My PC woke up with the "Google Redirect" social disease. Ran 8 steps twice. Now what?

Status
Not open for further replies.

Rwolf01

Happy Thanksgiving, and a sincere thank you for your kind assistance...

Here are the details of my system:

Dell Dimension 8300. (3GHz P4, 2.5GB RAM)
WD1200 SATA system disk and mirrored WD5000 SATA data disks
XP Home (SP3 w/ latest updates)
TrendMicro Office Scan. (current)
IE 8.0.6001.18702

My Most Recent Cleaning Activity:

1: Full Scan With Trend Micro Office Scan (nothing new found)
2: CCleaner (including prefetch files)
3: Killed TrendMicro's ntrtscan, ofcpfwsvc, pccntmon & tmlisten processes.
(Office Scan wants a password I don't have to unload, so this is the next best thing)
4: Ran MalwareBytes (log attached)
5: Ran SuperAntiSpyware (log attached)
6: Reconfirmed Java is current
7: Ran Hijack This (log attached)

Note: These scans find nothing new, but earlier runs did remove some suspect items. I have temporarily disabled TrendMicro's OfcDog.exe to avoid nuisance hits in SAS.

I eagerly await your wise counsel.

Best Regards,

Rwolf01
 
Just to be clear, the redirect problem persists even after the standard scans were run.

I've looked through older logs where Tmagic650, Bobbye, Kritius & others helped similarly afflicted people. To save them time, I plan to run the ESET and Kaspersky Online Scanners (but not ComboFix) and post the logs.

I've also backed everything up, just in case things get worse...

Standing by,

- Rwolf
 
Logs from Kaspersky & ESET Online Scanners

Here are the logs. Looks like some dubious attachments to old emails, but they are very unlikely to ever get opened, so they are probably not active.

I just reconfirmed that the search link redirect hack is still active.

Any advice?

Hope you had a good Thanksgiving.

- Rwolf
 
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
 
Here's what happened.

Thanks for the prompt reply. I'm documenting from my laptop as I try this...

random named GMER file downloaded.

Rebooting directly to safe mode w/o networking. (do it right the 1st time)

Double clicked on random named file.
Clicked Run at the security warning.
GMER 1.0.15.15252 window pops up and starts scanning.
Found a "suspicious modification" of atapi.sys!

Enabled scanning of my data disk, as well as the system disk, and clicked SCAN.
10 seconds into the scan I blue screen:

"A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: kxtdrpod.sys. An attempt was made to write to read-only memory.
<snip>
Technical information:
*** STOP: 0x000000BE (0xF747E078, 0x0AB76161, 0xBAFE3B38, 0x0000000B)
*** kxtdrpod.sys - Address BA6D59DB base at BA6CA000, Datestamp 4b07cc32"

I eagerly await further advice. In the meantime, I will attempt to find an appropriate atapi.sys file from another machine and manually replace the modified one.

- RWOLF
 
Do this in normal mode.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
 
Sorry for the delay in replying. I got an unmodified atapi.sys, but when I attempted to rename the suspect one, it would succeed, but the unnamed file would reappear before I could copy over the unmolested file!

Seems like the malware is guarding that file to prevent it from being removed...

Bounced into command-line Safe Mode & I could rename the file. Copied over the unmolested atapi.sys. COMP said they were different. Set the unhacked driver file to be read-only.

Bouncing back into normal mode to check if the good version is still there...
It lives on, at least for now...

Killed monitoring programs & network connection.
Retrying GMER to see if it still bluescreens. Yup, it does.

Reboot. atapi.sys still the good one.
Starting ComboFix as instructed:
monitor SW killed
combofix started... Accepted disclaimer... Installing Recovery Console... (network reactivated)
Scanning. Stage 1, stage 2, stage 3, 4, 5, 6, 6A, 7... 33,41,48... preparing log report.
Note: At this point the entire desktop is black, and only the combofix console window exists.
Log file appears and the desktop returns.
Log file will be attached in next posting.
 
ComboFix log file.

Should be attached.

Note: Internet Explorer 8 has started doing a funny thing. In some situations it will go berserk and start loading multiple copies, as fast as it can spawn them, until there are dozens of IE windows filling the screen and task bar.

Not sure if that is related or not. Think I'll rerun the 8 basic steps...
 
OK, let's not try to get ahead of ourselves and potentially mess things up.

Follow my instructions and we will sort you out.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    /md5start
    atapi.sys
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy both of these files with your next reply.
 
Aye aye, Cap'n.

I ran Trend Micro, CCleaner and MWB before I got your message. Nothing unusual found.

Disabled all real time monitoring.

OTL download gives me an "Unsafe Download Security Warning"; looks like it's from Windows Security Center. (captured it as a GIF, let me know if you want to see it)

Took a leap of faith and downloaded anyway.

OTL starts. Closed all others. Setup as instructed and starting scan.

Note: Used COMP.EXE from the command line to confirm that the atapi.sys I manually installed is still in place. The molested version of atapi.sys has been renamed to atapi.sys.spooky.

Scan completes. Will upload files in next post.
 
Redirects fixed! Are we done?

I almost forgot to check, but now that the atapi.sys file has been restored, the redirects seem to have disappeared.

The symptoms have resolved... does that mean I'm fully cured?

If not, why not?

- Rwolf
 
Oops. Still redirecting after all.

I got one or two searches that went through and thought I was cured, but it's still hacked. I rechecked the atapi.sys and it still appears to be the good one, so there is something else going on.

As requested, I am uploading the currently installed atapi.sys from C:\windows\system32\drivers.

I am also attaching the suspect file, which I renamed to a harmless extension, in case someone better than me wants to do forensics on it. (it should NOT be installed, unless you plan to wipe your system afterwards!)

Note: I get an upload error "Invalid File" when I try to attach. I'm guessing driver files are not allowed to be posted. Will zip it and try to upload that.

That worked. Download and open with care.
These files are from a hacked system!
 

Attachments: atapi.zip (53.3 KB)
The suspect file is not genuine
The new one is

No malware found in the suspect one, though, but I believe replacing it with the current MS one has fixed it.
 
But I'm still getting redirects...

The atapi.sys problem is now fixed, but something else is still going on....

My earlier post that the problem was resolved was an overly optimistic interpretation of one or two searches that worked.... once I started using the computer again in earnest I quickly found other searches that were getting hijacked.

Any advice on how to proceed would be much appreciated...

At what point does "FORMAT C:" become the right answer? :)
 
At what point does "FORMAT C:" become the right answer? :)
Never

You cannot Format C, as the filesystem is on it
You must always remove the partition for clean installs (not Format)

Please wait for Kritius' support; I have not followed this thread in full.
 
It was just a metaphor... I could have just as easily said "rm -rf" but that would be showing my age... :)

But I'll await captain's orders on whether to forge ahead with salvaging this install or wipe the system disk and rebuild windows. (and all the applications... blerg!)

Still hoping for a magic bullet!

- Rwolf
 
Can you attach the screenshot. I would say that atapi.sys is still infected, this infection has a habit of showing virus scanners what they want to see.

Also, I believe I have what I need to continue.

Print out these instructions to use while in the Recovery Console:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following entries, each followed by 'Enter' (note the spaces):

cd system32\drivers
ren atapi.sys atapi.sys.vir
copy c:\windows\system32\dllcache\atapi.sys c:\windows\system32\drivers
exit


6. Type y to the prompt and press 'Enter'.

7. Type exit and press 'Enter'. Your computer should reboot.


Reboot into Normal mode and run ComboFix and post the log here.
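The OTL /md5start check earlier in the thread, the COMP.EXE comparisons, and the Recovery Console step above all come down to one question: does the atapi.sys that actually loads from system32\drivers match the reference copies Windows keeps (dllcache, ServicePackFiles) or a copy taken from a known-clean machine? The script below is an added example written for this page; it is not part of any post here and not code from OTL, ComboFix or GMER. It walks a directory tree, hashes every file with the given name, and reports the copies whose hash disagrees with the majority, or with a reference hash you pass in. The Windows-style directory layout and the file contents in the demo tree are constructed for the example and are not a real driver image. As this thread shows, run a check like this from outside the infected operating system (a boot CD, or the disk mounted on another machine): a rootkit that intercepts reads of the driver it has patched can hand a normal-mode process the clean bytes, which is why the helper warned that this infection shows scanners what they want to see.

```python
import hashlib
import os
import tempfile
from collections import Counter


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a large driver is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_driver_copies(root, name):
    """Map every file called `name` (case-insensitive) under `root` to its SHA-256.

    On an XP install the copies of interest are system32\\drivers (the one that
    loads at boot), system32\\dllcache (the Windows File Protection cache) and
    ServicePackFiles\\i386 (the service pack's install source).
    """
    name = name.lower()
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name:
                path = os.path.join(dirpath, fn)
                found[path] = sha256_of(path)
    return found


def divergent_copies(hashes, reference=None):
    """Return the sorted paths whose hash does not equal `reference`.

    With no reference (for example a hash taken from a clean machine), the most
    common hash among the copies is used. If no hash has a strict majority the
    function cannot tell good from bad and reports every copy for manual review.
    """
    if not hashes:
        return []
    if reference is None:
        counts = Counter(hashes.values())
        (top, top_n), = counts.most_common(1)
        if top_n * 2 <= len(hashes):
            return sorted(hashes)
        reference = top
    return sorted(p for p, h in hashes.items() if h != reference)


def build_demo_tree(base):
    """Constructed stand-in for a Windows tree: three atapi.sys copies, one tampered.

    The bytes are made up for the demo (assumption); they are not a real driver.
    The tampered copy keeps the same size, so a size check alone would miss it.
    """
    clean = b"MZ" + b"\x90" * 62 + b"demo atapi.sys body" * 100
    tampered = clean[:256] + b"patched" + clean[263:]
    layout = {
        os.path.join("WINDOWS", "system32", "drivers", "atapi.sys"): tampered,
        os.path.join("WINDOWS", "system32", "dllcache", "atapi.sys"): clean,
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "atapi.sys"): clean,
    }
    for rel, data in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return base


def demo():
    """Run the check over the constructed tree; returns the flagged relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hashes = find_driver_copies(tmp, "atapi.sys")
        flagged = divergent_copies(hashes)
        return [os.path.relpath(p, tmp).replace(os.sep, "/") for p in flagged]


if __name__ == "__main__":
    # Against a real disk: find_driver_copies(r"D:\WINDOWS", "atapi.sys")
    # with the infected volume mounted as D: from clean media.
    for p in demo():
        print("hash disagrees with the other copies:", p)
```

Majority voting is only a convenience: an infection that replaced the dllcache copy too would outvote the clean file. A hash from a known-clean machine of the same service pack level, passed as `reference`, is the stronger check and is what the poster's COMP.EXE comparison against a file pulled from an uninfected system amounts to.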
 
Here's the screen shot & ComboFixLog you requested.

Kimsland said atapi.sys was genuine. I'm inclined to agree, given that CMD COMP.EXE says the file is identical to one I pulled from an uninfected system.

I will nevertheless follow your instructions to the letter.

Rerunning combofix:
monitor programs killed
combofix is downloading newer version....
made system restore point & backed up registry
scanning...
done.

Logfile is attached.

You should know that I've installed a new monitor, keyboard and mouse so some driver files will have legitimately changed within the last 48 hours...

I did 1/2 a dozen google searches after ComboFix finished and did not notice any redirects. Will continue exercising the system before declaring victory.

Standing by for further instructions....

Thanks again for your assistance and persistence!

- Rwolf
 
The atapi.sys problem is now fixed, but something else is still going on....

My earlier post that the problem was resolved was an overly optimistic interpretation of one or two searches that worked.... once I started using the computer again in earnest I quickly found other searches that were getting hijacked.

Any advice on how to proceed would be much appreciated...

At what point does "FORMAT C:" become the right answer? :)

That looks OK; my earlier post about atapi.sys still being infected was in reference to the above post.

However, GMER showed no more modifications.

Post a fresh OTL log for me.
 
OTL log attached.

Fair enough.

I've done a few more searches now, so my confidence that we've exorcised the daemons is increasing... (pun intended :)

The OTL log is attached. Absent other instructions I ran it as follows:

Kill the usual monitoring programs
close all windows
Minimal output, +LOP check +Purity Check
\\ No extras
Run Scan

Incidentally, one of the things I googled was OTL. It turns out to be a Korean emoticon for failure and despair. (view it as the side view of a stick figure. He is on hands and knees, hanging his head...)

Ironic, given that we appear to be close to victory...

Thanks again for your help!

- Rwolf
 
Your logs are clean as far as I can see.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")
 