Intractable Google redirector trojan

Welcome to Major Geeks!

Please do the below while I look thru all of your other logs.

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

 

Hmmmmm! Apparently you also run TDSSkiller too before posting as I see it added a fix to your computer. That should have fixed your rootkit prooblem when it correctly the atapi.sys rootkit.

Are you sure you are still being hijacked after a reboot? You do have a couple other things to do but I want to know your real status first.


You should however start on the below now.

I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


Also please attach the below first logs from SAS and MBAM as they are the ones we needed

Code:

"C:\Users\mike\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
Dec 28 2009        1940  "SUPERAntiSpyware Scan Log - 12-28-2009 - 08-34-53.log"
 
"C:\Users\mike\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
Dec 28 2009        1210  "mbam-log-2009-12-28 (06-58-21).txt"
Dec 28 2009        1049  "mbam-log-2009-12-28 (08-17-40).txt"

 

TDSSkiller does not delete the atapi.sys file. It rehooks into a new file that it creates. It was previosly called tsk_atapi.sys and now there is a file named atapi.tsk. As long as you do not delete the tsk_atapi.sys or atapi.tsk files before fixing the registry keys that are pointing to them rather than the atapi.sys file, the PC would still be bootable. It is possible that something else may have deleted the atapi.sys file or the tsk_atapi.sys file.

If your PC is bootable right now, we could use a different fix with ComboFix to just replace the infected atapi.sys file with a clean one and avoid running TDSSkiller. I was just confused by your logs which seem to show everything was fixed.

 

Hmmm? Possibly a new version of the infection is out.

Please download and run the latest version of MGtools then attach the new MGlogs.zip file. I want to see if the registry key for loading atapi.sys has been modified. Do not run TDSSkiller anymore unless I specifically request.

 

It actually has a lot of false detections including the detection of ComboFix and the process.exe file used by MGtools and many other programs. In reality, dr.web just has lots of problems that need to be ignored.

Just download the current version of MGtools which I just updated again about two minutes ago. And run it and attach the new log.

The first Important notes in the READ & RUN ME said the below and you are ignoring this

 

Not necessarily. svchost.exe itself is valid but the infection may have hooked into svchost.exe which is quite common. If you deleted this svchost.exe file, Windows would no longer run.

 

Question: Why are you running this PC without proper protection? I see no antivirus and you are relying only on the less than adequate Windows Defender for antispyware and the also poor Windows Vista firewall.

Okay the service entry in your registry is still pointing to C:\Windows\system32\drivers\atapi.sys which is good. Let's see if we can replace the possibly infected file with another good copy that shows in your logs. Also we will fix a few other problems.



Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of
  allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Please do not rename any log files. You should be posting exactly what we request. i.e., C:\MGlogs.zip and C:\combofix.txt

Totally not correct. You still need a real bidirection software firewall for proper protection for many reasons. One example is, a hardware firewall only protects you from incoming hackers. If you get an infection on to your PC (even by plugging in an infected USB drive), your hardware firewall will allow the malware to dial home or even worse, it will allow your PC to infected other computers on the network behind the firewall.

FireFox has more security holes than Internet Explorer and is currently one of the largest problems we have in the forum with fixing malware issues and hijacks. Even with all of those in place, you still got infected as you mentioned due to a friend installing something. This is another reason you want a real software firewall and obviously a antivirus. A hardware firewall is not going to protect you from identity theft.

Don't know why either.

So you are saying you are not getting search redirections now? Not sure why you are still seeing something with GMER. That is what you would expect if the infection was still in place. Are you sure you have no redirections using any browser. Try both IE and FireFox.

Not sure if this is due to what TDSSkiller did that was causing you problems before or somehow due to the atapi.tsk file that TDSSkiller created. The file we replaced atapu.sys with was a valid file on your system which is a direct replacement for file use with Vista SP2.

 

One more thing I want you to do.

Please download SystemLook from one of the links below and save it to your Desktop

Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the contents of the following codebox into the main textfield:
  Code:

  :filefind
  atapi.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please attach this log to your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Not really a contradiction but yes it is somewhat out of date. Basically it was telling you the one from Vista is better than the older version and provides some protection. However the problem is that it is just not good enough with the evolution that has occurred in malware. If you install an antivirus that has built-in antispyware protection (like Avira, Avast, or AVG), you would have more adequate protection and since the protection of Windows Defender is so limited, it would run okay along side them.


Side note: You need to read this sticky: Don't Bump! It Only Hurts You!!!

 

It did not show any problems in your atapi.sys file. All MD5 codes were valid. However this does not mean that the hackers have not figured out how to keep the MD5 codes the same. Also some other file could be infected.

That was the reason for my question back in message # 19 asking if you were sure! Which brower do the redirects occur with?

 

Note: Please do not attach HijackThis logs. It is already part of MGtools and is run properly when Mgtools is run.

Your logs from MBAM, SAS and HJT show that you have new infections. This is probably occurring because you are running without proper protection. The items shown in your logs are all new!!!! This may explain your new redirections too.

Please run C:\MGtools\GetLogs.bat and attach the new C:\MGlogs.zip file.

 

I was not asking you a question. I was merely pointing out the fact that in msg # 18 I asked "were you sure" because I had a feeling you were still infected.

I do still need to know which browser the redirects occur with.

