarebytes when I search in google and click a link is still blocking malicious IP addresses.

The TDSSKiller.exe still identifies Atapi.sys as being infected in memory (it can be cured it says) but after reboot it recognises the file is still infected.

I took an Atapi.sys from another pc which shows new datestamp which definately isn't affected, so I'm curious how it believes its infected.

Thanks for helping me out.
 
Upvote 0 Downvote
[quot]when I search in google and click a link is still blocking malicious IP addresses.[/quote]That sounds good... I mean if it is blocking MALICIOUS IP's...

check your HOST file, located at C:\WINDOWS\system32\drivers\etc, it should only have one entry (unless you used S&D and/or SpywareBlaster), and that should be:

127.0.0.1 localhost

as to why TDSSKiller is stating that ATAPI.SYS is infected, it could be reporting it as a false positive...






Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
The latest version of combofix.exe released on 18/04/2010 deleted some files and replaced the atapi.sys file successfully.

TDSSKiller now does NOT detect a problem with atapi.sys and malwarebytes is not blocking IP addresses every few minutes.

Thanks for all the help, I downloaded and ran so many TDSS rootkit killers it would be complicated to document exactly what I did in what order!

So if anyone has a problem with google re-directs I recommend downloading combofix.exe to remove the problem and malwarebytes to prevent it happening again.

Fingers crossed the nightmare is over :)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2ffat
  • Locked
  • News
MalwareBytes may have been hacked
Replies
0
Views
169
2ffat
2ffat
goombawaho
  • Locked
  • News
Malware Injected Into CCleaner 3
Replies
2
Views
157
goombawaho
goombawaho
Tiffc0922
  • Locked
  • Question
Virus / Malware Scans on Local PCs
Replies
5
Views
179
goombawaho
goombawaho
goombawaho
  • Locked
  • Helpful tip
Evil: Poweliks Malware 1
Replies
1
Views
107
kjv1611
kjv1611
andyv2011
  • Locked
  • Question
Looking at Virus Actions
Replies
0
Views
119
andyv2011
andyv2011

Part and Inventory Search

Sponsor

Back
Top