MalwareCrypt
June 20, 2013, 07:31:33 AM *
Pages: 1 [2] 3
Author Topic: MY HJT Log!  (Read 3897 times)
tim6918
Newbie
Posts: 23
« Reply #15 on: October 21, 2009, 05:55:34 PM »

Volume in drive C has no label.
 Volume Serial Number is D882-54B2

 Directory of c:\dell

07/14/2004  05:22 PM            28,672 ATAPI.EXE
               1 File(s)         28,672 bytes

 Directory of c:\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\i386\COMPDATA

08/10/2004  07:00 AM               881 DECATAPI.HTM
08/10/2004  07:00 AM               449 DECATAPI.TXT
               2 File(s)          1,330 bytes

 Directory of c:\WINDOWS\$NtServicePackUninstall$

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008  02:40 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\drivers

04/13/2008  02:40 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

     Total Files Listed:
               9 File(s)        604,466 bytes
               0 Dir(s)   7,234,445,312 bytes free
Logged
tim6918
Newbie
Posts: 23
« Reply #16 on: October 21, 2009, 06:01:41 PM »

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sphk.sys hal.dll >>UNKNOWN [0x8A039938]<<
kernel: MBR read successfully
user & kernel MBR OK
Logged
Jintan
Administrator
Hero Member
Posts: 3883
« Reply #17 on: October 21, 2009, 06:16:12 PM »

Good, some clean file options to use. If I forget, please remind after these next steps we need to put back the copy we will "borrow" right now.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Especially disable any startup settings you notice in them.



Download The Avenger by Swandog from here and save it to your Desktop, and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

Okay the warning. When the Avenger display opens place a check in the following box:

Automatically disable any rootkits found

Then copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

Code:
Begin copying here:
Files to move:
c:\WINDOWS\ServicePackFiles\i386\atapi.sys | c:\WINDOWS\system32\drivers\atapi.sys

Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

----------

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As"). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

Post that log and the C:\avenger.txt log please.


Also run and post back a new Gmer scan log.
Logged
tim6918
Newbie
Posts: 23
« Reply #18 on: October 21, 2009, 07:24:56 PM »

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\WINDOWS\ServicePackFiles\i386\atapi.sys|c:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished!  Terminate.
Logged
Jintan
Administrator
Hero Member
Posts: 3883
« Reply #19 on: October 21, 2009, 07:29:03 PM »

Good, but better to stay on the task and then post all logs after everything is done. And this way I will more likely see that we are ready for our next repair steps.
Logged
tim6918
Newbie
Posts: 23
« Reply #20 on: October 21, 2009, 10:28:25 PM »

Logged
Jintan
Administrator
Hero Member
Posts: 3883
« Reply #21 on: October 22, 2009, 05:55:46 AM »

A hidden malware service showing, which may be what is causing the Gmer log to show the "unknown section" still.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KillAll::
Driver::
d88254b2
Rootkit::
C:\WINDOWS\system32\.d88254b2\d88254b2.exe

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

---------------

Run a new Gmer scan, and post that and the C:\ComboFix.txt log please.
Logged
tim6918
Newbie
Posts: 23
« Reply #22 on: October 23, 2009, 06:29:44 PM »

Logged
Jintan
Administrator
Hero Member
Posts: 3883
« Reply #23 on: October 23, 2009, 07:43:41 PM »

We need to make more repairs now, but I will also need you to uninstall any Alcohol/Daemon Tools software you might have there. It blurs the Gmer results too much, since it uses much the same methods as rootkits do (it actually is a rootkit, technically). Do that first, and then the following:


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
Firefox::
uStart Page = hxxp://www.ask.com/?o=101760&l=dis
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
IE: &Search - ?p=ZLfox000
FF - prefs.js: browser.search.defaulturl - hxxp://yandex.ru/yandsearch?clid=123047&text=
FF - prefs.js: browser.search.selectedEngine - Яндекс
FF - prefs.js: browser.startup.homepage - hxxp://yandex.ru/?clid=123049
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnli]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomnmll]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]


Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------------

Run a new Gmer scan, and post that log and the C:\ComboFix.txt log please.
Logged
tim6918
Newbie
Posts: 23
« Reply #24 on: October 24, 2009, 07:17:26 AM »

Logged
Jintan
Administrator
Hero Member
Posts: 3883
« Reply #25 on: October 24, 2009, 03:57:24 PM »

I see I was trying to get too much out of that CFScript "Firefox::" option, and set it wrong at that. There are still some of Daemon's Duplex Secure hidden functions there, but of larger concern is that that same important system file shows as altered in some way.


Download Dr.Web CureIt! from here to your Desktop.

When you have done this, boot into safe mode (restart your computer and tap F8 continuously as it restarts)

Doubleclick the drweb-cureit.exe file. Click on Start and Ok and allow it to run the express scan. This is a short scan and will scan all files currently running in memory. If something is found, click the Yes button when it asks you if you want to cure it.

Once the short scan has finished, click on Custom Scan and choose the drives that you want to scan. Click on the drive to select it. A red dot shows which drives have been chosen (if only one drive you will not be shown these options). Click the green arrow > to the right and the scan will begin. At the first sign of infection, Select 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, click the "Select all" button and then click on the Move button. This will move any infected files to the %userprofile%\DoctorWeb\quarantine folder.

Next and this is important, from the main Dr.Web CureIt menu (top left), click File and choose save report list and save the report to your desktop. The report will be called DrWeb.csv and it can be opened in Notepad.

Close Cureit and restart your computer to completely remove any stubborn files. You may get a message saying "No operations performed with some objects in list. Exit program". If so, click "Yes" (You may get a popup offering you a discount if you purchase DrWeb AntiVirus. You may or may not wish to take advantage of this offer later but for now, just close the popup and wait for the scan to finish).

Please post the log in this thread.
Logged
tim6918
Newbie
Posts: 23
« Reply #26 on: October 24, 2009, 10:06:08 PM »

When the scan was done it wouldn't let me cure them.  It just deleted them automatically.  I hope that worked.  Anyways, here is the log.

RegUBP2b-Christine.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
A0188769.reg;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1325;Trojan.StartPage.1505;Deleted.;
A0188849.reg;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1326;Trojan.StartPage.1505;Deleted.;
A0189473.reg;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1327;Trojan.StartPage.1505;Deleted.;
A0189502.reg;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1327;Trojan.StartPage.1505;Deleted.;
A0189503.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1327;Trojan.Click.1487;Deleted.;
Logged
Jintan
Administrator
Hero Member
Posts: 3883
« Reply #27 on: October 25, 2009, 05:56:15 AM »

Not really locating anything of active malware - just something SpyBot removed, a likely mistaken identity of an ISP promotional and then some items in System Restore. The malware infection there is set to re-infect the system file early in the boot process. As of now, the current model for addressing this altered atapi.sys that is most successful is replacing the file before Windows actually loads, using an access called the "Recovery Console". This requires either an XP CD, or a boot disk you can make, but let me know if you happen to have, or can borrow, an XP CD first.

And let's do a new check for clean file copies there.

Go to Start > Run and type:

cmd.exe

and ok. Copy and paste the below string after the prompt, then press Enter >

dir /s /a "c:\*atapi*.*" > c:\find3.txt && notepad c:\find3.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread please.

Once that Notepad textbox opens, also click at the prompt in the still open command console window and type exit to close that.
Logged
Jintan
Administrator
Hero Member
Posts: 3883
« Reply #28 on: October 25, 2009, 06:11:57 AM »

Go ahead and do that file check, and post back on the availability of an XP CD, but I would also still like us to clear out more of what Daemon adds to that system.


Click here to download Duplex Secure's SPTD installer SPTDinst-v162-x86.exe to your desktop, then click the downloaded file to start the installer. When the option appears select Uninstall, and allow the tool to uninstall SPTD from your system. Be sure to reboot after to complete the removal of the SPTD settings.

After the reboot run and post back a new Gmer scan log please.
Logged
tim6918
Newbie
Posts: 23
« Reply #29 on: October 25, 2009, 09:06:18 AM »

I am pretty sure I have an xp disk lying around here somewhere.  I will try and track it down.

 Volume in drive C has no label.
 Volume Serial Number is D882-54B2

 Directory of c:\cmdcons

08/03/2004  10:59 PM            49,558 ATAPI.SY_
               1 File(s)         49,558 bytes

 Directory of c:\dell

07/14/2004  05:22 PM            28,672 ATAPI.EXE
               1 File(s)         28,672 bytes

 Directory of c:\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\i386\COMPDATA

08/10/2004  07:00 AM               881 DECATAPI.HTM
08/10/2004  07:00 AM               449 DECATAPI.TXT
               2 File(s)          1,330 bytes

 Directory of c:\WINDOWS\$NtServicePackUninstall$

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\system32\drivers

04/13/2008  02:40 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

     Total Files Listed:
               9 File(s)        557,512 bytes
               0 Dir(s)   7,374,897,152 bytes free
Logged
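The checks in replies #17 and #27 rest on comparing the copies of atapi.sys that the `dir /s /a "c:\*atapi*.*"` listing turns up, and reply #25 notes that the driver in system32\drivers still shows as altered even though its size matches the ServicePackFiles copy. The script below is an added example written for this thread; it is not code from the thread, from Avenger, ComboFix or Gmer. It parses a `dir /s` listing (the one from reply #15, trimmed to the directories holding atapi.sys), groups the copies by size, and then hashes copies to show that two files of identical size can still differ. The byte strings used for the hash comparison are constructed stand-ins, not real driver contents; the function names are the example's own.

```python
import hashlib
import re
from collections import defaultdict

# Listing copied from reply #15 of this thread (output of dir /s /a "c:\*atapi*.*"),
# trimmed to the directories that contain a copy of atapi.sys.
DIR_OUTPUT = r"""
 Directory of c:\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\$NtServicePackUninstall$

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008  02:40 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\drivers

04/13/2008  02:40 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes

 Directory of c:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386

08/04/2004  12:59 AM            95,360 atapi.sys
               1 File(s)         95,360 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
DIR_ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$")


def parse_dir_listing(text):
    """Turn `dir /s` output into a list of (full_path, size_bytes, date).

    Summary rows ("1 File(s) ... bytes") carry no leading date and <DIR>
    rows carry no numeric size, so neither matches DIR_ENTRY.
    """
    entries = []
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1)
            continue
        entry = DIR_ENTRY.match(line)
        if entry and current_dir is not None:
            date, _time, size, name = entry.groups()
            entries.append((current_dir + "\\" + name,
                            int(size.replace(",", "")), date))
    return entries


def group_copies_by_size(entries, filename="atapi.sys"):
    """Map size -> list of paths for every copy of `filename` in the listing."""
    groups = defaultdict(list)
    for path, size, _date in entries:
        if path.lower().endswith("\\" + filename.lower()):
            groups[size].append(path)
    return dict(groups)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def copies_differing_from(reference, copies):
    """Return the paths in `copies` (path -> bytes) whose hash differs from `reference`.

    This is the step after the size check: a copy patched in place keeps its
    size, so equal sizes say nothing about whether the bytes are original.
    """
    ref_hash = sha256_hex(copies[reference])
    return sorted(path for path, data in copies.items()
                  if path != reference and sha256_hex(data) != ref_hash)


def hash_files_on_disk(paths):
    """Read real files and hash them (for a live system; not exercised here)."""
    return {p: sha256_hex(open(p, "rb").read()) for p in paths}


# Constructed sample contents, not real driver bytes: the second copy has the
# same length as the first, with sixteen bytes overwritten in the middle.
CLEAN_COPY = b"MZ" + bytes(range(256)) * 4
_patched = bytearray(CLEAN_COPY)
_patched[0x80:0x90] = b"\x90" * 16
PATCHED_COPY = bytes(_patched)

SAMPLE_COPIES = {
    r"c:\WINDOWS\ServicePackFiles\i386\atapi.sys": CLEAN_COPY,
    r"c:\WINDOWS\system32\drivers\atapi.sys": PATCHED_COPY,
}

if __name__ == "__main__":
    groups = group_copies_by_size(parse_dir_listing(DIR_OUTPUT))
    for size, paths in sorted(groups.items()):
        print(f"{size:>7} bytes: {len(paths)} copies")
        for path in paths:
            print("         ", path)
    reference = r"c:\WINDOWS\ServicePackFiles\i386\atapi.sys"
    print("same size, different content:",
          copies_differing_from(reference, SAMPLE_COPIES))
```

On the listing from reply #15 the two 96,512-byte copies (ServicePackFiles and system32\drivers) look interchangeable by size alone; only hashing, with `hash_files_on_disk` on a live machine, separates an intact copy from one that has been rewritten in place. Note also that Avenger's "Files to move" operation in reply #17 moves rather than copies, which is why the ServicePackFiles copy no longer appears in the reply #29 listing.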