Am I Clean? Don't Think So :(

Discussion in 'Malware Help (A Specialist Will Reply)' started by THE_CANADIAN, Apr 14, 2010.

  1. THE_CANADIAN

    THE_CANADIAN Specialist

    So basically I got a little careless and got a virus. Nothing too serious (I hope); it just opens new browsers with ads. I thought I took care of it, but then it started to run "Antivirus XP", so I decided to run the Read & Run XP procedure.

    I just finished it, and when I am in the browser it still opens up new browsers with spam, so I don't think I am 100% clean, although "Antivirus XP" is gone.

    Everything is attached.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not quite. ;) You missed the log from SUPERAntiSpyware. Please attach it.

    Also I suspect you could be having Google Redirect issues and possibly you may have some problems running EXE files.

    Please run this: GMER - running with a random name and attach the log from GMER.


    You also need to stop using MSconfig to control startups and put your PC into Normal Startup mode as explained in the READ & RUN ME.
     
    Last edited: Apr 15, 2010
  3. THE_CANADIAN

    THE_CANADIAN Specialist

    thanks for the help :D

    - Did the normal startup mode, so you can disable the startup programs with HJT, right?

    - Both logs requested Attached.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you wish to permanently remove them; otherwise see what was given to you in the READ & RUN ME.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. THE_CANADIAN

    THE_CANADIAN Specialist

    Alright, I did everything you asked; logs attached.

    So far I haven't seen a new browser pop up with spam, but if it happens I will post to notify you.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think your problem is gone. It is just in hiding. You appear to have a newer form of a TDSS infection.


    Please run the below and attach the log from GMER.

    GMER - running with a random name
     
  7. THE_CANADIAN

    THE_CANADIAN Specialist

    That's not something I like to hear :$

    Log attached

    Once again, thanks for the help so far.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, run TDSSKiller again.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. THE_CANADIAN

    THE_CANADIAN Specialist

    Logs attached
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it looks like you may have an even newer form of infection than other people. While atapi.sys is being pointed to as being a problem, something else is making it look this way. You need to shutdown ALL protection software and also any Disk Emulation software (like Daemon Tools) if you use any. Then please rerun GMER again and attach a new log. I'm hoping it will show the other driver that is the root of the problem. Make sure you run GMER from drive C not drive D like last time.
     
  11. THE_CANADIAN

    THE_CANADIAN Specialist

    I shut down my protection software and I don't have any disk emulation software.

    I ran GMER from my desktop, so I don't know how it's running from D if that's what it shows. When I run GMER I select all the drives C, D, E, F, G & my external J drive. Should I not be doing this? Only selecting C?

    Let me know, because I don't want to run GMER and have it say the same thing because I'm doing something wrong.

    EDIT: Oh, my temporary folder is set to the D drive because my C drive is getting full. Would the problem be solved if I run GMER in C:\ ? Or does it have to be the desktop?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That explains it.

    Note: Side comment. You cannot keep running Windows XP this way. You have only half of the minimum recommended amount of memory, and having so little free space on the Windows boot drive is also a very bad condition. This PC must run very slowly. You need to get a larger hard disk and get rid of the 5 tiny little drives (C thru G).

    I still don't like the idea that your atapi.sys appears to be infected but it does not want to get fixed and you are not showing signs of other drivers being infected. Do you have any redirection issues or other malware problems?

    Please run this Trend Micro RootkitBuster and attach a log.
     
  13. THE_CANADIAN

    THE_CANADIAN Specialist

    Yeah, I've been putting it off. Maybe it's time to buy a new computer.

    Well, like I said, not very often, but a new browser pops up with spam. Not redirections, just new browsers.

    The log for Trend Micro RootkitBuster is attached, but all it says is "No hidden files found."
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Windows XP boot CD so that we can use it to boot to the Recovery Console?
     
  15. THE_CANADIAN

    THE_CANADIAN Specialist

    Does that usually come with a computer? I'm going to look for it now.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Rarely, since most manufacturers are totally negligent and don't think you will ever need one. They think everyone would like to waste time making factory recovery CDs to return a PC to the state it was shipped in. :(


    Try booting your PC up to the Recovery Console that you installed using ComboFix. Let me know if you can successfully boot to it.
     
  17. THE_CANADIAN

    THE_CANADIAN Specialist

    I don't seem to have the boot CD, and I tried running it into recovery at startup and it just brings me back to the same screen I was on.

    I can try to see if I can get my hands on a CD, since these pop-ups seem to have gotten more frequent today. Don't know what that's a sign of, but I'm sure it's not good lol
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is possibly a sign of the infection getting worse. Let me know if you get an XP CD to try booting from.

    Other options would be to:
    1. put the hard disk into another PC as a slave drive to replace infected file
    2. or make another special boot CD to boot from and then copy the file (like the CD mentioned in the following link in message #17: http://forums.majorgeeks.com/showthread.php?t=214161&highlight=OTLPE )
     
  19. THE_CANADIAN

    THE_CANADIAN Specialist

    Wow, so yes, it is getting worse, because XP malware 2010 just appeared and is running fake scans. I'm going to go with option #2. To make this CD, am I going to have to use a computer that has Windows XP? Or can it be done with one that's on Windows 7? And I can use just a regular CD-R, right?
     
  20. THE_CANADIAN

    THE_CANADIAN Specialist

    Also, I can't run ComboFix anymore. It says there might be a virus patching, "Virut" or something like that.

    :( Let me know about that CD because I'll do it tonight.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's get a new log from MGtools immediately!!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Do the above before worrying about the below, because if you do have Virut, you will be reinstalling.


    You can make this CD (yes, a CD-R) on any PC where you can download the .iso file and the burner program to burn the iso to disk. You don't need IsoBurner if you have your own CD burning software that can do the same thing.
     
  22. THE_CANADIAN

    THE_CANADIAN Specialist

    MG Log attached.

    Let me know what to do; this has me worried that this computer is gonna be a goner lol
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not appear to have a Virut infection. Try making the OTLPE CD and then see if you can actually boot up using it.
     
  24. THE_CANADIAN

    THE_CANADIAN Specialist

    I made the CD and it booted just fine. I did everything you said in the other thread, #17.

    Just, when it says to set the drivers to "Non-Microsoft", I didn't find that option, so I set the drivers to None. Not sure if that's what I'm supposed to do.

    Log attached. If I did something wrong, let me know and I will go back and do it.
     

    Attached Files:

    • OTL.Txt (82.2 KB)
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay just close the OTLPE process window that you have open at this point. Not sure if you left it running all this time. If you did not leave this running then just reboot with this CD again and this time do not double click the yellow OTLPE icon.

    • This time double click the 2xExplorer icon which will open up a multi column Windows Explorer like program.
    • At the top of the 2xExplorer window is a menu. Click View, Sort by, and select Name to have it Sort by file names otherwise files will be sorted by types making it harder to locate a specific file name.
    • Now click the middle pane to select this form and then navigate to the C:\WINDOWS\ServicePackFiles\i386\atapi.sys file. After selecting the middle pane, you can actually navigate in this pane, or you can use the left most column/pane to more quickly navigate thru folders (this is just like Windows Explorer).
    • Once you have located the above atapi.sys file just click it once to select it. You should observe that the top of this middle pane indicates the C:\WINDOWS\ServicePackFiles\i386 folder
    • Now in the right most pane, navigate your way to the C:\windows\system32\drivers folder. When done correctly, you should observe that the top of this right most pane indicates the C:\windows\system32\drivers folder.
    • Use your mouse and drag the selected atapi.sys file from the middle pane into the right most pane and release the mouse button. You will be prompted about over writing the file that is already there. Just click Yes to overwrite it.
    • Now exit/close the 2xExplorer program.
    • Now in the lower left of the Window click the icon that is where a Windows Start button would normally be (looks like a Windows icon but in all blue).
    • Then select Shutdown and on the next Windows like form, select Restart to restart your PC.
    • The CD will automatically eject. Remove the CD and just wait. In a few seconds your PC will reboot into normal Windows.
    • After reboot, see if you still have redirection issues. Also do the below.
    Run TDSSkiller just like previously requested.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  26. THE_CANADIAN

    THE_CANADIAN Specialist

    Logs attached.

    Strangely enough, I haven't had redirection issues all day. After making that CD it's been fine; I don't know if it's coincidence. I'll post here ASAP if I do get one.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still infected which means that the atapi.sys is not really the problem. Another driver file must be causing this and it is not showing in GMER and TDSSkiller is misinterpreting where the problem is. Let's try a different scan from Kaspersky to see if it can detect it. Please run the below and attach the log:

    Running Kaspersky Online Scanner
     
  28. THE_CANADIAN

    THE_CANADIAN Specialist

    I was running the Kaspersky online scan for 4 hours and it scanned about 19000 files, did not find anything, and then the page refreshed itself :( So I can re-run it tonight and post the log tomorrow if you want.

    Also i found this on another forum.

    Seems to have almost the same problem as me. Do you think that might be a solution for me also?

    http://www.bleepingcomputer.com/forums/topic310507.html

    Let me know :)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessarily, since we need to know exactly which driver or drivers are the problem, and your GMER log is not showing anything other than atapi.sys, but we know there is something else since replacing it from the OTLPE boot environment did not help. Any one of several hundred drivers could be infected.

    Right now I was already leaning towards mouclass.sys possibly being infected because your OTL log showed no version info for it which it should have.

    Let's see if we can get ComboFix to run again. Please download and save the current version to your Desktop: combofix.exe

    Now shutdown all protection software and try the below.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  30. THE_CANADIAN

    THE_CANADIAN Specialist

    Did everything you said, logs attached.

    Haven't gotten a pop up or anything today or yesterday.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that appears to have fixed the TDSS infection now let's address a few other issues.

    First we need to collect some additional info on some system files that may have been changed.

    Download and Run SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":
    Code:
    :filefind
    beep.sys
    null.sys
    acpiec.sys

    • Please Confirm everything is copied and Pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.
    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.

    Do you still have iolo's System Mechanic installed? I see things related to it but I'm not seeing it installed.
     
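The three posts above revolve around one question: is a given boot-time driver still the file Microsoft shipped? atapi.sys was replaced from ServicePackFiles\i386, mouclass.sys was suspected because its version resource was blank, and SystemLook was used to locate beep.sys, null.sys and acpiec.sys. The script below is an added example, not part of the original thread or of any of the tools it uses. It applies the same three checks to each driver from PowerShell: version resource present, Authenticode status, and a SHA-256 comparison against the System File Protection reference copies. The driver list, the folder layout under %SystemRoot% and PowerShell 2.0 as the minimum version are assumptions; the -WinDir parameter exists so it can be pointed at an offline Windows folder from a boot CD.

```powershell
# Added example, not part of the original thread. Checks the boot-time drivers the
# thread focused on against the pristine copies Windows XP keeps for System File
# Protection. Assumes the standard XP layout under %SystemRoot% and PowerShell 2.0+;
# run it from an administrator session, or from a boot CD with -WinDir pointing at
# the offline Windows folder (e.g. D:\WINDOWS) so a rootkit cannot filter the reads.
param(
    [string[]]$Drivers = @('atapi.sys', 'mouclass.sys', 'beep.sys', 'null.sys', 'acpiec.sys'),
    [string]$WinDir = $env:SystemRoot
)

$liveDir = Join-Path $WinDir 'system32\drivers'
$refDirs = @((Join-Path $WinDir 'ServicePackFiles\i386'), (Join-Path $WinDir 'system32\dllcache'))

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash only exists from PowerShell 4.0, so use .NET directly
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-FileVersionString([string]$Path) {
    [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).FileVersion
}

function Test-DriverFile([string]$Name) {
    $path = Join-Path $liveDir $Name
    if (-not (Test-Path $path)) {
        return New-Object PSObject -Property @{ Driver = $Name; Status = 'MISSING'; Detail = $path }
    }
    $findings = @()

    # 1. Microsoft drivers carry a version resource; a blank one is the kind of
    #    oddity noted for mouclass.sys earlier in the thread.
    $version = Get-FileVersionString $path
    if (-not $version) { $findings += 'no version info' }

    # 2. Authenticode. XP drivers are catalog-signed and PowerShell before 5.1 does
    #    not consult catalogs, so NotSigned is normal there; HashMismatch or NotTrusted
    #    (an embedded signature that no longer matches the bytes) is not.
    $sig = Get-AuthenticodeSignature $path
    if ($sig.Status -eq 'HashMismatch' -or $sig.Status -eq 'NotTrusted') {
        $findings += "signature $($sig.Status)"
    }

    # 3. Byte-for-byte comparison with the SFP reference copies. A difference can be a
    #    legitimate hotfix, so the reference version is reported for you to compare.
    $liveHash = Get-Sha256Hex $path
    foreach ($dir in $refDirs) {
        $ref = Join-Path $dir $Name
        if ((Test-Path $ref) -and ((Get-Sha256Hex $ref) -ne $liveHash)) {
            $findings += "differs from $ref (ref version $(Get-FileVersionString $ref))"
        }
    }

    $status = 'OK'
    if ($findings.Count -gt 0) { $status = 'SUSPECT' }
    New-Object PSObject -Property @{
        Driver    = $Name
        Status    = $status
        Version   = $version
        Signature = $sig.Status
        Detail    = ($findings -join '; ')
    }
}

$Drivers | ForEach-Object { Test-DriverFile $_ } |
    Format-Table Driver, Status, Version, Signature, Detail -AutoSize
```

The script only reports; overwriting a driver with the ServicePackFiles\i386 copy is the deliberate manual step post 25 walks through in 2xExplorer. The caveat that matters most is the one the thread ran into: a kernel-mode rootkit sitting in the disk I/O path can hand the original bytes back to anything that reads the file from inside the infected Windows, so an OK result obtained from the live system is not conclusive. Run it from the boot CD against the offline folder, or at least treat the live result as one signal next to GMER and TDSSKiller rather than as proof.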
  32. THE_CANADIAN

    THE_CANADIAN Specialist

    I ran systemlook , log has been attached.

    I believe I had System Mechanic on this computer at one point, but I don't have it now and do not use it.

    Thanks for the help thus far :)
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay those look fine.

    Is the below Proxy Server setting ( to a location in Austria ) something you setup?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 81.189.106.138:8080

    If not then add it to the below fix with HijackThis.


    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
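The R1 line above is HijackThis reporting the per-user WinINet proxy setting, and a proxy the user never configured means every browser request is being relayed through someone else's host. The script below is an added example, not part of the original thread or of HijackThis. It reads the same registry values directly, flags a ProxyServer entry that points outside the private address ranges (as the 81.189.106.138:8080 entry did) or an AutoConfigURL, and shows, commented out, the removal that the HijackThis "Fix" performs. PowerShell 2.0 as the minimum version and the single-label-hostname heuristic are assumptions.

```powershell
# Added example, not part of the original thread. Reads the per-user WinINet proxy
# values that HijackThis reports as R1 lines and flags a proxy that points outside
# the private address ranges, as the 81.189.106.138:8080 entry above did. Assumes
# PowerShell 2.0+; the removal commands at the end are commented out on purpose.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-PrivateAddress([string]$HostName) {
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($HostName, [ref]$ip)) {
        # A hostname rather than a literal IP: treat a bare single-label name
        # such as "proxy" as local, anything with dots as external (assumption).
        return ($HostName -notmatch '\.')
    }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv4 only here
    $b = $ip.GetAddressBytes()
    return (($b[0] -eq 10) -or ($b[0] -eq 127) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Get-ProxyFindings {
    $p = Get-ItemProperty $key
    $findings = @()
    if ($p.ProxyServer) {
        # Either "host:port" for all protocols or "http=host:port;https=host:port;..."
        foreach ($entry in ($p.ProxyServer -split ';')) {
            $hostPort = ($entry -split '=')[-1]
            $hostName = ($hostPort -split ':')[0]
            if (-not (Test-PrivateAddress $hostName)) {
                $state = 'active'
                if ($p.ProxyEnable -ne 1) { $state = 'present but ProxyEnable=0' }
                $findings += "ProxyServer -> $hostPort is outside the private ranges ($state)"
            }
        }
    }
    if ($p.AutoConfigURL) {
        # A PAC script can route traffic selectively, so it deserves the same scrutiny
        $findings += "AutoConfigURL -> $($p.AutoConfigURL)"
    }
    $findings
}

$found = @(Get-ProxyFindings)
if ($found.Count -eq 0) {
    'No proxy or PAC configured for this user.'
} else {
    $found | ForEach-Object { Write-Warning $_ }
    # What the HijackThis R1 fix amounts to; uncomment once you know you did not set these:
    # Set-ItemProperty $key ProxyEnable 0
    # Remove-ItemProperty $key ProxyServer   -ErrorAction SilentlyContinue
    # Remove-ItemProperty $key AutoConfigURL -ErrorAction SilentlyContinue
}
```

Run it in the account that was browsing, because the values are per user; a proxy pushed machine-wide would sit under HKLM instead and would not show up here. Even after the rootkit is gone, a leftover proxy entry keeps handing traffic to a host you do not control, which is why the helper asked about it separately.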
  34. THE_CANADIAN

    THE_CANADIAN Specialist

    Logs attached.

    Everything seems to be fine; I haven't gotten a popup/redirection in a couple of days. :cool
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  36. THE_CANADIAN

    THE_CANADIAN Specialist

    Honestly, thank you very much chaslang. I really appreciate that you took the time to help me fix this one (worst one so far). You and the other members on this site are very much helping fight malware.

    Couldn't say it enough, THANK YOU :cool. I'd be lost if it wasn't for all this lol
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
