I could use help with a rootkit

Discussion in 'Malware Help (A Specialist Will Reply)' started by maxrebo, Jun 26, 2010.

  1. maxrebo

    maxrebo Private E-2

    I'm trying to fix (what appeared to be) a browser hijacking problem on a friend's laptop. Both Firefox and IE will go to google.com just fine, but then every search in Google gets redirected to random places (i.e. marthastewart.com and others that I don't recall; just very random).

    Two days ago, I ran Ad-Aware, SUPERAntiSpyware, Malwarebytes and HijackThis. I don't have logs from any of those (or maybe I do, if they saved themselves automatically), but one of them found some things called "rogue antivirus suite" and "fraudpack". So I ran SmitfraudFix, and subsequent scans haven't found those again; however, Google is still redirecting.

    So, today I ran everything again and saved some logs for you guys to look at, because this is beyond my ability to do alone.

    I'm not attaching a superantispyware log, because I couldn't figure out how to make one. It found 13 adware tracking cookies that I deleted. I'm also not attaching MBAM, because it told me that it found nothing.
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Please download TDSSKiller to your Desktop
    * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    * Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -v

    * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    * When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.
     
  3. maxrebo

    maxrebo Private E-2

    I've been using both browsers now for about an hour without incident. So I think the problem is solved! Thanks!

    I have a few questions though: Was the rootkit hiding in imapi.sys? Isn't that a CD-burning driver? How did the rootkit get in there?

    And when TDSSKiller tells me: "File "C:\WINDOWS\system32\DRIVERS\imapi.sys" infected by TDSS rootkit ... 23:00:30:187 2724 Backup copy found, using it..
    23:00:30:250 2724 will be cured on next reboot"

    Where exactly is it finding the backup copy? I was trying to manually replace the corrupt atapi and imapi files in WINDOWS/System32/drivers (I was doing this before you helped me), and I found atapi.sys on my SP3 cd and saved it over the corrupt one, but I had no idea where to find imapi. Those are my only questions. I'm not sure if you guys actually answer these types of questions here, since this isn't a 'discussion' type of forum, but more of a 'post your problem, we'll help you fix it' type of forum, but if you could answer those questions, I'd be quite grateful. If you don't want to explain everything to me, a link with info on this stuff would be super appreciated.

    Thanks again!

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    These newer infections will latch on to all kinds of files. We have seen them even latch on to printer files. There is just no telling where they will attach themselves. I really don't know where it found a backup file that was clean, but if you want to search for any files, you can use this program:

    Download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1

    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
    • A blank window should open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and paste the content of the following codebox into the main textfield under "File":

    Code:
    :filefind
    imapi.sys
    
    • Please confirm everything is copied and pasted as I have provided above.
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).

    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.

    Since that seems to have fixed your redirect issue, if you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:
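For the question raised above about where a clean copy of a driver such as imapi.sys might live and how to tell it apart from the in-use file, here is an added PowerShell example (not from the thread, and not part of TDSSKiller or SystemLook) that lists every copy of a named driver under a few assumed Windows XP locations, hashes each one, and flags the live driver when its bytes match none of the backups. It assumes PowerShell 2.0 or later is installed; the dllcache and ServicePackFiles paths are the Windows File Protection locations on a default install and are assumptions for other setups.

```powershell
# Added example (not from the thread, TDSSKiller or SystemLook): find every copy of
# a driver and hash it, so the live System32\drivers file can be checked against the
# backups Windows keeps. Search roots are assumptions for a default Windows XP install.
param(
    [string]$FileName = 'imapi.sys',
    [string[]]$SearchRoots = @(
        "$env:SystemRoot\System32\drivers",
        "$env:SystemRoot\System32\dllcache",       # Windows File Protection cache
        "$env:SystemRoot\ServicePackFiles\i386"    # files from the installed service pack
    )
)

# SHA-256 via .NET so this also runs on PowerShell 2.0, which lacks Get-FileHash.
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-DriverCopies {
    param([string]$Name, [string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter $Name -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                # Caveat: stock XP drivers are catalog-signed, so Status can read NotSigned
                # even for a clean file; the hash comparison below is the primary signal.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                New-Object PSObject -Property @{
                    Path      = $_.FullName
                    Size      = $_.Length
                    SHA256    = Get-Sha256 $_.FullName
                    Signature = $sig.Status
                }
            }
    }
}

$copies = @(Get-DriverCopies -Name $FileName -Roots $SearchRoots)
$copies | Format-Table Path, Size, Signature, SHA256 -AutoSize
# The in-use driver is suspect when its bytes match none of the backup copies.
$backups = $copies | Where-Object { $_.Path -notlike "*\System32\drivers\*" }
foreach ($live in ($copies | Where-Object { $_.Path -like "*\System32\drivers\*" })) {
    if ($backups -and -not ($backups | Where-Object { $_.SHA256 -eq $live.SHA256 })) {
        Write-Warning "$($live.Path) does not match any backup copy of $FileName"
    }
}
```

A mismatch only tells you the live file differs from the backups (a legitimate hotfix can also cause that), so treat it as a pointer to what to restore or scan, not as proof of infection on its own.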

     
