Solved Tidserv virus - redirecting webpages

I was really hoping that would work ... but it's still redirecting :( The first link goes to the right spot, but the second time and every time after that gets redirected.

Something else to try?

Liz
 
I'm really running out of ideas here, because I can't see any security issues.

Let's try one more thing...
Restart computer normally.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No CLSID value found.
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} Reg Error: Value error. (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O33 - MountPoints2\{1fa3d02c-e931-11de-b573-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{1fa3d02c-e931-11de-b573-806e6f6e6963}\Shell\AutoRun\command - "" = D:\reatogoMenu.exe -- File not found
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Ok, here is the log from the "run fix":

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\ not found.
Starting removal of ActiveX control {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1fa3d02c-e931-11de-b573-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1fa3d02c-e931-11de-b573-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1fa3d02c-e931-11de-b573-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1fa3d02c-e931-11de-b573-806e6f6e6963}\ not found.
File D:\reatogoMenu.exe not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Liz
->Temp folder emptied: 11583765 bytes
->Temporary Internet Files folder emptied: 1334729 bytes
->Java cache emptied: 9059 bytes
->FireFox cache emptied: 57869880 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1084 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1159062 bytes

Total Files Cleaned = 69.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.1.1 log created on 04122010_073639

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\WebEx\Log\412\atashost.log scheduled to be moved on reboot.
C:\Windows\temp\00000MXL0004.CDX moved successfully.
C:\Windows\temp\00000MXL0005.CDX moved successfully.
C:\Windows\temp\00000MXL0006.CDX moved successfully.

Registry entries deleted on Reboot...


The log from the quick scan run after the fix is attached ...

Still having the redirect problem. Very frustrating. It would seem that replacing the infected/old atapi.sys file would have fixed everything ... I can't understand why it didn't.

Liz
 

Attachment: OTL-quickscan.Txt (79 KB)
Ok, as a last ditch effort, I thought I would run the TDSSKiller file one more time -- my initial reasoning was to see if by chance it found an infected file somewhere other than the two places we replaced the atapi.sys file. However, it only found the one in the windows\system32\drivers folder --- BUT, it found a "suitable" replacement or back-up (I think it found the windows\erdnt\cache one you had me replace) and after reboot it actually seems to be working.

I have tried a couple different searches, in both IE and firefox, and I clicked on at least 4 different links each time and NO REDIRECTS!!! Yay!

I am so excited and now I need to reinstall my Norton antivirus to make sure that I don't get another one.

Thank you very much for your help, I really appreciate it.

Liz

FYI - here is the log from the final run of TDSSKiller, in case it helps for someone else's infection issue:

08:47:34:410 5356 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
08:47:34:410 5356 ================================================================================
08:47:34:410 5356 SystemInfo:

08:47:34:410 5356 OS Version: 6.0.6002 ServicePack: 2.0
08:47:34:410 5356 Product type: Workstation
08:47:34:410 5356 ComputerName: LIZ-LAPTOP
08:47:34:410 5356 UserName: Liz
08:47:34:410 5356 Windows directory: C:\Windows
08:47:34:410 5356 Processor architecture: Intel x86
08:47:34:410 5356 Number of processors: 2
08:47:34:410 5356 Page size: 0x1000
08:47:34:410 5356 Boot type: Normal boot
08:47:34:410 5356 ================================================================================
08:47:34:410 5356 UnloadDriverW: NtUnloadDriver error 2
08:47:34:410 5356 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:47:34:425 5356 wfopen_ex: Trying to open file C:\Windows\system32\config\system
08:47:34:425 5356 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:47:34:425 5356 wfopen_ex: Trying to KLMD file open
08:47:34:425 5356 wfopen_ex: File opened ok (Flags 2)
08:47:34:441 5356 wfopen_ex: Trying to open file C:\Windows\system32\config\software
08:47:34:441 5356 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:47:34:441 5356 wfopen_ex: Trying to KLMD file open
08:47:34:441 5356 wfopen_ex: File opened ok (Flags 2)
08:47:34:441 5356 Initialize success
08:47:34:441 5356
08:47:34:441 5356 Scanning Services ...
08:47:35:814 5356 Raw services enum returned 435 services
08:47:35:829 5356
08:47:35:829 5356 Scanning Kernel memory ...
08:47:35:829 5356 Devices to scan: 2
08:47:35:829 5356
08:47:35:829 5356 Driver Name: USBSTOR
08:47:35:829 5356 IRP_MJ_CREATE : 90B25FC8
08:47:35:829 5356 IRP_MJ_CREATE_NAMED_PIPE : 81E5EA22
08:47:35:829 5356 IRP_MJ_CLOSE : 90B26040
08:47:35:829 5356 IRP_MJ_READ : 90B260B8
08:47:35:829 5356 IRP_MJ_WRITE : 90B260B8
08:47:35:829 5356 IRP_MJ_QUERY_INFORMATION : 81E5EA22
08:47:35:829 5356 IRP_MJ_SET_INFORMATION : 81E5EA22
08:47:35:829 5356 IRP_MJ_QUERY_EA : 81E5EA22
08:47:35:829 5356 IRP_MJ_SET_EA : 81E5EA22
08:47:35:829 5356 IRP_MJ_FLUSH_BUFFERS : 81E5EA22
08:47:35:829 5356 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E5EA22
08:47:35:829 5356 IRP_MJ_SET_VOLUME_INFORMATION : 81E5EA22
08:47:35:829 5356 IRP_MJ_DIRECTORY_CONTROL : 81E5EA22
08:47:35:829 5356 IRP_MJ_FILE_SYSTEM_CONTROL : 81E5EA22
08:47:35:829 5356 IRP_MJ_DEVICE_CONTROL : 90B25BC4
08:47:35:829 5356 IRP_MJ_INTERNAL_DEVICE_CONTROL : 90B197E4
08:47:35:829 5356 IRP_MJ_SHUTDOWN : 81E5EA22
08:47:35:829 5356 IRP_MJ_LOCK_CONTROL : 81E5EA22
08:47:35:829 5356 IRP_MJ_CLEANUP : 81E5EA22
08:47:35:829 5356 IRP_MJ_CREATE_MAILSLOT : 81E5EA22
08:47:35:829 5356 IRP_MJ_QUERY_SECURITY : 81E5EA22
08:47:35:829 5356 IRP_MJ_SET_SECURITY : 81E5EA22
08:47:35:829 5356 IRP_MJ_POWER : 90B2459C
08:47:35:829 5356 IRP_MJ_SYSTEM_CONTROL : 90B217A2
08:47:35:829 5356 IRP_MJ_DEVICE_CHANGE : 81E5EA22
08:47:35:829 5356 IRP_MJ_QUERY_QUOTA : 81E5EA22
08:47:35:829 5356 IRP_MJ_SET_QUOTA : 81E5EA22
08:47:35:845 5356 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:47:35:845 5356
08:47:35:845 5356 Driver Name: atapi
08:47:35:845 5356 IRP_MJ_CREATE : 856F3AC8
08:47:35:845 5356 IRP_MJ_CREATE_NAMED_PIPE : 856F3AC8
08:47:35:845 5356 IRP_MJ_CLOSE : 856F3AC8
08:47:35:845 5356 IRP_MJ_READ : 856F3AC8
08:47:35:845 5356 IRP_MJ_WRITE : 856F3AC8
08:47:35:845 5356 IRP_MJ_QUERY_INFORMATION : 856F3AC8
08:47:35:845 5356 IRP_MJ_SET_INFORMATION : 856F3AC8
08:47:35:845 5356 IRP_MJ_QUERY_EA : 856F3AC8
08:47:35:845 5356 IRP_MJ_SET_EA : 856F3AC8
08:47:35:845 5356 IRP_MJ_FLUSH_BUFFERS : 856F3AC8
08:47:35:845 5356 IRP_MJ_QUERY_VOLUME_INFORMATION : 856F3AC8
08:47:35:845 5356 IRP_MJ_SET_VOLUME_INFORMATION : 856F3AC8
08:47:35:845 5356 IRP_MJ_DIRECTORY_CONTROL : 856F3AC8
08:47:35:845 5356 IRP_MJ_FILE_SYSTEM_CONTROL : 856F3AC8
08:47:35:845 5356 IRP_MJ_DEVICE_CONTROL : 856F3AC8
08:47:35:845 5356 IRP_MJ_INTERNAL_DEVICE_CONTROL : 856F3AC8
08:47:35:845 5356 IRP_MJ_SHUTDOWN : 856F3AC8
08:47:35:845 5356 IRP_MJ_LOCK_CONTROL : 856F3AC8
08:47:35:845 5356 IRP_MJ_CLEANUP : 856F3AC8
08:47:35:845 5356 IRP_MJ_CREATE_MAILSLOT : 856F3AC8
08:47:35:845 5356 IRP_MJ_QUERY_SECURITY : 856F3AC8
08:47:35:845 5356 IRP_MJ_SET_SECURITY : 856F3AC8
08:47:35:845 5356 IRP_MJ_POWER : 856F3AC8
08:47:35:845 5356 IRP_MJ_SYSTEM_CONTROL : 856F3AC8
08:47:35:845 5356 IRP_MJ_DEVICE_CHANGE : 856F3AC8
08:47:35:845 5356 IRP_MJ_QUERY_QUOTA : 856F3AC8
08:47:35:845 5356 IRP_MJ_SET_QUOTA : 856F3AC8
08:47:35:845 5356 Driver "atapi" infected by TDSS rootkit!
08:47:35:860 5356 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
08:47:35:860 5356 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
08:47:35:860 5356 Processing driver file: C:\Windows\system32\drivers\atapi.sys
08:47:41:196 5356 ProcessDirEnumEx: FindFirstFile(C:\Windows\Driver Cache\*) error 3
08:47:41:196 5356 ProcessDirEnumEx: FindFirstFile(C:\Windows\OemDir\*) error 3
08:47:41:196 5356 ProcessDirEnumEx: FindFirstFile(C:\Windows\system32\ReinstallBackups\*) error 3
08:47:41:196 5356 ProcessDirEnumEx: FindFirstFile(C:\Windows\ServicePackFiles\*) error 3
08:47:41:196 5356 ProcessDirEnumEx: FindFirstFile(C:\Windows\system32\dllcache\*) error 3
08:47:41:196 5356 !fdfb7
08:47:41:196 5356 vfvi6
08:47:41:274 5356 dsvbh1
08:47:41:274 5356 Backup copy2 found, using it..
08:47:41:289 5356 will be cured on next reboot
08:47:41:289 5356 Reboot required for cure complete..
08:47:41:289 5356 Cure on reboot scheduled successfully
08:47:41:289 5356
08:47:41:289 5356 Completed
08:47:41:289 5356
08:47:41:289 5356 Results:
08:47:41:289 5356 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
08:47:41:289 5356 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:47:41:289 5356 File objects infected / cured / cured on reboot: 1 / 0 / 1
08:47:41:289 5356
08:47:41:289 5356 fclose_ex: Trying to close file C:\Windows\system32\config\system
08:47:41:289 5356 fclose_ex: Trying to close file C:\Windows\system32\config\software
08:47:41:289 5356 UnloadDriverW: NtUnloadDriver error 1
08:47:41:289 5356 KLMD(ARK) unloaded successfully
 
Ok, I did a search on my computer for more copies of atapi.sys -- there are 6 copies of this file on my computer -- including the two locations that you had me change with your file ...

Would it make sense for me to replace all 6 of these files with the file that you sent?

Thanks,

Liz
 
would it make sense for me to replace all 6 of these files with the file that you sent?
We can try that in a moment, but let's try something else, first.

Please download Sophos Anti-rootkit & save it to your desktop.

IMPORTANT!
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives

  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
 
Ok, all it found was 3 "hidden" files from article collections I've had for ages :( ... I had it remove them because I don't believe I've even looked at the collections in quite some time, and if by some chance I need them, I have a back-up of them.

Here is the log:


Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 4/12/2010 at 11:16:39 AM
User "Liz" on computer "LIZ-LAPTOP"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Liz\Documents\Affiliate Information\100,000 Articles\Business\Read_This_Page__And_I_ll_Show_You_How_To_Make__25_In_Just_7_Minutes__Or_Less___Sitting_At_Home_In_Front_Of_The_Computer..._And_The_Best_Part_Is..._You_Can_Do_It_Over_And_Over_Again__.txt
Hidden: file C:\Users\Liz\Documents\Affiliate Information\Active Niches\Registry Cleaner 10-5\computer-repair\Computers_Technology\Communications\Treo-Gear.com_Offers_the_Palm_Treo_700w_Smartphone_the_First_Verizon_Windows_Mobile_Device_Built_Into_the_Power_of_a_Palm.txt
Hidden: file C:\Users\Liz\Documents\Affiliate Information\Active Niches\Registry Cleaner 10-5\computer-repair\Computers_Technology\Web_Development\Long-Range_Wireless_Phone_Extender__Cost-effective_Rural_Voice_And_Internet_Solution_For_Remote_Area_Home-Based_Biz_Work.txt
Info: Starting disk scan of E: (FAT).
Stopped logging on 4/12/2010 at 12:52:05 PM

Still redirecting ... very mysterious and frustrating ... should I try replacing ALL the atapi.sys files that I found on my computer?

Thanks again for all your time and assistance ...

Liz
 
Those are text files, so they can't be malicious.

Yeah, go ahead and replace all atapi.sys files.
 
Any other tricks I can try .... I was able to replace 4 of the 6 atapi.sys files that my search found; the other 2 it said were in use. They were located in a Windows\winsxs\x86.... folder.

Still, every time I run the tdsskiller.exe scan it says that the atapi.sys that is in windows\system32\drivers is infected ... but how can that be? Unless there is a file somewhere in the boot process that is re-infecting everything?

I've said this before, but I will keep saying it ... I very much appreciate your time and assistance with this.

Is there anything else that you know of that we can try?

Thanks,

Liz
 
Physically disconnect from the internet.
Boot from OTLPE and replace all atapi.sys files with my file.
 
OK, unplugged my router AND booted to OTLPE (the first time I tried to replace all 6 files I had booted to OTLPE but didn't unplug my router) ....

Still can't replace 2 of the atapi.sys files ...

they are located in:
windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.1805_none_df23a1261eab99e8

and
windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c

It says the file is in use and cannot be renamed and then therefore the new file can't be put in its place.

Could those two files be the ones causing the problems? I don't recall them even showing up in any of the other scans.

Liz
 
I doubt it, but let's try another way to replace them.
Keep the computer disconnected from the internet.
Restart computer in Safe Mode.

Using OTM...

  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services
      
:Reg

:Files
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys|C:\atapi.sys /replace
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys|C:\atapi.sys /replace


:Commands
[purity]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Ok, here are the contents of the log... can't tell if it replaced them or not, but I'm still having the redirect problem. Any other thoughts or suggestions?



All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
Unable to replace file: C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys with C:\atapi.sys without a reboot.
Unable to replace file: C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys with C:\atapi.sys without a reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Liz
->Temp folder emptied: 34556109 bytes
->Temporary Internet Files folder emptied: 1163910 bytes
->Java cache emptied: 9059 bytes
->FireFox cache emptied: 48747153 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 905 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 96 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 5190656 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 86.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 04122010_170028
 
OK, new log (no change in status - although I notice the log shows usbstor.sys "verdict 1" which I'm assuming means that file is infected as well? Should that driver be replaced too?)

18:06:01:980 5708 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
18:06:01:980 5708 ================================================================================
18:06:01:980 5708 SystemInfo:

18:06:01:980 5708 OS Version: 6.0.6002 ServicePack: 2.0
18:06:01:980 5708 Product type: Workstation
18:06:01:980 5708 ComputerName: LIZ-LAPTOP
18:06:01:980 5708 UserName: Liz
18:06:01:980 5708 Windows directory: C:\Windows
18:06:01:980 5708 Processor architecture: Intel x86
18:06:01:980 5708 Number of processors: 2
18:06:01:980 5708 Page size: 0x1000
18:06:01:980 5708 Boot type: Normal boot
18:06:01:980 5708 ================================================================================
18:06:01:980 5708 UnloadDriverW: NtUnloadDriver error 2
18:06:01:980 5708 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:06:01:996 5708 wfopen_ex: Trying to open file C:\Windows\system32\config\system
18:06:01:996 5708 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:06:01:996 5708 wfopen_ex: Trying to KLMD file open
18:06:01:996 5708 wfopen_ex: File opened ok (Flags 2)
18:06:02:027 5708 wfopen_ex: Trying to open file C:\Windows\system32\config\software
18:06:02:027 5708 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:06:02:027 5708 wfopen_ex: Trying to KLMD file open
18:06:02:027 5708 wfopen_ex: File opened ok (Flags 2)
18:06:02:027 5708 Initialize success
18:06:02:027 5708
18:06:02:027 5708 Scanning Services ...
18:06:02:901 5708 Raw services enum returned 436 services
18:06:02:901 5708
18:06:02:901 5708 Scanning Kernel memory ...
18:06:02:901 5708 Devices to scan: 2
18:06:02:901 5708
18:06:02:901 5708 Driver Name: USBSTOR
18:06:02:901 5708 IRP_MJ_CREATE : 903CDFC8
18:06:02:901 5708 IRP_MJ_CREATE_NAMED_PIPE : 81E63A22
18:06:02:901 5708 IRP_MJ_CLOSE : 903CE040
18:06:02:901 5708 IRP_MJ_READ : 903CE0B8
18:06:02:901 5708 IRP_MJ_WRITE : 903CE0B8
18:06:02:901 5708 IRP_MJ_QUERY_INFORMATION : 81E63A22
18:06:02:901 5708 IRP_MJ_SET_INFORMATION : 81E63A22
18:06:02:901 5708 IRP_MJ_QUERY_EA : 81E63A22
18:06:02:901 5708 IRP_MJ_SET_EA : 81E63A22
18:06:02:901 5708 IRP_MJ_FLUSH_BUFFERS : 81E63A22
18:06:02:901 5708 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E63A22
18:06:02:901 5708 IRP_MJ_SET_VOLUME_INFORMATION : 81E63A22
18:06:02:901 5708 IRP_MJ_DIRECTORY_CONTROL : 81E63A22
18:06:02:901 5708 IRP_MJ_FILE_SYSTEM_CONTROL : 81E63A22
18:06:02:901 5708 IRP_MJ_DEVICE_CONTROL : 903CDBC4
18:06:02:901 5708 IRP_MJ_INTERNAL_DEVICE_CONTROL : 903C17E4
18:06:02:901 5708 IRP_MJ_SHUTDOWN : 81E63A22
18:06:02:901 5708 IRP_MJ_LOCK_CONTROL : 81E63A22
18:06:02:901 5708 IRP_MJ_CLEANUP : 81E63A22
18:06:02:901 5708 IRP_MJ_CREATE_MAILSLOT : 81E63A22
18:06:02:901 5708 IRP_MJ_QUERY_SECURITY : 81E63A22
18:06:02:901 5708 IRP_MJ_SET_SECURITY : 81E63A22
18:06:02:901 5708 IRP_MJ_POWER : 903CC59C
18:06:02:901 5708 IRP_MJ_SYSTEM_CONTROL : 903C97A2
18:06:02:901 5708 IRP_MJ_DEVICE_CHANGE : 81E63A22
18:06:02:901 5708 IRP_MJ_QUERY_QUOTA : 81E63A22
18:06:02:901 5708 IRP_MJ_SET_QUOTA : 81E63A22
18:06:02:916 5708 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:06:02:916 5708
18:06:02:916 5708 Driver Name: atapi
18:06:02:916 5708 IRP_MJ_CREATE : 8570DAC8
18:06:02:916 5708 IRP_MJ_CREATE_NAMED_PIPE : 8570DAC8
18:06:02:916 5708 IRP_MJ_CLOSE : 8570DAC8
18:06:02:916 5708 IRP_MJ_READ : 8570DAC8
18:06:02:916 5708 IRP_MJ_WRITE : 8570DAC8
18:06:02:916 5708 IRP_MJ_QUERY_INFORMATION : 8570DAC8
18:06:02:916 5708 IRP_MJ_SET_INFORMATION : 8570DAC8
18:06:02:916 5708 IRP_MJ_QUERY_EA : 8570DAC8
18:06:02:916 5708 IRP_MJ_SET_EA : 8570DAC8
18:06:02:916 5708 IRP_MJ_FLUSH_BUFFERS : 8570DAC8
18:06:02:916 5708 IRP_MJ_QUERY_VOLUME_INFORMATION : 8570DAC8
18:06:02:916 5708 IRP_MJ_SET_VOLUME_INFORMATION : 8570DAC8
18:06:02:916 5708 IRP_MJ_DIRECTORY_CONTROL : 8570DAC8
18:06:02:916 5708 IRP_MJ_FILE_SYSTEM_CONTROL : 8570DAC8
18:06:02:916 5708 IRP_MJ_DEVICE_CONTROL : 8570DAC8
18:06:02:916 5708 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8570DAC8
18:06:02:916 5708 IRP_MJ_SHUTDOWN : 8570DAC8
18:06:02:916 5708 IRP_MJ_LOCK_CONTROL : 8570DAC8
18:06:02:916 5708 IRP_MJ_CLEANUP : 8570DAC8
18:06:02:916 5708 IRP_MJ_CREATE_MAILSLOT : 8570DAC8
18:06:02:916 5708 IRP_MJ_QUERY_SECURITY : 8570DAC8
18:06:02:916 5708 IRP_MJ_SET_SECURITY : 8570DAC8
18:06:02:916 5708 IRP_MJ_POWER : 8570DAC8
18:06:02:916 5708 IRP_MJ_SYSTEM_CONTROL : 8570DAC8
18:06:02:916 5708 IRP_MJ_DEVICE_CHANGE : 8570DAC8
18:06:02:916 5708 IRP_MJ_QUERY_QUOTA : 8570DAC8
18:06:02:916 5708 IRP_MJ_SET_QUOTA : 8570DAC8
18:06:02:916 5708 Driver "atapi" infected by TDSS rootkit!
18:06:02:916 5708 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
18:06:02:916 5708 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
18:06:02:916 5708 Processing driver file: C:\Windows\system32\drivers\atapi.sys
18:06:04:913 5708 vfvi6
18:06:04:991 5708 dsvbh1
18:06:07:674 5708 fdfb1
18:06:07:674 5708 Backup copy found, using it..
18:06:07:674 5708 will be cured on next reboot
18:06:07:674 5708 Reboot required for cure complete..
18:06:07:690 5708 Cure on reboot scheduled successfully
18:06:07:690 5708
18:06:07:690 5708 Completed
18:06:07:690 5708
18:06:07:690 5708 Results:
18:06:07:690 5708 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
18:06:07:690 5708 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:06:07:690 5708 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:06:07:690 5708
18:06:07:690 5708 fclose_ex: Trying to close file C:\Windows\system32\config\system
18:06:07:690 5708 fclose_ex: Trying to close file C:\Windows\system32\config\software
18:06:07:690 5708 UnloadDriverW: NtUnloadDriver error 1
18:06:07:690 5708 KLMD(ARK) unloaded successfully
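An added example (not part of this thread or of TDSSKiller) that parses the kernel-memory section of a log like the one above. The sample is a constructed, shortened copy of the posted entries. It shows that "Verdict: 1" is printed for both USBSTOR and atapi in this log, so the signals worth reading are the explicit "infected by TDSS rootkit" line and the dispatch table collapsing to a single address, which the posted atapi entries show.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the kernel-memory section of the
# TDSSKiller log posted above (the real log lists all 28 IRP_MJ entries).
SAMPLE_LOG = r"""
18:06:02:901 5708 Scanning Kernel memory ...
18:06:02:901 5708 Devices to scan: 2
18:06:02:901 5708 Driver Name: USBSTOR
18:06:02:901 5708 IRP_MJ_CREATE : 903CDFC8
18:06:02:901 5708 IRP_MJ_CREATE_NAMED_PIPE : 81E63A22
18:06:02:901 5708 IRP_MJ_CLOSE : 903CE040
18:06:02:901 5708 IRP_MJ_READ : 903CE0B8
18:06:02:901 5708 IRP_MJ_WRITE : 903CE0B8
18:06:02:901 5708 IRP_MJ_DEVICE_CONTROL : 903CDBC4
18:06:02:916 5708 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:06:02:916 5708
18:06:02:916 5708 Driver Name: atapi
18:06:02:916 5708 IRP_MJ_CREATE : 8570DAC8
18:06:02:916 5708 IRP_MJ_CREATE_NAMED_PIPE : 8570DAC8
18:06:02:916 5708 IRP_MJ_CLOSE : 8570DAC8
18:06:02:916 5708 IRP_MJ_READ : 8570DAC8
18:06:02:916 5708 IRP_MJ_WRITE : 8570DAC8
18:06:02:916 5708 IRP_MJ_DEVICE_CONTROL : 8570DAC8
18:06:02:916 5708 Driver "atapi" infected by TDSS rootkit!
18:06:02:916 5708 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
"""

# Every line starts with "<timestamp> <pid> "; the regexes skip that prefix.
DRIVER_RE = re.compile(r"^\S+ \d+ Driver Name: (\S+)$")
IRP_RE = re.compile(r"^\S+ \d+ (IRP_MJ_\w+) : ([0-9A-Fa-f]+)$")
VERDICT_RE = re.compile(r"^\S+ \d+ (.+?) - Verdict: (\d+)$")
INFECTED_RE = re.compile(r'^\S+ \d+ Driver "([^"]+)" infected by TDSS rootkit!$')


def parse_tdsskiller(log_text):
    """Return {driver_name: {irp, file, verdict, infected}} for each scanned driver."""
    drivers = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = DRIVER_RE.match(line)
        if m:
            current = drivers.setdefault(
                m.group(1), {"irp": {}, "file": None, "verdict": None, "infected": False})
            continue
        if current is None:
            continue
        m = IRP_RE.match(line)
        if m:
            current["irp"][m.group(1)] = m.group(2).upper()
            continue
        m = VERDICT_RE.match(line)
        if m:
            current["file"] = m.group(1)
            current["verdict"] = int(m.group(2))
            continue
        m = INFECTED_RE.match(line)
        if m:
            drivers.get(m.group(1), current)["infected"] = True
    return drivers


def assess(drivers):
    """Per driver: the tool's verdict, its explicit infected flag, and how many
    distinct addresses the IRP_MJ dispatch table points to.  A table where every
    major function routes to one address (as atapi does above) is worth a closer
    look; the verdict number alone does not separate the two drivers here."""
    report = {}
    for name, d in drivers.items():
        addrs = Counter(d["irp"].values())
        report[name] = {
            "verdict": d["verdict"],
            "infected": d["infected"],
            "distinct_handlers": len(addrs),
            "single_handler": len(addrs) == 1 and len(d["irp"]) > 1,
        }
    return report


def suspicious(report):
    """Names of drivers either reported infected or with a collapsed dispatch table."""
    return sorted(n for n, r in report.items() if r["infected"] or r["single_handler"])


if __name__ == "__main__":
    rep = assess(parse_tdsskiller(SAMPLE_LOG))
    for name, r in rep.items():
        print(f"{name:8s} verdict={r['verdict']} infected={r['infected']} "
              f"distinct_handlers={r['distinct_handlers']}")
    print("suspicious:", suspicious(rep))
```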
 
Download and save HelpAsst_mebroot_fix.exe to your desktop.
  • Close all open programs.
  • Double click HelpAsst_mebroot_fix.exe to run it.
  • Pay attention to the running tool.
  • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
  • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

    • helpasst -mbrt
  • When it completes, a log will open.
  • Please post the contents of that log.

IMPORTANT!
If the tool does NOT detect any mbr infection and completes, proceed with the following...

  • Click Start>Run and copy and paste the following command, then hit Enter:

    • mbr -f
  • Repeat the above step one more time
  • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
  • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

    • helpasst -mbrt
  • When it completes, a log will open.
  • Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
 
I'd like to see something.
Please, run fresh OTL scan.



  • Double click on OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Sorry, the second time I tried to replace all the atapi.sys files I put your file on my usb thumb drive rather than on the c: drive ... I deleted it after the OTM.exe file move ... didn't even think about it, I was just thinking I would download it again "fresh" if I needed it again ... or use the one I kept on my thumb drive just in case somehow just being on the c: drive was causing the file to get infected or something ....

Probably doesn't make any sense, but I'm just trying to do whatever I can to get the computer back to functioning :) and I appreciate all the help you're providing me.

Liz
 
No big deal :)
We're both a little bit frustrated... hmmmm...

You still have my zipped file on your desktop.
Please, unzip it, copy and paste atapi.sys into C:\ directory.
Then, re-run OTL, using instructions from my reply #69.
I need the scan to see that file so I can compare hash numbers (MD5).
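The hash comparison described here, as an added example that is not part of the thread: it walks a tree for every file named atapi.sys (the thread found six copies), hashes each one and reports which copies differ from a known-good reference. The directory tree, the file bytes and the folder names are constructed stand-ins built in a temp directory; none of them are real drivers or real WinSxS names.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk=1 << 20):
    """MD5 (the hash compared in the thread) and SHA-256 of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def find_copies(root, name="atapi.sys"):
    """Every file under root whose name matches, case-insensitively (Windows names)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def compare_to_reference(root, reference, name="atapi.sys"):
    """Split the copies into those identical to the reference and those that differ.
    Mismatches map path -> MD5 so they can be checked against a vendor-published hash."""
    ref_md5, ref_sha = file_digests(reference)
    result = {"reference_md5": ref_md5, "matches": [], "mismatches": {}}
    for path in find_copies(root, name):
        md5, sha = file_digests(path)
        if md5 == ref_md5 and sha == ref_sha:
            result["matches"].append(path)
        else:
            result["mismatches"][path] = md5
    return result


def build_demo_tree():
    """Constructed stand-in for the six copies: four identical to the clean reference,
    two in winsxs-like folders (the ones the thread could not replace) altered."""
    root = tempfile.mkdtemp(prefix="atapi_demo_")
    clean = b"MZ" + b"\x00" * 500 + b"constructed clean driver body"  # not a real driver
    patched = clean + b"\xde\xad"  # constructed: differs from the reference by two bytes
    layout = {
        r"Windows\System32\drivers": clean,
        r"Windows\erdnt\cache": clean,
        r"Windows\backup_demo_1": clean,
        r"Windows\backup_demo_2": clean,
        r"Windows\winsxs\x86_mshdc_demo_6.0.6002": patched,
        r"Windows\winsxs\x86_mshdc_demo_6.0.6001": patched,
    }
    for rel, body in layout.items():
        folder = os.path.join(root, *rel.split("\\"))
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "atapi.sys"), "wb") as f:
            f.write(body)
    reference = os.path.join(root, "reference_atapi.sys")  # the known-good copy
    with open(reference, "wb") as f:
        f.write(clean)
    return root, reference


if __name__ == "__main__":
    demo_root, ref = build_demo_tree()
    report = compare_to_reference(demo_root, ref)
    print("reference MD5:", report["reference_md5"])
    for p in report["matches"]:
        print("OK      ", p)
    for p, h in report["mismatches"].items():
        print("DIFFERS ", p, h)
```

Run such a comparison from an offline boot environment, as the thread does with OTLPE: a rootkit that has hooked the disk driver's dispatch table can hand the original bytes back to anything reading the file on the live system, so live-system hashes of the infected file are not trustworthy.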
 
Yeah, it looks like we're dealing with the newest version of TDSS rootkit.
I just found out more about it today.
There are some test fixes ready, so hopefully we can do something about it.

In addition to my previous instructions...

Delete any GMER file, if you have one.

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

I'll be back here tomorrow evening (PST)
 
Alright, I am not sure what is going on ... but I've run OTL.exe several times (deleted the .exe file and then re-downloaded it again) and I CANNOT get the extras.txt file! I didn't change any settings and I didn't pay enough attention to the settings when I did get the extras.txt file to notice if there was any difference. I have shut down and restarted and run it to try to get the extras.txt file and I can't seem to get it.

But, attached is otl.txt.

Will follow the next instructions shortly.

Liz
 

Attachment: OTL.Txt (90.2 KB)