As stated in the sticky, it does not matter why. Every post bumps your position back to the end of the work queue. If you post a few minutes later or even an hour, the impact is not too large. If you post the next day again before we answer, it could cost you 1 day minimum or possibly 2 days. If you add another additional post another day later, you would then tack on at least another day. If a person were to continually keep adding a post (and some people do) they could potentially never get an answer.

This is explained in the sticky. In most cases the additional info can wait or if you don't care about the delay added by the bump, then add your messages, but remember the effect.

Yes I know but the MD5 code says otherwise which is what I was pointing out. GMER and other tools like it are not perfect and sometimes have problems with false detections. At this point, we still don't know for sure if the atapi.sys file is bad or something else in the chain. It could also just be that GMER is misinterpreting due to the necessary changes that were made when TDSSkiller fixed the problems due to the infected atapi.sys driver being detected and fixed.

You don't need to do anything other than turn your PC on or leave it running. You don't have proper protection and your PC is susceptible to getting reinfected because of this and it was. This is a prime example of why proper protection is required. We have seen brand new PCs out of the box get infected literally with 2 to 5 minutes of connecting the cable to the internet when they are not properly protected. Will this always happen....no! But when a PC like yours has already been infected, especially with malware like you have, odds are very high that your address is already known or that you have malware already installed that will look for more malware to download and install. Again this is a reason why you need a read software firewall installed since a hardware firewall does not protect you from the dial home problem I already mentioned. And neither does the Windows firewall since it is unidirectional and its protection is poorly rated.

SpywareBlaster is a good addition but provides no active protection. You need to install are an antivirus, and antispyware, and a real firewall program. Since many new AV programs include an antispyware component, you could install one like Avira or Avast to add these two components and they should run okay without being impacted by having Windows Defender running. Then you need to install a firewall like Comodo or PC Tools (only the firewall and nothing else from their download since they sometimes come with other adders). However as stated in the READ & RUN ME, DO NOT install anything else right now other than what I ask you to install. Installing these could potentially get in the way of removal or the install could get corrupted by certain malware.

Let's continue with some cleaning steps.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\config\systemprofile\AppData\Roaming\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas.dll,AddConsoleAliasAW (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AntiVirus Plus] "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\config\systemprofile\AppData\Roaming\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'Default user')

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now it would be potentionally be very helpful if you would install Microsoft .NET Framework 3.5 Service Pack 1 since not having it installed is blocking a useful scan from MGtools from running. Also it actually block thousands of other useful programs and webpage scripts from running. If it tells you it needs to reboot to complete the installation, make sure you reboot before continuing with the below.


Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Users\mike\AppData\Local\temp\

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay! While we still do not have everything fixed, we have currently gotten into better shape than seen in previous logs. To try and keep things in better this conditon, please do the below:

Download, install, and update AntiVir Personal Edition

Also download and install PC Tools Firewall Plus <-- make sure you uncheck the options to install Google Toolbar and Threatfire free edition. There's is no sense in installing excess baggage.

Now run GMER again and attach a new log.

Now I want to try and debug a problem where a log for MGtools is not showing up. Click Start, Run, and enter cmd and click OK. This will open a command prompt. In the command prompt Window enter the below black bold print commands. The purple text is only comments to help you follow what should be happening. Observe the spaces in the commands.

cd C:\MGtools <<-- if this works, the prompt should change to C:\MGtools>
processdll << if this runs, a list of process should scroll by and a file name procdll.txt should appear on your Desktop. I expect you may get an error. Tell me exactly what happens.

Then no matter what happens, do the below.


Run this Using ESET's Online Scanner


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• the log from ESET
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Yes I figured it would which is why I stated way back that you need an antivirus and firewall.

We know all about what the infection is and what it does; however, infections do evolve. So either you have a newer vintage or something else on your system had become broken before coming here which may explain why you could not run TDSSkiller without having a problem.

Yes it is one solution which is why I gave it to you in my first message. The other solution is that ComboFix can also automatically fix it in many cases and when it does not, a manual replacement of the files using ComboFix or Avenger also works. We also did this on your PC. So either the infection came back when other infections showed up or on of the other commonly infected .SYS files could also be hooked.

You are at the point where you don't have too much of a choice. I you had your DVD and could boot to the recovery console, you could attempt to manually replace the infected files which may or may not be successful if we don't know all of the files that are infection.

You could make a backup copy of a clean atapi.sys file in the drivers folder and just give it a different name ( like atapi.sys.bak ) and then if you run into a problem after running TDSSkiller, you could boot to safe mode with command prompt. In this mode, you could copy the backup file back to atapi.sys and then reboot. You could even try booting in this mode right now as a learning experiment to see if you can actually get it to boot in this mode. There is no familiar Windows running in this mode. Everything is done from a command prompt like in DOS days.

The clean file to copy is the one I had you use with ComboFix earlier:
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys

And the place to copy it to as a backup would be:
C:\Windows\System32\drivers\atapi.sys.bak

Then from the command prompt, you would cd to the C:\Windows\System32\drivers folder and run the below copy command:

copy C:\Windows\System32\drivers\atapi.sys.bak C:\Windows\System32\drivers\atapi.sys

 

Oh and let me also mention one other possible tool to try but note that I have not tested this tool so you would be a guinea pig. Check out the below:

http://www.esagelab.com/resources.php?n=2

 

Sorry to hear of this problem. The tool sounded promising.

I would say it is not likely since this infection is based on hooking into the running OS files. If you are just backing up your own data, you should not have any problem.