Any help appreciated - resistant browser hijack + suspicious svchost.exe?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Zoodles, Apr 21, 2010.

  1. Zoodles

    Zoodles Private E-2

    Hi all, many thanks for the time and effort many of you put into helping us victims out there.

    Three days ago I downloaded an ebook which looked legit, scanned it with Comodo first (was clean) then opened it - it immediately disappeared. Thought that's a bit odd, so did a full (updated) Comodo virus scan which came back clean.

    I used Firefox and noticed Google search results were heading off to sites not listed in the results. The first one or two would work correctly then they would go to completely different places - shopping sites, search providers, exotic_burials?? The icon image before the web address for these places was usually a blue swirl - like the number 2 on its side.

    Sometimes a new tab would open all by itself AND while the internet was turned off.

    Tried using IE8 - had the same problems and also noticed that Windows Update can't connect either.

    I've always been protecting this machine with Comodo Internet Security - Firewall, Anti-virus (on access scanning) and Defence.
    Windows Defender and Firewall are turned OFF


    Programs I've run and tried since this happened:

    Cleaned Temp files with CCleaner
    Malwarebytes - many times
    Superantispyware - many times
    Hitmanpro - three times
    ESET online scanner
    Microsoft Malicious Software Removal Tool - clean
    Unhackme - tells me the system is clean
    Tdsskiller - (renamed) and picked up that the atapi.sys was infected - please reboot. Ran again after reboot and it says the same thing. Tried again and the same message appears.
    Installed and now running Avast Free Antivirus - turned Comodo Anti Virus OFF

    The above found a few odds and ends so I cleaned them but the search results still continue to be messed up.

    I've noticed that using Comodo internet network monitor and watching what is accessing the internet it shows that when the browser is hijacked I see an 'svchost' file which grows in size to around 50-150 connections trying to contact many different IP addresses. I've checked a few of these IPs out and they come up as being in Sweden or Bulgaria.

    As stated in your READ ME FIRST guide I've run Superantispyware and Malwarebytes - both clean (although as I said in previous runs they have found a couple of things)

    When I ran Combofix it got to the Disclaimer dialog - I clicked Yes then nothing happened - waited for a while but still nothing. I rebooted and it got as far as the first small progress bar, filled with green then disappeared - even less than first time.

    So I moved on to Rootrepeal which gave me a decompression error (5) when run. I tried downloading the rar and zip versions and from another machine. Tried the file on my laptop and it ran fine.

    And that's where I am now.


    Spent the last three days reading so many pages of similar problems, it seems this is a very common trojan. I don't have the fake security centre popups like many others are having, just it seems the browser redirect and that suspicious svchost behaviour.

    Any help would really be appreciated.

    Machine is Windows 7 32bit with updated patches.

    Superanti and Malware logs attached
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    You did not finish the instructions. You need to complete trying all steps. You need to run MGtools and attach the log.
     
  3. Zoodles

    Zoodles Private E-2

    Ok thanks - MGlogs.zip attached
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you may have the new form of TDSS infection. I see that you have run TDSSkiller at least 7 times and the last time it pointed to atapi.sys and said it would fix it at reboot. It may or may not have fixed it if it is the new form since atapi.sys would not really be the problem.

    Please run the below and attach the log from GMER. If you have any Disk Emulation Software (like Daemon Tools) running, make sure you followed the instructions in step 6 of the READ & RUN ME to disable it with Defogger first.

    GMER - running with a random name


    When you tried to run ComboFix, did you have both Avast and Comodo shutdown as specified? Did you also have UAC disabled??
     
  5. Zoodles

    Zoodles Private E-2

    Thanks chaslang

    Had to run Gmer in safe mode as was getting errors while in normal mode.

    Log is attached.
     

    Attached Files:

  6. Zoodles

    Zoodles Private E-2

    Sorry to 'bump' this but it was at the top anyway and couldn't edit my last post.

    Just tried Combo fix in safe mode, it ran further than before but when it got to ..scanning 'Completed Stage 3' an error popped up with 'Find String (QGREP) Utility has stopped working' A problem caused the program to stop working... Had to click on the 'Close program' button
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your GMER log is clean which would imply that TDSSkiller was able to remove the infection. Are you still having hijack issues?

    You did not answer the below previous questions
     
  8. Zoodles

    Zoodles Private E-2

    Still have issues with Firefox - happened on the 5/6 Google search link. Tried IE8 with Bing and search was hijacked too. Also cannot update with Windows Update - gives error - Code 80072EFE

    When trying Combofix - UAC was off, Avast shields were disabled and Comodo was exited from taskbar although I've noticed even when doing that some remnants of those programs stay in Task Manager and can't be shut down.

    Would it be an idea to uninstall Avast and Comodo then try Combofix again?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! And if that does not work, see if you can run ComboFix in safe boot mode. Also please run the below online scanner from Kaspersky and attach the log:

    Running Kaspersky Online Scanner
     
  10. Zoodles

    Zoodles Private E-2

    Tried Combofix with Avast + Comodo uninstalled - still would not run past first green progress bar.

    Tried in safe mode - it ran, got to around Stage 40 then crashed to blue screen with:

    Windows has been shut down to prevent damage to your computer

    *** STOP: 0x0000008E (0xC0000005, 0x8B1CB1E5, 0x807FDB18, 0X00000000)

    *** rdyboost.sys - Address 8B1CB1E5 base at 8B1C4000, Datestamp 4a5bc19a

    -----------

    Rebooted and had 'Device driver software was not successfully installed:

    Unknown Device X Failed

    --------

    Installed Comodo firewall so I could go online

    Opened Firefox, tried to go to Kaspersky and was sent to dodgy site.

    Quickly looked at Comodo Network monitor and a System32/svchost.exe file was sending out and receiving 66 bytes to about 200+ IP addresses. Checked one online and it comes up as known malware IP address.

    Had to type in Kaspersky address to go to site, it took over 1hr to update 30% (only update not even scan) meanwhile I was being flooded on and off by these dodgy IP addresses. Cancelled Kaspersky.
     
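A defender-side check for the svchost.exe fan-out described in the post above, as an added example that is not part of the thread: it parses netstat -ano output, counts distinct remote addresses per owning PID, and lists the services hosted by any svchost.exe instance over a threshold. Assumptions: an elevated PowerShell prompt on Windows 7 or later, and a constructed threshold of 50 addresses that is not a figure from the thread.

```powershell
# Added example (not from the thread): flag processes whose outbound fan-out
# resembles the svchost.exe behaviour reported above (one process, 200+ remote IPs).
# Assumptions: elevated PowerShell on Windows 7 or later; $Threshold is a
# constructed starting value, not a figure from the thread.
param([int]$Threshold = 50)

function Get-RemoteFanOut {
    # Parses "netstat -ano" lines and returns a hashtable: PID -> set of remote IPs.
    #   TCP    192.168.1.5:49210      93.184.216.34:80     ESTABLISHED     1234
    #   UDP    0.0.0.0:5355           *:*                                  1234
    param([string[]]$NetstatLines)
    $byPid = @{}
    foreach ($line in $NetstatLines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 4) { continue }                  # header or blank line
        if ($parts[0] -ne 'TCP' -and $parts[0] -ne 'UDP') { continue }
        $remote   = $parts[2]
        $ownerPid = $parts[$parts.Count - 1]                  # last column is the PID
        if ($remote -eq '*:*') { continue }                   # unconnected UDP socket
        # Strip the port: IPv4 "a.b.c.d:port" or IPv6 "[addr%scope]:port"
        if ($remote.StartsWith('[')) {
            $ip = $remote.Substring(1, $remote.IndexOf(']') - 1)
        } else {
            $ip = $remote.Substring(0, $remote.LastIndexOf(':'))
        }
        if (@('0.0.0.0', '127.0.0.1', '::', '::1') -contains $ip) { continue }   # local only
        if (-not $byPid.ContainsKey($ownerPid)) { $byPid[$ownerPid] = @{} }
        $byPid[$ownerPid][$ip] = $true                        # inner hashtable used as a set
    }
    return $byPid
}

function Get-ProcessNameMap {
    # PID -> image name, from "tasklist /fo csv" (columns: "Image Name","PID",...).
    $map = @{}
    foreach ($row in (tasklist /fo csv | ConvertFrom-Csv)) { $map[$row.PID] = $row.'Image Name' }
    return $map
}

$fanOut = Get-RemoteFanOut -NetstatLines (netstat -ano)
$names  = Get-ProcessNameMap
foreach ($ownerPid in $fanOut.Keys) {
    $count = $fanOut[$ownerPid].Count
    if ($count -lt $Threshold) { continue }
    $name = $names[$ownerPid]
    Write-Output ('{0} (PID {1}) is talking to {2} distinct remote addresses' -f $name, $ownerPid, $count)
    if ($name -eq 'svchost.exe') {
        # svchost.exe hosts several services per instance; show which ones live in this PID
        tasklist /svc /fi "PID eq $ownerPid"
    }
}
```

The observation in the thread came from the firewall's own connection monitor; a kernel-mode rootkit can hide its sockets from netstat, so an empty result here is weak evidence while a hit is worth investigating.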
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Road blocks in all directions!


    Download OTL by Old Timer and save it to your Desktop.
    • Double-click OTL.exe to start the program.
    • Under Output, make sure that Standard Output is selected.
    • Under Extra Registry section, select Use SafeList.
    • Click the Scan All Users checkbox.
    • Click on Run Scan at the top left hand corner.
    • When done, two Notepad files will open.
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Click the OK button.
    • Just close the notepad windows and attach these logs from OTL to your next message.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Then attach the below logs:
    • the two logs from OTL
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. Zoodles

    Zoodles Private E-2

    Thanks again for your efforts chaslang but still having the same problem...
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay! I did not expect the last fix to resolve your redirect problem. It was just miscellaneous cleanup and collection of information from the new scan from OTL. We are trying to locate the system file ( or files ) that have been replaced with fakes and this can be difficult at times when not directly shown by any of the normal scans. The malware is making all of the system files appear to be of normal times, dates, sizes, and to have valid MD5 codes. Currently the only file showing up to be infected is atapi.sys as shown in the logs from TDSSkiller that you ran. However, sometimes atapi.sys is indicated as the problem when it is not.

    We need to find a backup for atapi.sys that we may need to restore from. This may or may not work depending on whether atapi.sys is really the source of the problem or not. The below is just to collect information. It will not fix anything.


    Please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
    • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following quote box into the main textfield under "File":
    • Please Confirm everything is copied and Pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.
    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.

    Now download DDS and save it to your Desktop
    • Disable any script blockers/protection software
    • Now double click dds.scr to run the tool.
    • When it finishes, DDS will open two (2) logs
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your Desktop.
    • And then attach them to your next message.


    Do you have your Windows 7 boot DVD that could be used to boot to the System Recovery Options if necessary?
     
    Last edited: Apr 26, 2010
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also please do the below.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :OTL
    O7 - HKU\S-1-5-21-698486764-79579113-2045735674-1001\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
    
    :Commands
    [emptytemp]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Attach the new log it produces in your next reply.
     
  15. Zoodles

    Zoodles Private E-2

    Thanks for your continued efforts chaslang - all logs included below.

    I don't have a Win 7 disk as it came pre-installed but I can access the recovery console from the F8 boot options (I also made a repair DVD when I got the machine a few months ago - not sure if that's the same thing?)
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  17. Zoodles

    Zoodles Private E-2

    Yes I have that screen and command prompt option.

    Only difference - it says 'Operating System: Windows 7 on (E:) Local Disk' - I'm guessing E is the partition where Win 7 backup files are kept.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure about that. Your OS was on drive C and you had another disk as drive D
    Code:
    Item Value 
    Drive C: 
    Description Local Fixed Disk 
    Compressed No 
    File System NTFS 
    Size 465.66 GB (500,000,878,592 bytes) 
    Free Space 123.88 GB (133,014,626,304 bytes) 
    Volume Name  
    Volume Serial Number C2B8F6DF 
      
    Drive D: 
    Description Local Fixed Disk 
    Compressed No 
    File System NTFS 
    Size 149.04 GB (160,031,014,912 bytes) 
    Free Space 25.36 GB (27,227,201,536 bytes) 
    Volume Name  
    Volume Serial Number EC48DF37 
    Drive E was your CD ROM.

    What happens if you click the Command Prompt button?
     
  19. Zoodles

    Zoodles Private E-2

    Of course, you are right - E: is my CD/DVD drive.


    Clicking command prompt opens black window titled:

    'Administrator: X:/windows/system32/cmd.exe'

    with cursor flashing at end of line:

    'X:/windows/system32>_'
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay before booting back to this command prompt window, from normal Windows, copy the below file

    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys


    And put the copy at C:\atapi.sys so that it is much easier to get to without a lot of typing. If for some reason you cannot copy it to C:\atapi.sys then try copying it to c:\windows\atapi.sys

    Then boot back to that System Recovery, Command Prompt line and at the command prompt, enter the below series of commands that are in bold black each followed by the enter key. The purple and brown text is just informational.

    cd drivers
    • Note the space after the cd. The prompt should change to X:/windows/system32\drivers>
    • If it does not change to this prompt, you must not continue. Just come back and tell me what happened.
    ren atapi.sys atapi.sys.old
    • Note the space before each atapi
    copy x:\atapi.sys atapi.sys
    • Use the above if you had previously copied the file mentioned above to C:\atapi.sys. And then skip the below copy command. Otherwise run the below copy command if you previously copied the file to the Windows folder. You should see a message about 1 file being copied
    copy x:\windows\atapi.sys atapi.sys
    • Use the above if you had previously copied the file mentioned above to C:\windows\atapi.sys. You should see a message about 1 file being copied
    dir atapi.sys
    • Make sure you get a file listing showing the atapi.sys file. If you do not, that means something above did not work. You must not shutdown or reboot until you get this file copied because your PC will not boot up if this file is missing. If it becomes necessary to get the file back, just use ren atapi.sys.old atapi.sys to rename back the original copy.
    Then reboot your PC normally and run TDSSkiller one more time.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

     
  21. Zoodles

    Zoodles Private E-2

    Ok I did everything down to copying the atapi.sys in DOS because I got a file not found message.

    Did a check for another file on the root of C: which I know is there and also got file not found. I did a dir check on the x:/program files folder and it only came up with 4 folders - my C:/program files must have over 40 folders

    Strangely it seems in DOS my C: drive is the E: drive, my D: drive is my C: - completely different to what Windows 7 sees them as. Doing a dir on the E: showed all the contents of what I know in Windows as my C: drive??! :confused

    So after all that I was able to make a copy of the atapi.sys using your commands but in the E: drive. It confirmed the copy and I could reboot back as normal.

    Ran TDSSKILLER, rebooted, ran MGlogs. Out of interest tried TDSSKILLER again and as always it says that atapi.sys is infected and as always it never cures it on the next reboot.

    Tried Google and it redirected on fourth search link...
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because the atapi.sys file must not be the source of the infection since we have replaced it. TDSSkiller is incorrectly seeing it to be the problem when there is another driver that is actually the problem. We will have to use a different method to find the real problem file. Please read ALL of the below and print it to refer to while trying to follow the instructions while offline. Make sure you understand all of it and ask any questions you have before starting.
    • Please download maxlook and save it to your Desktop.
    • Right click maxlook.exe and select Run As Administrator to run it.
      • Note - you must run it only once!
    • As instructed when the tool runs, restart the computer and logon to the System Recovery Environment.
      • Select Command Prompt like you did the previous time
      • Once you get to the System Recovery Options screen, we will have to change directories and drive to the E drive which you have now determined to be your operating system drive. The instructions are below.
    • Type the following bolded command at the x:\sources> prompt (or x:\windows\system32>) then hit Enter.
      • cd /d e:\windows <--- the red e represents your operating system drive letter, as shown in the image below which happens to show drive C rather than E. So where you see C: in the below, you should have drive E. Also note that this picture shows Vista but you will have Windows 7. NOTE: there is a space after the cd and before the e:
    • At the C:\Windows> prompt type the following look.bat command then hit Enter (You can see how it looks in the above image).
      • look.bat
    • You will see many files copied then return to the e:\windows> prompt.
    • Type Exit then restart your computer and logon in normal mode.
    • Please click Start > Run and type
      • maxlook -sig
    • Then hit enter. A logfile will open, please attach this logfile.
     
  23. Zoodles

    Zoodles Private E-2

    Thanks chaslang

    Log attached
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that appears to indicate another driver as suspected. Are you still unable to run ComboFix? Can you run it in safe boot mode with Avast disabled? The next step could possibly be easier if we could run ComboFix since it may be able to correct the problem file. Otherwise we would have to replace the file manually from the system recovery console.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the meantime, let's also get a copy of the file we will need.

    In a normal Windows boot environment ( that is, NOT from the System Recovery Console), use Windows Explorer to copy the c:\windows\system32\drivers\vdrvroot.sys and put the copy into the C:\windows folder so that you have c:\windows\vdrvroot.sys

    Then right click on the file c:\windows\vdrvroot.sys and select Properties. Then click the Details tab and make sure that it shows the below:
    File description: Virtual Drive Root Enumerator
    Product name: Microsoft Windows Operating System
    There will be more info than the above but those two lines are a sufficient check.
     
  26. Zoodles

    Zoodles Private E-2

    Still can't run combofix successfully. Ran it again and it got as far as the disclaimer screen yes/no option - I clicked Yes and it just stopped working (gave it ten minutes still nothing)


    Ok I've copied the vdrvroot.sys file to the Windows folder. File properties were as you stated.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then boot back to that System Recovery, Command Prompt line and at the command prompt, enter the below series of commands that are in bold black each followed by the enter key. The purple and brown text is just informational.

    cd drivers
    • Note the space after the cd. The prompt should change to e:/windows/system32\drivers>
    • If it does not change to this prompt, you must not continue. Just come back and tell me what happened.
    ren vdrvroot.sys vdrvroot.sys.old
    • Note the space before each vdrvroot
    copy E:\windows\vdrvroot.sys vdrvroot.sys
    • The above should make a copy of the file you copied into your Windows folder while normal Windows was running and put it into the drivers folder. You should see a message about 1 file being copied
    dir vdrvroot.sys
    • Make sure you get a file listing showing the vdrvroot.sys file. If you do not, that means something above did not work. You must not shutdown or reboot until you get this file copied because your PC may not boot up if this file is missing. If it becomes necessary to get the file back, just use ren vdrvroot.sys.old vdrvroot.sys to rename back the original copy.
    Then reboot your PC normally and run TDSSkiller one more time.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
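The procedure above restores a driver from the DriverStore\FileRepository copy, which is also the natural reference for finding the replaced driver in the first place. The script below is an added example, not part of the thread or of any tool it names: it hashes every .sys in the OS volume's drivers folder and compares it with the same-named copies in the DriverStore, reporting the Details-tab fields the thread used to check vdrvroot.sys. Assumptions: it runs from a clean environment (WinPE with PowerShell, or the disk attached to a known-clean machine) against the mounted volume, because, as noted earlier in the thread, the running infected system can present fake file contents and hashes; $SystemDrive is a hypothetical parameter, e.g. E: as the recovery prompt labelled the OS volume above.

```powershell
# Added example (not from the thread): compare each driver under <volume>\Windows\System32\drivers
# with the same-named copies in DriverStore\FileRepository, the backup location the thread
# restored atapi.sys from. Assumptions: run from a clean boot environment against the mounted
# volume (an active rootkit can fake hashes read from inside the infected OS); $SystemDrive
# is a hypothetical parameter such as 'E:'.
param([Parameter(Mandatory = $true)][string]$SystemDrive)

function Get-Sha256Hex {
    # SHA-256 via .NET so it also works on PowerShell 2.0, which has no Get-FileHash.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Compare-DriversWithStore {
    param([string]$DriversDir, [string]$RepoDir)
    # Index every .sys in the DriverStore: lower-case file name -> list of SHA-256 values
    $store = @{}
    foreach ($f in (Get-ChildItem -Path $RepoDir -Recurse -Filter '*.sys' -ErrorAction SilentlyContinue)) {
        $key = $f.Name.ToLower()
        if (-not $store.ContainsKey($key)) { $store[$key] = @() }
        $store[$key] += Get-Sha256Hex $f.FullName
    }
    # Hash the live drivers and classify each one against the store copies
    $results = @()
    foreach ($d in (Get-ChildItem -Path $DriversDir -Filter '*.sys')) {
        $key  = $d.Name.ToLower()
        $live = Get-Sha256Hex $d.FullName
        if (-not $store.ContainsKey($key)) { $status = 'no-store-copy' }
        elseif ($store[$key] -contains $live) { $status = 'matches-store' }
        else { $status = 'DIFFERS' }
        # The Details-tab fields the thread used to check vdrvroot.sys, read from the PE resource
        $results += New-Object PSObject -Property @{
            Name        = $d.Name
            Status      = $status
            Description = $d.VersionInfo.FileDescription
            Product     = $d.VersionInfo.ProductName
            Sha256      = $live
        }
    }
    return $results
}

$root       = $SystemDrive.TrimEnd('\')
$driversDir = $root + '\Windows\System32\drivers'
$repoDir    = $root + '\Windows\System32\DriverStore\FileRepository'
$report = Compare-DriversWithStore -DriversDir $driversDir -RepoDir $repoDir
# DIFFERS is a lead, not a verdict: a driver updated by Windows Update can legitimately
# differ from an older store copy, so confirm a flagged file's hash against a known-clean system.
$report | Sort-Object Status, Name | Format-Table Name, Status, Description, Product -AutoSize
```

Drivers with no copy in the store (reported as no-store-copy) still need checking another way, for instance by hashing them against the same file on a clean installation of the same Windows version and service pack.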
  28. Zoodles

    Zoodles Private E-2

    Ok did all that successfully and for the first time tdsskiller said no infection.

    Used Google/Yahoo for about ten minutes, must have clicked on over 50 links and NO redirections! Windows update now works too. Comodo internet monitor also seems to show much less random outbound svchost activity.

    Can't quite believe it may be gone. Thank you so much chaslang, I bet you must have thought this thing would never be removed, so thanks for sticking with me and my computer.

    It still amazes me how easily a small file can infect a system and completely evade all leading malware/antivirus programs - if it wasn't for people like you giving advice I'm sure we'd all have to reinstall.


    Mglogs attached...
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean now.

    On the contrary! I knew we could get it fixed. It was just a matter of isolating the problem file. As I said back in message # 4, I did not believe atapi.sys was the source of the problem even though TDSSkiller implied it was. These infections are evolving all the time to make it more difficult to find and remove. When the malware creators learn the steps we take to find and remove the infection, they will try to adapt the infection to defeat the detection and removal procedures.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
