Possible MBR rootkit

Discussion in 'Malware Help (A Specialist Will Reply)' started by mark_wr, Mar 14, 2010.

  1. mark_wr

    mark_wr Private E-2

    Hello All,

    I'm new to this forum, and have never used a forum before, so I apologize if I do anything wrong. I hope this "Malware Removal" is the right one for a possible rootkit problem. I took time to read the forum rules before placing this...my first post. Per the "READ & RUN ME FIRST. Malware Removal Guide", I:

    1. Only have one anti-virus and one firewall program (and have Windows Firewall Off).
    2. I closed all programs, uninstalled Java 6.17, rebooted, installed Java 6.18 (no reboot requested).
    3. Empty Recycle Bin.
    4. I emptied Quarantine folders for Malwarebytes and Avira Antivir, but not ComboFix (waiting for answer...see below).
    5. I already have Ccleaner running on every boot, sorry about not having default options set...it's already been run with my options as follows: Under the Windows tab, everything is checked except for Advanced (where "Old Prefetch data" and "Custom Files and Folders" are checked using one Include and one Exclude path). Under Applications I have everything checked except "Saved Form Information" and "Compact Databases". Firefox/Mozilla is listed there (I assume as my default browser). Under Options I have Normal file deletion (vs Secure), do not Wipe Free Space, have a white list of cookies to keep, and under advanced only have checked "Save all settings to INI file". There is only one user account on the PC, so multiple login/runs are not needed.
    6. I have a 32-bit version of Windows XP Home Edition SP3.
    7. I am set for viewing of hidden files, system files and file extensions.
    8. I don't use MSconfig to filter startup programs (I know the reasons not to). I do use Startup Control Panel to do so, but it has not been changed in a long time, and any entries moved to the "Deleted" tab may have been for programs uninstalled a long time ago, so it would be risky to try and revive those, though a registry cleaner may find them as orphans if they were revived. In my HKLM/Run tab which is for current program, everything is checked to run (nothing is filtered out). Otherwise, MSconfig is set for Normal Startup mode.
    9. Uninstall Malware via Add/Remove Programs: The only thing I found that may be in your list is xp-AntiSpy. Is it related to your "XP Antivirus Protection (any version/year)" listing? It appears I installed it 4/28/2009, but I doubt I've run it since then. Also, I did decide to uninstall "Coupon Printer for Windows" since ComboFix seemed to reference it, and I don't want it anyway.
    10. Ran all steps in the "Windows XP Cleaning Procedure".
    ======== COMBOFIX
    I apologize for having run ComboFix before finding this forum and joining. Here are the steps I took when I ran it based on directions found at a forum thread I was reading at forum.avast.com, I:
    1. Renamed download.bleepingcomputer.com/sUBs/ComboFix.exe jgh.exe "before" downloading it to the Windows Desktop.
    2. Closed or disabled all programs including browsers, anti virus, and anti malware.
    3. Ran desktop\jgh.exe
    4. It installed Microsoft Windows Recovery Console.
    5. I let it run without my touching the keyboard or mouse until it finished.
    6. When done, it produced a log. I'll copy that to a file named Cf3-13-10.txt to send you.
    ======== QUESTIONS
    Here are my 2 questions (with some background).
    On 3/13/2010, Malwarebytes gave me a warning about a Rootkit.Agent category for file:
    C:\WINDOWS\system32\drivers\tutmx.sys
    It has been put in quarantine with success.
    To be safe, I ran ComboFix (for the first time) for a deep scan, and am including its log.txt file. Note: It was put inside Mglogs.zip when I later ran that. I'm not a ComboFix expert, and wish aid in interpreting its log.txt results, with suggestions for any follow-up steps I may want to take.

    1. I notice in the first section titled "Other Deletions" that it deleted 7 files, and I'm wondering why those files. Some appear to be system files such as regedit.exe, though at this point I can still run that Windows registry editor if I choose. I can not find the file, though I can't recall if that's an "internal" command, in which case I wouldn't see a file. It does appear to have been moved to quarantine with these other files as follows:
    2010-03-13 20:33:03 . 2010-03-13 20:33:03 830 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
    2010-03-13 20:23:30 . 2010-03-13 20:23:30 5,098 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2010-03-13 20:12:47 . 2010-03-13 20:18:59 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2009-03-06 16:33:48 . 2008-04-14 00:12:37 135,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
    2009-03-06 16:33:43 . 2008-04-14 00:12:32 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
    2009-01-27 15:59:05 . 2009-01-27 15:59:05 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Winhelp.ini.vir
    2009-01-27 15:43:36 . 1996-10-20 12:52:12 87,392 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Twain.dll.vir
    2008-03-25 00:01:49 . 2008-06-18 07:24:33 71,008 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\COUPON~1.OCX.vir
    2004-04-01 07:38:58 . 2003-09-03 08:25:04 73,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Sstray.exe.vir

    2. In a section near the bottom of the log is the message:
    "Warning: possible MBR rootkit infection !"
    Can someone tell me if that refers to the prior line that references the file "ntoskrnl.exe" or something else, and what are the recommended steps to take (if any) to improve the situation?
    ======== BACKGROUND
    FYI, here is my typical PC activity:
    O/S = Windows XP Home Edition SP3

    Real-time memory-resident protection (all w/medium to high security settings):
    2WIRE 2701HG-B DSL Gateway = Hardware Firewall (powered off each night).
    Comodo Firewall with Defense+ Security both set to "Safe" modes.
    Avira Antivir Personal.
    Winpatrol (notifies me of any kind of Windows startup entries that have just changed).
    Browser=Firefox w/extensions NoScript (Java-script white list) and WOT (Web Of Trust).

    Run per boot:
    Ccleaner (also set to clean cookies not on my white-list).

    Run at least once per month:
    Windows Update.
    Malwarebytes Anti-Malware (after updating).
    Taskpatrol (to manually review all running tasks).
    SpywareBlaster update.
    One or more registry cleaners/defragers.

    Run as needed:
    Chkdsk.
    Hard drive defrag.
    HJT (HiJackThis), keeping multi-date log history.
    Driveimage xml.
    Update Java version.
    Review Windows Services settings.
    ========
    Thanks for your help. I have to go now, but will check tomorrow to see if anyone has replied yet.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I do not wish for you to delete the contents of the qoobox folder as this is the back up folder for combofix! If CF made a wrong deletion then we will need to restore the file.

    Thanks for making me aware, but you should never follow advice from another thread. Different machine > different fix.

    It deleted regedit.com, not regedit.exe.

    You are using both avira and Comodo Internet Security. CIS includes antivirus also so you should either get rid of avira and stick with CIS or be rid of CIS and install a separate third party AV.

    On your desktop I see a link to the below, what is it? A link to a game?

    On your c drive are a lot of folders such as the following:

    What are they, do you know?

    And again on the root drive I am seeing other strange files, these to name but a few:

    Any idea what those are or what is creating them?

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    DirLook::
    C:\Am
    C:\Ap 
    
    Fcopy::
    C:\WINDOWS\system32\Reinstallbackups\0008\Driverfiles\I386\Atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running with your machine now! and be SURE to answer any questions that I asked. :)

    Thanks
    Kes.
     
  3. mark_wr

    mark_wr Private E-2

    Thanks Kes.
    Here are answers to your questions:
    ======== MULTI AV APPS
    Even though I have both Avira and Comodo Internet Security (CIS) installed, I recall that when I installed CIS, I omitted installing the AV component and only installed the "Firewall" and "Defense+ Security" (which is a feature I really like). So to the best of my knowledge, I only have one AV installed, which is Avira. In fact, in CIS I can't even find a choice among its menus to do an on-demand full scan (or any type of scan), which I would imagine any AV app would allow you to do (in addition to the real-time protection).
    ======== C:\0\BOOBOO.LNK
    I downloaded nircmd.exe from nirsoft.net on 3-13-10 at 2:30pm EST. It is a small command prompt utility with many options. I then created a batch file named Booboo.bat (my wife's nickname) so she could hear a phrase spoken over the speakers. It calls nircmd.exe (which I believe calls a standard Windows component) to turn a text phrase into a spoken result. "Web Of Trust" gives nirsoft.net a high security rating, but I did just upload nircmd.exe to virustotal.com and 3 out of 42 antivirus apps showed a possible malware. Note that nirsoft.net mentions false positives will show up for some of it's utilities. Since only 3 out of 42, these may be false positives, and here are the 3:
    Comodo 4273 2010.03.15 UnclassifiedMalware
    F-Secure 9.0.15370.0 2010.03.15 Suspicious:W32/Malware!Gemini
    Sophos 4.51.0 2010.03.15 NirCmd
    ======== C:\ FOLDERS
    Even though I'm a retired FoxPro programmer, I'm also now a part time Computer Consultant, and I recently (within last 6 months) worked on some projects for my prior employer, and many of those directories are for individual database apps I was modifying for them. Although I'm glad you mention the folder name "Bundle" in your example, because I'm not sure what that is. The folder name shows a date of 2/12/9 (and properties show a create date of 4/28/0). It has 66 files under its folder tree, dated from 7/13/0 thru 3/31/3. Sub-folders are: Money (holds Money.msi), Support\Tools (11 files), Valueadd (many folder/files under it), and Works (holds Works6.msi). That last one made me wonder MS Works? I just risked looking at Readme.htm under Support\Tools, and the first line reads: Release Notes (Readme.htm) for Windows Support Tools for Microsoft Windows XP Professional and Windows XP 64-Bit Edition. I have 32-bit Windows Home Edition, so am a bit confused as to why these tools say they are for a version of Windows I don't have? The more I think about it, I believe this Bundle folder may simply hold software that was bundled with the PC. I next looked for folders in the root that had recent access dates and didn't see anything I didn't know except for Cmdcons which has a create date of 3/13/10...was that created by one of the tools we ran? There's also an Mgtools folder for that app, and the Qoobox folder (which I have not touched other than to view) for ComboFix.
    ======== C:\ FILES
    Again, the files you mentioned are temporary work files (that I have not yet removed) from making program changes to the database apps I was working on, so I know they are legit.

    REQUESTED ACTIONS TAKEN:

    C:\MGtools\analyse.exe...fixed:
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    ComboFix
    Created desktop\CFscript.txt
    Exited all apps and security
    Dragged CFscript.txt onto ComboFix
    ComboFix updated itself
    ComboFix needed to reboot due to rootkit
    The reboot re-loaded my security software, so I had to disable them again to continue
    Rebooted a second time (and I disabled my security again)
    Finished
    Attaching c:\combofix.txt

    Ran C:\MGtools\GetLogs.bat
    Attaching C:\MGlogs.zip

    You asked "let me know how things are running with your machine now". Well, my PC has been running fine all along as far as there have been no visible symptoms other than reports from the various malware apps that suggest a possible rootkit etc. I truly appreciate the time you are taking to ultimately help set my mind at ease as to having removed everything other than false positives. Waiting to hear back.

    Thanks Kes.
    Mark
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please bear with me, I tried to replace an infected atapi.sys file you had with an uninfected copy from another location on your computer but it appears that combofix has not been able to do this successfully, and this is quite unusual, so I am just seeking advice regarding that. Be patient and I will make a response ASAP. :)
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Fcopy::
    C:\WINDOWS\$ntservicepackuninstall$\Atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.
     
  6. mark_wr

    mark_wr Private E-2

    Normally I would wait to post when you ask for a specific reply, but I wanted to give you a little info from my PC for the atapi.sys investigation that may or may not be useful to you. And while I'm at it, I was curious about 3 things in the ComboFix.txt log that I hope you don't mind me asking about as I'm always trying to learn.

    ======== ATAPI.SYS
    Yes, I noticed 2 days ago when I ran C:\WINDOWS\system32\Sigverif.exe that two files were "Not Signed": atapi.sys and pdfr_nst.ppd (which I believe is related to a freeware app that I use often called PDF Redirect that creates a print device to send print output to a PDF file). Here are all the atapi*.* files that I found, including create/modify/access dates (yymmdd format), read/hidden attributes (r h columns), and version numbers (according to Windows properties):

    create  modify  access  r h version        file       size    file date        location
    040401  020829  100315  n n 5.1.2600.1106  atapi.sys  86,912  8-29-2002 11:27  c:\windows\system32\reinstallbackups\0008\driverfiles\i386\
    090124  030331  100313  n n n/a            atapi.sy_  47,242  3-31-2003 8:00   c:\windows\i386\
    040803  040803  100316  n n n/a            atapi.sy_  49,558  3-08-2004 23:59  c:\cmdcons ()
    100314  040804  100315  n n 5.1.2600.2180  atapi.sys  95,360  8-04-2004 1:59   c:\mgtools\temp\ntspu\
    090125  040804  100315  n n 5.1.2600.2180  atapi.sys  95,360  8-04-2004 1:59   c:\windows\$ntservicepackuninstall$\ ()
    100314  080413  100315  n n 5.1.2600.5512  atapi.sys  96,512  4-13-2008 14:40  c:\mgtools\temp\spf\
    040804  080413  100315  n n 5.1.2600.5512  atapi.sys  96,512  4-13-2008 14:40  c:\windows\servicepackfiles\i386\
    090125  080413  100315  n n 5.1.2600.5512  atapi.sys  96,512  4-13-2008 23:40  c:\windows\system32\dllcache\
    090125  080413  100315  n n n/a            atapi.sys  96,512  4-13-2008 23:40  c:\windows\system32\drivers\


    ======== COMBOFIX.TXT
    ======== What is NTDLL modification, and is it something you'll be looking into?
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-15 12:12
    Windows 5.1.2600 Service Pack 3 NTFS
    detected NTDLL code modification:
    ZwClose, ZwOpenFile
    ======== What is MBR rootkit, and is it something you'll be looking into?
    ======== What are LOCKED REGISTRY KEYS, and is it something you'll be looking into?
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SecurePipeServers\winreg]
    @Denied: (Full) (Administrators)
    @Allowed: (Read) (LocalService)
    @Allowed: (Read) (LocalService)
    "Description"="Registry Server"

    Oh I just see you re-posted while I was writing this. I'll send this now and then read your new post.

    Thanks!
    Mark
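
An added example (my code, not catchme's and not from anyone in this thread) of the kind of check behind a "detected NTDLL code modification: ZwClose, ZwOpenFile" line: the bytes of each exported syscall stub in the loaded ntdll.dll are diffed against the same bytes in the on-disk image, and any difference at the function entry is classified as a detour. The stub layout is the 32-bit Windows XP form, assumed here; the syscall indexes and hook displacements in the sample are constructed, not read from a real system.

```python
import struct

# Layout of a 32-bit Windows XP ntdll syscall stub, assumed for this example:
#   B8 imm32         mov  eax, <syscall index>
#   BA 00 03 FE 7F   mov  edx, 0x7FFE0300    ; SharedUserData SystemCallStub pointer
#   FF 12            call dword ptr [edx]
#   C2 imm16         ret  <bytes of arguments to pop>
STUB_LEN = 15
CALL_SEQ = b"\xBA\x00\x03\xFE\x7F\xFF\x12"


def parse_stub(code: bytes):
    """Return (syscall_index, arg_bytes) if `code` starts with a clean stub, else None."""
    if len(code) < STUB_LEN or code[0] != 0xB8:
        return None
    if code[5:12] != CALL_SEQ or code[12] != 0xC2 or code[14] != 0x00:
        return None
    return struct.unpack_from("<I", code, 1)[0], code[13]


def describe_detour(code: bytes) -> str:
    """Name the detour written over a function entry, for the forms hooks commonly use."""
    if code[0] == 0xE9 and len(code) >= 5:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return f"jmp rel32 (displacement {rel:+d})"
    if code[:2] == b"\xFF\x25" and len(code) >= 6:              # jmp dword ptr [imm32]
        return "jmp [0x%08X]" % struct.unpack_from("<I", code, 2)[0]
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:  # push imm32 ; ret
        return "push/ret to 0x%08X" % struct.unpack_from("<I", code, 1)[0]
    return "unrecognised bytes at entry"


def compare_stub(disk: bytes, mem: bytes) -> str:
    """Classify one export by diffing its on-disk bytes against the in-memory copy.

    Syscall stubs contain no relocated addresses, so a raw byte diff is valid;
    for arbitrary code the disk image would need relocations applied first.
    """
    if parse_stub(disk) is None:
        return "unrecognised stub on disk"
    if disk == mem:
        return "clean"
    if len(disk) != len(mem):
        return "hooked: length mismatch"
    first = next(i for i, (a, b) in enumerate(zip(disk, mem)) if a != b)
    if first == 0:
        return "hooked: " + describe_detour(mem)
    return f"hooked: patched at offset {first}"


def check_hooks(on_disk: dict, in_memory: dict) -> dict:
    """Run compare_stub over every export present in both views; name -> status."""
    return {name: compare_stub(on_disk[name], in_memory[name])
            for name in on_disk if name in in_memory}


def make_stub(index: int, arg_bytes: int) -> bytes:
    """Assemble a clean stub; used only to build the constructed sample below."""
    return b"\xB8" + struct.pack("<I", index) + CALL_SEQ + b"\xC2" + bytes([arg_bytes, 0])


# Constructed sample: the on-disk image versus one process's view of ntdll.
# Syscall indexes are illustrative, not a claim about any particular build.
DISK = {
    "ZwClose":      make_stub(0x19, 4),
    "ZwOpenFile":   make_stub(0x74, 24),
    "ZwCreateFile": make_stub(0x25, 44),
}
MEMORY = dict(DISK)
# The hook has overwritten the first five bytes of two stubs with jmp rel32 detours.
MEMORY["ZwClose"] = b"\xE9" + struct.pack("<i", 0x00102030) + DISK["ZwClose"][5:]
MEMORY["ZwOpenFile"] = b"\xE9" + struct.pack("<i", -0x4000) + DISK["ZwOpenFile"][5:]


def detected_hooks(on_disk: dict = DISK, in_memory: dict = MEMORY) -> list:
    """Sorted names of exports whose in-memory code differs from the on-disk image."""
    return sorted(n for n, s in check_hooks(on_disk, in_memory).items() if s != "clean")


if __name__ == "__main__":
    for name, status in check_hooks(DISK, MEMORY).items():
        print(f"{name:14} {status}")
```

This only sees user-mode hooks in one process's view of ntdll; the "possible MBR rootkit" and atapi.sys findings in the same log concern boot-sector and kernel-driver code, which a comparison of user-mode stubs cannot confirm or rule out.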
     
  7. mark_wr

    mark_wr Private E-2

    I created the new CFscript.txt on the desktop and dragged it onto ComboFix on the desktop. As before it updated and said it detected the presence of rootkit activity and needed to reboot. The log still seems to show atapi.sys as a problem, though the "NTDLL modification" message is gone from the log now. I have 4 questions:

    1. I am still using the ComboFix I downloaded to desktop\jgh.exe via the steps that I described in my first post. It does do the update step each time you have had me run it again, which has been about once a day. Should I delete it and follow the download directions from your website instead, just to be safe?

    2. Does the ComboFix run rely on the presence of c:\Mgtools.exe? I have been moving it into c:\Mgtools.7z with a password so that my AV does not popup every time I look at the c: root folder. I then bring it out whenever you need me to run it, and when done remove it again (keeping it in zipped file).

    3. Your final C:\MGtools\GetLogs.bat step you have me do (of course I unzip Mgtools.exe first) seems to also put the c:\Combofix.txt log into its c:\Mglogs.zip, so when that's the case, do you still want me to attach c:\Combofix.txt whenever you are already having me attach c:\Mglogs.zip to my post?

    4. I know this may be paranoid, but when you say to double click C:\MGtools\GetLogs.bat, instead I've been entering C:\MGtools\GetLogs.bat from the Windows start menu as a "run" command, so that the log does not show an open folder running (for me to double click the file from). If you need me to not run it via a run command, let me know.

    Thanks!
    Mark.

    ps - As far as I can tell, Forums.MajorGeeks.com seems to be one of the best Forums I've seen for getting technical help for harder things like Rootkits and the use of ComboFix.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes! Download it from our website and let it overwrite the copy you have.

    No.

    Yes you need not attach it separately.
    Just be sure to follow instructions exactly.

    You're welcome :)

    So run the new combofix, then do the below:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Attach the log from combofix also.
     
  9. mark_wr

    mark_wr Private E-2

    I went to your http://forums.majorgeeks.com/showthread.php?t=139313 "Windows XP Cleaning Procedure" page and clicked the http://download.bleepingcomputer.com/sUBs/ComboFix.exe link and saved the file directly to my windows desktop, and I did not rename the executable (still named combofix.exe). Ran it (it did not ask to update). Still an extra reboot happens due to rootkit activity.

    It appears we still have to find out what is hampering the atapi.sys correction. Would DiskMon from http://technet.microsoft.com/en-us/sysinternals be of any use to us, or would the rootkit still hide its activity from its log?

    Thanks!
    Mark
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have to get off to work soon and won't return until late tonight. I want you to run the below tool and post back:

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.
     
  11. mark_wr

    mark_wr Private E-2

    I ran it, and also attached a screenshot of the dos window.

    Also, I ran sysinternals Sigcheck utility and have attached those results as text and csv versions of the report. You can ignore them if they don't help.

    Have a great day at work, and Thanks!
    Mark
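
An added example, not ComboFix, MGtools or Sigcheck code, that automates the comparison Mark did by hand in post 6 and with Sigcheck in post 11: hash the live atapi.sys, hash every spare copy Windows keeps (dllcache, ServicePackFiles, $NtServicePackUninstall$, ReinstallBackups), read each copy's PE link timestamp, and report whether the live driver is identical to a known copy, has a copy's size but different bytes (what in-place patching looks like), or cannot be read at all. The driver files in the demo are constructed in a temporary directory and are not real binaries; XP_CANDIDATE_PATHS is the set of real locations a run on the machine would pass instead.

```python
import hashlib
import os
import struct
import tempfile

# Where Windows XP keeps spare copies of atapi.sys (the locations Mark listed).
# A run on the real machine would pass these; the demo below uses a temp dir.
XP_CANDIDATE_PATHS = [
    r"C:\WINDOWS\system32\dllcache\atapi.sys",
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
    r"C:\WINDOWS\$NtServicePackUninstall$\atapi.sys",
    r"C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys",
]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pe_link_timestamp(path: str):
    """COFF TimeDateStamp of a PE file, or None if the file is not PE-shaped.
    It is fixed at link time, unlike the filesystem dates shown by Explorer."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return None
        f.seek(struct.unpack_from("<I", dos, 0x3C)[0])      # e_lfanew
        if f.read(4) != b"PE\0\0":
            return None
        return struct.unpack_from("<I", f.read(20), 4)[0]  # TimeDateStamp


def file_record(path: str) -> dict:
    """Size, hash and link timestamp of one file; an 'error' key if it cannot be read."""
    try:
        return {"path": path, "size": os.path.getsize(path),
                "sha256": sha256_file(path), "timestamp": pe_link_timestamp(path)}
    except OSError as exc:
        return {"path": path, "error": str(exc)}


def inventory(live_path: str, candidates: list) -> dict:
    """Compare the live driver with every cached copy that exists and give a verdict."""
    live = file_record(live_path)
    copies = [file_record(p) for p in candidates if os.path.isfile(p)]
    copies = [c for c in copies if "error" not in c]
    same_hash, same_size = [], []
    if "error" in live or live["size"] == 0:
        verdict = "live file cannot be read: check it from an offline boot"
    else:
        same_hash = [c["path"] for c in copies if c["sha256"] == live["sha256"]]
        same_size = [c["path"] for c in copies
                     if c["size"] == live["size"] and c["sha256"] != live["sha256"]]
        if same_hash:
            verdict = "live file is byte-identical to a cached copy"
        elif same_size:
            verdict = "live file has a cached copy's size but different bytes: modified in place"
        elif copies:
            verdict = "live file matches no cached copy: different build or unknown origin"
        else:
            verdict = "no cached copies available to compare against"
    return {"live": live, "copies": copies, "same_hash": same_hash,
            "same_size": same_size, "verdict": verdict}


def _fake_pe(build_tag: bytes, timestamp: int, size: int) -> bytes:
    """Minimal PE-shaped blob for the demo: constructed data, not a real driver."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)  # Machine i386, TimeDateStamp
    head = bytes(dos) + b"PE\0\0" + coff
    filler = (build_tag * (size // len(build_tag) + 1))[: size - len(head)]
    return head + filler


def demo(patch_live: bool = True) -> dict:
    """Lay out a fake driver tree in a temp dir and run inventory() on it.

    Two clean cached copies of one build, one older service-pack copy, and a
    live driver that is either identical to the clean build or patched in
    place (same size, 16 bytes changed). Timestamps are illustrative."""
    root = tempfile.mkdtemp(prefix="atapi_demo_")
    clean = _fake_pe(b"SP3BUILD", 0x4802A0C0, 96512)
    older = _fake_pe(b"SP2BUILD", 0x41108C50, 95360)
    live_bytes = clean
    if patch_live:
        patched = bytearray(clean)
        patched[0x1000:0x1010] = b"\xE8\x00\x10\x00\x00" + b"\x90" * 11  # constructed loader stub
        live_bytes = bytes(patched)
    layout = {
        ("system32", "drivers", "atapi.sys"): live_bytes,
        ("system32", "dllcache", "atapi.sys"): clean,
        ("ServicePackFiles", "i386", "atapi.sys"): clean,
        ("$NtServicePackUninstall$", "atapi.sys"): older,
    }
    for parts, data in layout.items():
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    paths = [os.path.join(root, *parts) for parts in layout]
    return inventory(paths[0], paths[1:])


if __name__ == "__main__":
    result = demo()
    for c in result["copies"]:
        print(f"{c['size']:7d}  0x{c['timestamp']:08X}  {c['sha256'][:16]}  {c['path']}")
    print(result["verdict"])
```

Caveat: on a running system a kernel-mode rootkit that filters disk reads can hand this script, and an upload to Jotti, clean or empty bytes for the live file, so a "byte-identical" or "cannot be read" result from inside the infected OS is not conclusive; the comparison is only trustworthy when made from an offline boot such as the live CD Mark mentions in post 12.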
     

    Attached Files:

  12. mark_wr

    mark_wr Private E-2

    Hi Kes,

    You're still at work, and now I'm also going to leave to do other things until tomorrow, but will leave you a couple more comments:

    I'm trying to help you out by letting you know I could perform tasks that most users would not want to learn. So at least you know we have these extra choices. I'm wondering if you'd like me to download the DrWeb Live CD Image to burn to a blank CD, and then booting off that CD, and trying (from that boot independent of the PC's C: drive operating system) to copy atapi.sys from a good location over the (now unlocked) bad file. I could download/burn it on my laptop instead of the infected desktop as an added precaution. This is the link I would get the CD image from: http://www.freedrweb.com/livecd/how_it_works/
    I've read about and glanced at other rescue CD alternatives, including the Avira_rescuecd.exe (which is not a CD image), but I notice that the DrWeb image seems to be updated on a daily basis which I like. On the other hand you may know of another rescue CD provider you recommend. Note that I've not used this method before, nor even an XP Recovery Console (I'd have to find my emachines original CD for that, which I can probably find, but it may not even have Recovery Console). However, I do know how to change my PC's BIOS setting to put the CD drive at the top of the list of boot devices, and change it back to the hard drive later. I could even boot to a usb 3.5" floppy for any methods you want to use to create one.

    Also, for what it's worth, there's an interesting thread at http://www.bleepingcomputer.com/forums/topic279883.html about an Atapi.sys rootkit issue that was fixed (though probably not the exact same problem I have). I've only skimmed the thread so far, and of course would never take any steps from there because I am strictly working with you for my current problem. I just thought it may give you some ideas of additional things you may wish for me to try via your own worded instructions.

    Have a great day!
    Mark
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks for letting me know your status. I intend to seek some advice from a colleague regarding the problem, so whilst waiting to do so as we are in different time zones, please do the following:

    Please go to Jotti's malware scan

    (If more than one file needs scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\system32\drivers\atapi.sys
    • At the upload site, click the browse button.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Trouble is, each time I have tried to replace atapi.sys from another location (and successfully done so) combofix is STILL showing signs of the file being infected. So as I said I will seek some advice and we will see what gives.
     
  14. mark_wr

    mark_wr Private E-2

    Hi Kes,

    Sorry it took me so long, we had errands to run today. I ran what you asked and when I clicked the "Submit file" button at Jotti, it gives the message "Status: File is empty (0 bytes)!". So it appears the file is locked up, and can not be read.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there. Let's see if this gets us anywhere:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\MGtools\temp\SPF\atapi.sys | c:\windows\system32\drivers\atapi.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.
     
  16. mark_wr

    mark_wr Private E-2

    Here's the new MGlogs.zip. I'll be away for a few hours, and check when I get back.

    Thanks!
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hang in there... I've got work again myself soon. Rest assured I have not forgotten you and I want to get to the heart of your problem and fix it.
     
  18. mark_wr

    mark_wr Private E-2

    While I was waiting to hear back from you, I was curious to see if perhaps the Windows Recovery Console was installed on my PC. I booted and pressed F5 or F8 until the advanced boot options menu came up, and then went to the OS choices menu, and there were 2 choices: Windows XP, and "Microsoft Windows Recovery Console". I picked the Recovery Console to see what I would get (I'd not used it before), and got a screen that showed:

    1: C:\WINDOWS

    Which Windows installation would you like to log onto (To cancel, press ENTER)?

    I assume I would enter 1 to continue. I decided to go no further until submitting this to you. I pressed enter, and it rebooted normally.

    Thanks.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's just do this for now and see what the upshot of it is:

    Please go to Jotti's malware scan

    (If more than one file needs scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      C:\WINDOWS\system32\drivers\atapi.sys
    • At the upload site, click the browse button.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
     
  20. mark_wr

    mark_wr Private E-2

    Hi Kes,

    I believe you already had me try that Jotti scan (in post 13). But I just did it again and still get the message "File is empty (0 bytes)". My wife wants to use the PC soon, and I'll be away tomorrow morning. I'll be back on this PC in about 24 hours to see what new steps you may have for me to try. I assume you saw post about the Microsoft Windows Recovery Console boot option that I have, if we need that at any point.

    Thanks!
    Mark
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good morning, Mark. :) We have concluded that your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  22. mark_wr

    mark_wr Private E-2

    Thanks for your help so far. Please do not close this thread just yet. I was able to boot to the Microsoft Windows Recovery Console, and access C:\WINDOWS\system32\drivers\atapi.sys and rename/move it and replace with the good copy. When I sent the renamed copy to Jotti, it was actually not the version we had been having trouble with, but a copy of the good version of atapi.sys, and I wonder if the potential malware may not have been smart enough to swap the good/bad copies when booting down so that Recovery Console would not be an easy solution. I have to be away for the rest of today, and partly busy for the next 2 days, but will do further research as soon as I can, and let you know.

    Thanks!
    Mark
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since we have been discussing your thread, I think it would be best to tell us what malware issues you are seeing. If you are not being re-directed on the web, having pop ups or other malware signs, then I think you are clean, as we have more than once replaced the file in question with known good files.

    We do not "close" threads as a rule. So do feel free to repost if you find you begin to have issues with malware.
     
  24. mark_wr

    mark_wr Private E-2

    I feel like an idiot. All along I thought one of our problems was that Combofix was unable to overwrite atapi.sys as Kes first mentioned in post#__, which made me glance at the Combofix logs where I kept seeing the "!HASH: COULD NOT OPEN FILE !!!!!" for c:\windows\system32\drivers\atapi.sys, so I incorrectly assumed we were still trying to solve that problem. Now I'm guessing that message is to be expected since the file is in use by the OS, though Kes's request for me to try to send the file to Jetti__ is a bit confusing since atapi.sys can not be opened or copied after a normal boot, and thus 0 bytes are sent up to Jetti__. I'm sorry Kes, because it was probably my mistaken comments thinking something was still wrong with atapi.sys that kept you investigating even after my PC was probably clean. I do have 2 final questions.

    1. I'm mildly curious about something. In the 5 Combofix log files I sent you, in the atapi.sys "COULD NOT OPEN" line, there appears to be a date stamp with date and time of day of the file. The time of day of the newer version of atapi.sys (file size 96512 bytes) seems to jump around but always has :40 as minutes. If so, then why? Does Combofix run partially from the web, using different servers that may be in different time zones, thus reporting the time of day according to their time zone? Or maybe Combofix has rebooted into a debug mode that does not have access to the PC's time-zone configuration? Here are the log entries in the order they were run:
    [-] 2008-04-13 23:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [-] 2008-04-14 03:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [-] 2004-08-04 05:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [-] 2004-08-04 05:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [-] 2008-04-13 18:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys

    2. In the final Combofix log, could you explain each of these 3 lines to me:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A179CF0]<<
    detected MBR rootkit hooks:
    Warning: possible MBR rootkit infection !

    Kes, thanks again for all your help!
    Mark

    ps - To answer your questions from the prior post: I have not been seeing any malware issues (i.e., symptoms) other than the 3 log messages I mentioned above. I never did have the symptom of being re-directed on the web, having pop ups or other malware signs, though I have so many security tools on my PC that I imagine they could have blocked some symptoms even if I were still infected with something.
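An added example, written for this page and not taken from any poster here or from ComboFix itself: a small Python parser for the Sigcheck lines quoted in the posts above. It separates the three cases that are easy to run together when reading the raw log by eye: a copy whose hash matches a reference, a copy that claims a version but hashes differently, and a copy that simply could not be read. The reference table is constructed from the hashes that appear in this thread's own log and stands in for a trusted catalogue; the sample lines are the ones posted here.

```python
import re
from collections import defaultdict

# One ComboFix Sigcheck line. Fields are separated by " . "; a file that
# could not be read carries "!HASH: COULD NOT OPEN FILE !!!!!" where the MD5
# would be and "[------]" where the version would be.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<stamp>\d{4}-\d\d-\d\d(?: \d\d:\d\d)?)\s+\.\s+"
    r"(?P<md5>.+?)\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Reference hashes, constructed for this example from the values in this
# thread's own log. In real use they come from a source you trust more than
# the machine under investigation (install media, a known-clean peer, a
# vendor catalogue).
REFERENCE = {
    ("atapi.sys", "5.1.2600.5512"): "9F3A2F5AA6875C72BF062C712CFA2674",
    ("atapi.sys", "5.1.2600.2180"): "CDFE4411A69C224BD1D11B2DA92DAC51",
}

# Constructed sample input: the Sigcheck block as posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 22:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\Servicepackfiles\I386\Atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$ntservicepackuninstall$\Atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\Reinstallbackups\0008\Driverfiles\I386\Atapi.sys
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text):
    """Parse every Sigcheck line in text into a dict; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["readable"] = bool(MD5_RE.match(e["md5"]))
        e["md5"] = e["md5"].upper() if e["readable"] else None
        entries.append(e)
    return entries


def assess(entries, reference=REFERENCE):
    """Return {path: verdict}. An unreadable file is reported as unverified,
    never as infected: an open handle or a filter driver that intercepts
    reads of the file gives exactly the same symptom as a rootkit."""
    sizes = defaultdict(set)                       # (name, version) -> sizes seen
    for e in entries:
        if e["readable"]:
            sizes[(basename(e["path"]), e["version"])].add(e["size"])
    verdicts = {}
    for e in entries:
        name = basename(e["path"])
        if not e["readable"]:
            same = sorted(v for (n, v), s in sizes.items() if n == name and e["size"] in s)
            hint = "size matches " + ", ".join(same) if same else "size matches no readable copy"
            verdicts[e["path"]] = "unverified: could not hash (" + hint + ")"
            continue
        ref = reference.get((name, e["version"]))
        if ref is None:
            verdicts[e["path"]] = "no reference for this version"
        elif ref == e["md5"]:
            verdicts[e["path"]] = "matches reference"
        else:
            verdicts[e["path"]] = "MISMATCH: hash differs from reference for claimed version"
    return verdicts


def inconsistent_copies(entries):
    """(name, version) pairs whose readable copies do not all share one MD5.
    Two copies claiming the same version but hashing differently is worth
    escalating; one unreadable copy on its own is not."""
    seen = defaultdict(set)
    for e in entries:
        if e["readable"]:
            seen[(basename(e["path"]), e["version"])].add(e["md5"])
    return {k for k, hashes in seen.items() if len(hashes) > 1}


if __name__ == "__main__":
    parsed = parse_sigcheck(SAMPLE_LOG)
    for path, v in assess(parsed).items():
        print(v.ljust(62), path)
    print("inconsistent:", inconsistent_copies(parsed) or "none")
```

Run as-is it reports the dllcache and ServicePackFiles copies as matching the reference, the live drivers\atapi.sys as unverified with a note that its size matches the 5.1.2600.5512 copies, and no pair of readable copies disagreeing with each other. That last check is the one that actually points at a tampered driver; the "could not open" line alone does not.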
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not certain about the time stamps, but I believe they refer to the date and time first created. Again, all of them are normal reports.

    The gmer part of ComboFix may be referring to a section of your MBR that is different than "normal", ( Are you using a Dell or HP computer?) However, again, there is no evidence of that kind of infection and it is ( as we have seen in other logs) probably a FP.

    The fact that you have not had any of the symptoms of either an MBR or atapi type virus would lead us to conclude that Combo is just having some difficulties with your system, not that your system is infected.
     
  26. mark_wr

    mark_wr Private E-2

    You all have been great. Thank you very much. This means my PC is now clean. I'll start doing your "final steps" from post#21.
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Mark! Come back :) We still have work to do. I do apologise for the fact that we issued you with final steps and gave you all clean. You may possibly have a new form of an MBR infection, one that we are not used to seeing and has only just cropped up. I will post something for you shortly.

    Hoping you have your XP CD on hand or if not perhaps you can borrow one.
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654

    After running the fixmbr command and booting back to normal mode, continue with the below.

    2. Download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    3. Reboot the machine now, and then run combofix again. Then:

    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  29. mark_wr

    mark_wr Private E-2

    Hi Kes,

    I already took most the "final steps" to clean off the tools we installed, but we can re-download them as we need them.

    I booted the Recovery Console and ran fixmbr. It displayed this message:

    ** CAUTION **
    This computer appears to have a non-standard or invalid master boot record.
    FIXMBR may damage your partition tables if you proceed.
    This could cause all the partitions on the current hard disk to become inaccessible.
    If you are not having problems accessing your drive, do not continue.

    I answered N (do not continue) because I wanted you to advise me if I should run it anyway.
    Perhaps that warning was to be expected. If not, I have a few comments. I did use the well-known program "PowerQuest Partition Magic version 7.0" (PM) years ago when I first bought this PC, to create a second (logical) partition which is drive D:. I uninstalled Partition Magic back then after I created that partition. I still have the PM CD if I need it. I imagine that PM creates a standard Windows partition (not non-standard), but perhaps that's not correct. If you think it prudent, I could take the time to back up the files from the D: partition to an external (usb) hard drive, and/or I could use the program "DriveImage XML ver 1.21" that I have installed to back up an image of the C: (boot) partition to an external (usb) hard drive, assuming that the infection on my PC would allow me to take those steps in a clean manner (as opposed to moving the malware to the usb hard drive).

    I will wait to see your answers before proceeding.
     
  30. mark_wr

    mark_wr Private E-2

    Note: Since I've already removed MGtools etc, I have this observation regarding the other steps you want me to take after fixmbr:

    Looking at my prior notes, since I no longer have C:\MGtools\temp\SPF\atapi.sys, the only file I have that matches its MD5 (9f3a2f5aa6875c72bf062c712cfa2674) is C:\WINDOWS\Servicepackfiles\I386\Atapi.sys, and so perhaps that is the one we need to use in its place, correct?
     
  31. mark_wr

    mark_wr Private E-2

    While waiting for you, I sent the C:\WINDOWS\Servicepackfiles\I386\Atapi.sys file up to jotti.org and it found no problems. Then I sent it to virustotal.com (which uses 42 scanners vs jotti's 20) and got one hit from the eSafe scanner: "eSafe 7.0.17.0 2010.03.23" found Win32.Rootkit. Of course that may be a False Positive, but wanted to let you know. Is that by any chance the name of the "new form of an MBR infection, one that we are not used to seeing and has only just cropped up"?
     
  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK let's try this:

    Please first run C:\MGtools\GetLogs.bat as requested at the end of msg #28. Don't bother attaching the log yet, but you must run it before doing the below.

    If this fails we have a couple other things to try.

    Download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now give combofix a run again by double clicking it's file.

    Then:

    Now run the C:\MGtools\GetLogs.bat file again by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited by a moderator: Mar 24, 2010
  33. mark_wr

    mark_wr Private E-2

    Since I had already cleaned up (removed tools), I had to perform extra steps:
    Disabled my Antivir Guard
    Downloaded Mgtools to C:\Mgtools.exe
    Ran C:\Mgtools.exe
    I saw the scrolling list say iaStor.sys File Not Found, hopefully that's an optional file (I don't have RAID hard drive setup)
    Ran C:\MGtools\DisableUAC.reg
    Rebooted
    Noticed CCleaner was set to run at each boot, so changed it not to (in case we need to see any new temp files etc)
    Ran C:\MGtools\GetLogs.Bat
    Ran C:\MGtools\EnableUAC.reg
    Oops, I noticed I ran the Vista & Windows 7 instructions (a few extra steps?)...sorry, I have XP SP3
    Downloaded and ran avenger.exe from desktop
    Ran script:

    Files to move:
    C:\MGtools\temp\SPF\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

    Downloaded combofix to desktop and ran.
    It detected the presence of rootkit activity and needed to reboot.
    Around stage 2 or 3 my Antivir (which was now enabled due to reboot) popped up (presence of C:\Mgtools.exe) and I quickly clicked ignore.
    Completed 34 stages and rebooted.
    It displayed a line something like: can not find Whitedir01 ...???
    The "Preparing Log Report" step took longer than I remember (maybe a few minutes).
    I ran C:\MGtools\GetLogs.bat

    Thanks Kes!
    Mark
     

  34. mark_wr

    mark_wr Private E-2

    I just read my email telling me about your "March 23, 2010 22:29" post (which would be post#32 based on timestamp). The text in the email does not exactly match the text in your post. I don't know if that's because you edited the post? The email text starts with:

    "OK let's try this before we have you back up all of your important data and have you run the fixmbr despite the warning."

    ...and the email's script description said to copy from C:\MGtools\temp\NTSPU\atapi.sys rather than post's C:\MGtools\temp\SPF\atapi.sys.

    I just wanted you to know I followed the directions in the post at the thread page, not the email directions that are slightly different.
     
  35. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good. If the next couple of things we try fail then we will try using the fixmbr. Just hang in there because I am still trying to figure out something. I start work soon too.
     
  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hey Mark.

    Please boot to the Recovery Console from CD

    Note: To start the computer from the Windows XP CD-ROM, you must configure the basic input/output system (BIOS) of the computer to start from your CD-ROM drive.

    To run the Recovery Console from the Windows XP startup disks or the Windows XP CD-ROM, follow these steps:

    1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

    2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

    3. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.

    4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

    5. At the command prompt, type:

    6. To exit the Recovery Console and restart the computer, type exit at the command prompt, and then press ENTER.

    Reboot back into normal mode and check the properties on the c:\windows\system32\drivers\atapi.sys file. Do this by Right click Start and select Explore to bring up Windows Explorer. Use it to navigate to the file and right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

    Then... I want you to run combofix.

    Next... Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited by a moderator: Mar 25, 2010
  37. mark_wr

    mark_wr Private E-2

    I booted from the emachines Restore DVD that came with my PC. The newest file on the CD is dated April 2 2004. As I suspected, it booted into a factory restore mode (powered by PC Angel System Recovery). There were 3 choices:
    1. Full System Recovery / Factory Recondition
    2. Non-Destructive System Recovery
    3. Install Master Boot Record
    I did none of those steps.

    I found a BartPE boot CD that I had created on Jan 21 2009. I had created that BartPE CD primarily to be able to run Driveimage XML (which I had installed on that BartPE CD) to back up or restore boot partitions. For what it's worth I also have McAfee Stinger on that CD if we want to run it, though it would be as of 1/21/2009. I booted from the BartPE CD, went to the cmd prompt and entered the following commands:
    c:
    cd\windows\system32\drivers
    ren atapi.sys atapi.old
    COPY C:\WINDOWS\system32\dllcache\atapi.sys c:\windows\system32\drivers\atapi.sys
    I also set the file attributes to read-only, system, hidden to be safe:
    ..\attrib +R -A +S +H atapi.sys
    SHR C:\WINDOWS\system32\drivers\atapi.sys
    While I was still booted into BartPE I went ahead and used Driveimage XML (version 2.02) to make a partition backup of my boot partition (Drive C:) to an external hard drive. I also copied all my directories and files from my other (non-bootable) partition (drive D:) to an external hard drive.
    When I rebooted back to normal Windows on C:, I looked at the attributes of c:\windows\system32\drivers\atapi.sys, and there was no Version tab, though it still had the SHR attributes. I then looked at the renamed atapi.old file and it DID have the Version tab with the correct information.

    I suspect we need to run fixmbr from the Recovery Console. I'm not sure running "Install Master Boot Record" from the emachines Restore DVD would work as well since I added a partition after I bought the PC...does the mbr hold partition info? Though I have backed up the second partition, so I suppose I could re-create it if needed. I will wait for your instructions, but am in a hurry to use this computer to run my income tax software, so please hurry. I hope we can avoid a re-install of Windows as that would take me a very long time to try and reconfigure from.

    Thanks!
    Mark
     
  38. mark_wr

    mark_wr Private E-2

    Hi Kes,

    I decided to run ComboFix on my Laptop (not the PC you are working on), and got the same kind of problem with atapi.sys. I then googled again for other people with my style of problem. I am 99% sure I have found the answer to our problem. Look at http://www.bleepingcomputer.com/forums/topic293569.html titled "Why we request you disable CD Emulation when receiving Malware Removal Advice". They just added that last month. I suggest MajorGeeks may want to put up a similar page. I have a CD Emulation program running on both my PC and laptop (avoids having to constantly load CD's when switching games or applications that need the CD inserted). As suggested there, I ran DeFogger to disable my CD Emulation, and it rebooted, and now when I ran ComboFix on my laptop it did not have to reboot due to rootkit activity, and its log was clean, and I can look at the properties of atapi.sys and see the version tab etc.

    My wife is using the PC (the one you are working on) right now, but I can run DeFogger on it tomorrow morning, and then run ComboFix and send you the new log. Between now and then, if you want me to do other steps let me know and I'll read your instructions before starting in the morning.

    Thanks!
    Mark
     
  39. mark_wr

    mark_wr Private E-2

    Hi Kes,

    Ok, I didn't hear back so I went ahead and downloaded http://download.bleepingcomputer.com/jpshortstuff/Defogger.exe to my desktop and ran it (it rebooted when done). As with my laptop, the properties of atapi.sys are now normal. I then ran Combofix (it did NOT require a reboot due to rootkit activity), and then ran C:\MGtools\GetLogs.bat (log attached).

    Also, I compared the differences between the prior and the new Combofix.txt logs, and saw these changes...


    == THINGS NO LONGER IN THE NEW COMBOFIX LOG:
    ------- Sigcheck -------
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
    [-] 2008-04-13 22:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\Servicepackfiles\I386\Atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$ntservicepackuninstall$\Atapi.sys
    [-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\Reinstallbackups\0008\Driverfiles\I386\Atapi.sys

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A21E630]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf76bbf28
    \Driver\ACPI -> ACPI.sys @ 0xf7586cb8
    \Driver\atapi -> 0x8a21e630
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
    ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
    ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK

    ------------------------ Other Running Processes ------------------------
    d:\pr\Comodo\COMODO Internet Security\cmdagent.exe
    d:\pr\Avira\Avira\AntiVir Desktop\avguard.exe


    == NEW THINGS ADDED IN THE NEW COMBOFIX LOG:
    S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [5/31/2009 12:38 PM 160640]
    S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [5/31/2009 12:38 PM 5248]

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
    detected NTDLL code modification:
    ZwClose, ZwOpenFile
    c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\xc76idwk.default\prefs.js.BAK 84176 bytes
    c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\xc76idwk.default\user.js.BAK 0 bytes
    scan completed successfully
    hidden files: 2

    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(732)
    c:\windows\system32\guard32.dll
    - - - - - - - > 'lsass.exe'(788)
    c:\windows\system32\guard32.dll
    - - - - - - - > 'explorer.exe'(3848)


    I will await to see if you wish me to run further scans or to start cleaning up.

    Thanks!
    Mark
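An added example, written for this page and not from any poster here, nor part of gmer or ComboFix: a Python triage of the gmer MBR-detector block that disappeared from the log (quoted above) and of the two driver lines that appeared in the new one. It parses the hook list, separates hooks that resolve to a named module (CLASSPNP.SYS, ACPI.sys, ntoskrnl.exe) from the one that resolves to a bare address, checks whether that address is the same place where gmer's "called modules" trace went >>UNKNOWN<<, and reads the "user & kernel MBR OK" line, which is what says the MBR sectors themselves were not being hidden. The sample text is the log excerpt as posted; reading the "S4" prefix on the driver lines as ComboFix's stopped flag plus Windows start type 4 (disabled) is this example's assumption about the log format.

```python
import re

# Constructed sample: the gmer MBR-detector block from the old ComboFix log
# posted in this thread, and the two driver lines that appeared in the new log.
OLD_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A21E630]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76bbf28
\Driver\ACPI -> ACPI.sys @ 0xf7586cb8
\Driver\atapi -> 0x8a21e630
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""
NEW_LOG = r"""
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [5/31/2009 12:38 PM 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [5/31/2009 12:38 PM 5248]
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# A hook target is either "module @ 0xaddr" or a bare "0xaddr".
TARGET_RE = re.compile(r"^(?:(?P<module>\S+)\s+@\s+)?(?P<addr>0x[0-9A-Fa-f]+)$")
# ComboFix service line: "<R|S><start type> name;display;path [date size]" (assumed format).
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?\.sys)\b", re.I)


def parse_hooks(lines):
    """Read hook lines until the first line that is not "x -> y [-> z]".
    A line that starts with a member name (ParseProcedure) continues the
    object named on the previous line."""
    hooks, prev_obj = [], None
    for line in lines:
        parts = [p.strip() for p in line.split("->")]
        if len(parts) < 2:
            break
        target = TARGET_RE.match(parts[-1])
        if not target:
            break
        if len(parts) == 3:
            obj, member = parts[0], parts[1]
        elif parts[0].startswith("\\"):
            obj, member = parts[0], None
        else:
            obj, member = prev_obj, parts[0]
        hooks.append({"object": obj, "member": member,
                      "module": target.group("module"),
                      "addr": int(target.group("addr"), 16)})
        prev_obj = obj
    return hooks


def triage(text):
    """Collect the facts a responder needs from one gmer MBR section."""
    lines = [l.strip() for l in text.splitlines()]
    r = {"gmer_present": False, "mbr_consistent": None,
         "unknown_callers": set(), "hooks": []}
    for i, line in enumerate(lines):
        if line.startswith("called modules:"):
            r["gmer_present"] = True
            r["unknown_callers"] = {int(a, 16) for a in UNKNOWN_RE.findall(line)}
        elif line == "detected MBR rootkit hooks:":
            r["gmer_present"] = True
            r["hooks"] = parse_hooks(lines[i + 1:])
        elif line.startswith("user & kernel MBR"):
            r["mbr_consistent"] = line.endswith("OK")
    r["unbacked_hooks"] = [h for h in r["hooks"] if h["module"] is None]
    # The same address being both a hook target and the point where the call
    # trace left every known module means there is one piece of code to explain.
    r["correlated"] = {h["addr"] for h in r["unbacked_hooks"]} & r["unknown_callers"]
    return r


def verdict(r):
    if not r["gmer_present"]:
        return "no gmer MBR section in this log"
    if r["mbr_consistent"] is False:
        return "user-mode and kernel-mode reads of the MBR disagree: something is filtering the MBR"
    if r["correlated"]:
        return ("MBR reads agree, but a dispatch hook points at code outside every named module, "
                "the same address where gmer's call trace lost track: either a rootkit or a "
                "storage filter gmer does not recognise; list non-Microsoft storage drivers "
                "(CD emulation, RAID, encryption) before running fixmbr")
    if r["unbacked_hooks"]:
        return "a hook resolves to an unnamed address; identify what owns it"
    return "every hook resolves to a named module and MBR reads agree"


def listed_drivers(text):
    """Kernel drivers from ComboFix's service list (prefix reading is assumed, see above)."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append({"name": m.group("name"), "path": m.group("path"),
                        "running": m.group("state").upper() == "R",
                        "start": int(m.group("start"))})
    return out


if __name__ == "__main__":
    old = triage(OLD_LOG)
    print("old log:", verdict(old))
    for h in old["unbacked_hooks"]:
        print("  unbacked hook:", h["object"], "->", hex(h["addr"]))
    print("new log:", verdict(triage(NEW_LOG)))
    for d in listed_drivers(NEW_LOG):
        print("  driver:", d["name"], d["path"], "start type", d["start"])
```

On the old log this lands on the middle verdict: the MBR sectors read the same from user and kernel mode, so the MBR itself was not being hidden, but \Driver\atapi's dispatch was redirected to 0x8a21e630, which is exactly where the call trace went unknown. That pattern fits both a rootkit and a legitimate storage filter that sits on the ATAPI stack, which is why the thread's two S4 entries for a347bus and a347scsi in the new log matter: they are the disabled CD-emulation drivers, and once they were out of the stack the whole gmer section went away.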
     

  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry about the delay in a response. Yes you can go ahead and clear up now. We have included a new step into a R&R:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
