
My computer is badly infected and I'm getting frustrated with it. I know a little about virus removal and have successfully removed malicious threats before. This time I really need to seek some help. This is my first post, so please notify me if I do something wrong.

I thought I had a rootkit and followed some advice I found on this forum. MB kept finding the same ".sys" file and tried to delete it on startup. It never did get deleted though. Then I ran Root Repeal and wiped the malicious file out of there. MB then was able to delete the malicious files. I thought everything was fine. Then, I still noticed suspicious pop ups in my Mozilla Firefox sessions. Also, I noticed suspicious alerts in my Norton Antivirus History. So, I ran MB again a few days later and more threats were found. Every time I remove the threats they seem to pop up again. I think something has dug itself deep in my PC. Is it a Rootkit? I could really use some help.

I want to start at square one. Can someone walk me through this? If not, I will have to do a complete reformat. I can run whatever programs and post the necessary logs.

I am running Norton Internet Security 2009. I have MB, HijackThis, and Root Repeal. I know Combofix is an option too, but haven't gone down that road yet.

I am attaching some logs to this message. The first two are MB logs (first one is before removal of 16 items and the second is after it is supposedly clean). The other two are HJT and RootRepeal logs. All of these were run two days ago.

Thanks so much for reading all of this and helping anyone you can!

Josh

P.S. While I was typing this, Norton Quarantined a Trojan Horse. This information might be helpful?

mbam_log_2010_02_08__12_09_43_.txt

mbam_log_2010_02_08__16_01_44_.txt

2010_02_08_HJT_Log.txt

2010_02_08_RR_Log.txt


  • Staff

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change, from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O1 - Hosts: ::1 localhost

O1 - Hosts: 94.232.248.66 antivguardian.com

O1 - Hosts: 94.232.248.66 www.antivguardian.com

O2 - BHO: Internet Explorer Plugin - {9A5B84B4-FC31-41F3-8744-EE1599395BCD} - kcgjaist.dll (file missing)

O20 - AppInit_DLLs: wbsys.dll,zudorava.dll

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Then, please update MalwareBytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
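The three O1 lines above are hosts-file entries: the system resolver consults that file before DNS, so a line such as `94.232.248.66 antivguardian.com` silently sends that hostname to whatever server the malware chose. As an added example (not code from the thread or from HijackThis), the script below reads a hosts file and reports what a practitioner would want to look at: non-loopback mappings (redirects, and the hijack of `localhost` itself) and loopback mappings for names other than `localhost` (often legitimate ad blocking, but also the classic way malware blackholes antivirus update servers). The sample hosts content is constructed to mirror the entries quoted in the post; the `updates.example.test` line is invented for the sinkhole case.

```python
"""Triage a Windows hosts file for the redirects HijackThis reports as O1 entries.

Added example for this thread; not from HijackThis or the original post.
"""
import ipaddress

# Constructed sample, modelled on the O1 lines in the post above.
# The last line is invented to show the "sinkhole" case.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
::1             localhost
94.232.248.66   antivguardian.com
94.232.248.66   www.antivguardian.com
127.0.0.1       updates.example.test   # constructed: a blackholed update host
"""

# Names that must only ever resolve to a loopback address.
LOOPBACK_ONLY = {"localhost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name maps nothing
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def triage_hosts(text):
    """Return (kind, ip, hostname) for every entry worth a second look.

    redirect        - a hostname sent to a non-loopback address
    loopback-hijack - 'localhost' sent anywhere but 127.0.0.1 / ::1
    sinkhole        - a hostname other than 'localhost' pinned to loopback
    Plain loopback mappings for 'localhost' are benign and are not reported.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback:
            if name not in LOOPBACK_ONLY:
                findings.append(("sinkhole", str(ip), name))
            continue
        kind = "loopback-hijack" if name in LOOPBACK_ONLY else "redirect"
        findings.append((kind, str(ip), name))
    return findings


def group_by_address(findings):
    """Collapse findings by destination: one rogue server usually fronts several names."""
    by_ip = {}
    for _kind, ip, name in findings:
        by_ip.setdefault(ip, []).append(name)
    return by_ip


if __name__ == "__main__":
    for kind, ip, name in triage_hosts(SAMPLE_HOSTS):
        print(f"{kind:16} {ip:16} {name}")
    print(group_by_address(triage_hosts(SAMPLE_HOSTS)))
```

Run it against `C:\Windows\System32\drivers\etc\hosts` (read the file, pass its text to `triage_hosts`) and compare the output with what HijackThis lists; grouping by address is useful because every name pointed at the same rogue IP belongs to the same infection and should be removed together.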


Hi miekiemoes, and thanks for the quick reply!

I removed all the Viewpoint entries as you suggested and restarted my computer. I then fixed the entries you suggested using HJT. The only one that was missing was "O20 - AppInit_DLLs: wbsys.dll,zudorava.dll". It was not there when I ran HJT, but I removed all the other entries. I also updated and ran MB and generated both logs. I have attached these logs to this message.

Please look these over and tell me where to go from here.

Also, I keep getting errors popping up regarding "Data Execution Prevention". I also keep getting errors that reference "ccSvchst.exe" and "C:\Windows\system32\svchost.exe". I have attached a jpeg image to this message that shows you what these errors look like. Could this have something to do with Norton Internet Security? I often see svchost.exe trying to access the internet in my Norton history log. I can provide that history log to you if necessary.

Thanks again and I look forward to your next reply.

Josh

2010_02_13_HJT_Log.txt

mbam_log_2010_02_13__22_41_30_.txt

post-31709-1266120261_thumb.jpg


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hi,

UPDATE: I successfully ran ComboFix and generated a log file for you.

I backed up some data to my external hard drive and uninstalled some old programs. Basically I cleaned up some junk off my computer then downloaded and ran ComboFix. I disabled as many Norton features as possible, but couldn't get it to shut down completely. I don't think it interfered, but I can run it again if necessary.

Please see the attached log file. After running CF, I am already noticing that the computer is much more efficient. :-)

Thanks!

Josh

2010_02_16_CF_Log.txt


  • Staff

Hi,

Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.

  • Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click the exe file.
  • The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
  • In any case, after the initial scan is complete, click on the Save button, and save the log file somewhere you can easily find it, such as your desktop, and attach it in your reply.


Hi,

I ran the GMER Rootkit Scanner as you requested. The initial scan took only a few seconds and it did not ask me to perform a full scan. I saved the log file and have attached it.

Thanks,

Josh

Sorry, the log file must not have attached. I will try again. I see, it won't let you upload files with a "log" extension. I have changed it to a "txt" extension. This way worked.

Josh

2010_02_17_GRS_log.txt


  • Staff

Hi,

Your atapi.sys appears to be infected. Let's find out where you have copies present, so do the following...

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


  • Staff

Hi,

Since this variant changes all the time and uses extra protection mechanisms, the safest way to deal with this is to do it via a boot cd.

You do have the Recovery Console installed since you used ComboFix; however, one single mistake can cause an unbootable situation. That's why I think it's safer to replace the infected atapi.sys with the Hiren boot CD, because in case something goes wrong, you'll still be able to access your files etc.

Please visit the website to download the bootcd > http://www.hirensbootcd.net/details/10.0.html

Just extract everything into a folder & double click on "BurnToCD.cmd" in order to burn it to CD.

Then boot the computer using the Hiren CD which you just burned. When you get to this screen, select "Start Mini Windows Xp":

[screenshot: HirenBootCD_menu.png]

It will then look like this:

[screenshot: hirenboocd_desktop.png]

In the Hiren Boot "Mini Windows Xp"

1) Locate this file - C:\Windows\System32\Drivers\atapi.sys

2) Rename it to atapi.sys.bad

3) Then copy the atapi.sys from the c:\windows\system32\dllcache folder to the C:\Windows\System32\Drivers folder

When finished, restart the machine & boot back to your normal OS.

Once back into the OS, run SystemLook again (the same way as you used it before) and post the log in your next reply.
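The two staff posts above describe one procedure: locate every copy of atapi.sys (the SystemLook `:filefind` step), then rename the copy in Drivers and replace it with the one from dllcache. The script below is an added example, not code from the thread, SystemLook or Hiren's BootCD, showing how to do the same with a hash comparison so the decision rests on file contents rather than on a filename or size. The directory layout and file bytes are constructed placeholders built in a temp folder so the example runs offline; on a real case, `find_copies()` would be pointed at the drive mounted from the boot CD. Two caveats a practitioner would add: read the files from outside the suspect OS (the Mini Windows XP environment the post describes), because a kernel-level rootkit can hide its modification from tools running on the infected system; and a hash match between the Drivers and dllcache copies only shows the two files are identical, not that either is the vendor's driver, which takes a known-good hash or an Authenticode signature check.

```python
"""Find every copy of a Windows driver under a drive root and compare them.

Added example for this thread; not from SystemLook, Hiren's BootCD or the
original posts. The tree is constructed with placeholder bytes (no real
driver code) so it runs offline.
"""
import hashlib
import os
import shutil
import tempfile

DRIVER_NAME = "atapi.sys"
LIVE = "WINDOWS\\system32\\drivers\\atapi.sys"        # the copy the kernel loads
REFERENCE = "WINDOWS\\system32\\dllcache\\atapi.sys"  # Windows File Protection cache


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, name=DRIVER_NAME):
    """Return {relative_windows_path: (size, sha256)} for every file named `name`.

    The name match is case-insensitive because Windows paths are.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "\\")
                found[rel] = (os.path.getsize(full), sha256_of(full))
    return found


def compare_to_reference(copies, live_rel=LIVE, ref_rel=REFERENCE):
    """'match' if the live driver hashes like the cached copy, 'mismatch' if not,
    'missing' if either path was not found."""
    live, ref = copies.get(live_rel), copies.get(ref_rel)
    if live is None or ref is None:
        return "missing"
    return "match" if live[1] == ref[1] else "mismatch"


def check_tree(root):
    return compare_to_reference(find_copies(root))


def repair_from_reference(root):
    """Steps 1-3 of the post: rename the live driver to .bad, copy the cached one in.

    Only safe when `root` is a drive mounted from a boot CD, not the running OS.
    Returns (status after repair, whether the .bad backup exists).
    """
    live = os.path.join(root, *LIVE.split("\\"))
    ref = os.path.join(root, *REFERENCE.split("\\"))
    os.replace(live, live + ".bad")
    shutil.copy2(ref, live)
    return check_tree(root), os.path.exists(live + ".bad")


def build_constructed_tree(infected=True):
    """Constructed C:\\ layout for the demo. With infected=True the Drivers copy
    differs from the dllcache copy by a few bytes but keeps the same size, so a
    size check alone would not catch it."""
    root = tempfile.mkdtemp(prefix="fakec_")
    drivers = os.path.join(root, "WINDOWS", "system32", "drivers")
    cache = os.path.join(root, "WINDOWS", "system32", "dllcache")
    os.makedirs(drivers)
    os.makedirs(cache)
    clean = b"MZ" + b"\x00" * 62 + b"placeholder clean atapi.sys"
    live = clean[:-4] + b"\xcc\xcc\xcc\xcc" if infected else clean
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(live)
    with open(os.path.join(cache, "atapi.sys"), "wb") as f:
        f.write(clean)
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    for rel, (size, digest) in sorted(find_copies(root).items()):
        print(f"{size:8d}  {digest[:16]}...  {rel}")
    print("before:", check_tree(root))
    print("after: ", repair_from_reference(root))
```

Keeping the renamed `.bad` copy until the machine has booted cleanly, as the poster did, is the right order of operations: it is the only thing that lets you back out if the replacement driver turns out not to boot.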


Hello,

I'm sorry for the delayed response. I've been very busy. I followed your instructions and ran the Hiren boot CD and copied the new "atapi.sys" file to the drivers folder. I then ran SystemLook using the instructions you previously gave me. I've attached the log to this message.

Do I have to delete the file that I renamed "atapi.sys.bad"? I just left it in the drivers folder after I copied the other one into it. Please let me know.

Thanks,

Josh

2010_02_22_SL_Log.txt


  • Staff

Hi,

You can remove the C:\WINDOWS\system32\drivers\atapi.sys.bad now.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Hi Miekiemoes,

I removed the atapi.sys.bad file and uninstalled ComboFix like you suggested. Ever since I ran ComboFix, things have been better with my computer. Do you think the infected atapi.sys file was the problem? If so, do you know what type of virus/rootkit I had?

It turns out my Norton subscription was expiring, so I renewed my subscription with my ISP and got Norton 360. I ran a full computer scan and updated and ran MB again. I found no viruses or spyware present on my PC. I reinstalled Mozilla Firefox and surfed the net. I didn't see any popups come up.

So, I think it is fixed! Do you have any other thoughts or suggestions?

Thanks a million,

Josh


  • Staff

Hi,

Yes, the infected atapi.sys was the cause. You were dealing with the TDL3 rootkit.

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


This topic is now closed to further replies.