Common Redirect at search engine malware present

(OP)
Greetings,

I googled the internet for this problem where google searches are redirected.

One user recommended downloading the TDSSKiller program.

I ran it, and it reported the following:-

 Scanning        Kernel memory ...
Driver "atapi" infected by TDSS rootkit!
File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... cure failed

Completed

Results:
Memory objects infected / cured / cured on reboot:      1 / 0 / 0
Registry objects infected / cured / cured on reboot:    0 / 0 / 0
File objects infected / cured / cured on reboot:        1 / 0 / 0

As this failed, I read further and downloaded the combofix program and ultimately ran MBR.exe -f and fixmbr from the console recovery window.

I then re-ran MBR.exe from the command prompt for diagnosis:-

The logfile of MBR shows the following:-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0FFFAC44
malicious code @ sector 0x0FFFAC47 !
PE file found in sector at 0x0FFFAC5D !

I have Malwarebytes running, which is blocking IP addresses all over the place, and from the logfile above it seems I still have a problem.

Can anyone please assist?

I hope I have included all the details; it's 1:35am where I am, so I hope it makes some kind of sense (I battled with it all day and night).

Next time I won't be so eager to just download and run fix-it programs.

Thanks
Rob

RE: Common Redirect at search engine malware present

(OP)
I forgot to mention I'm running Windows XP Professional SP3

RE: Common Redirect at search engine malware present

For TDSS Rootkit infection you'll need to delete the existing ATAPI.SYS file and replace it with a clean copy.

ROGER - G0AOZ.
 

RE: Common Redirect at search engine malware present

(OP)
Thanks for the reply.

I don't have the original Windows CD. What is the best method to replace ATAPI.SYS (as I imagine it is a protected file)?

RE: Common Redirect at search engine malware present

(OP)
Replaced and all looks to be ok, thank you very much for the advice.

I am a happier man :)

RE: Common Redirect at search engine malware present

(OP)
Ok I haven't got rid of the problem.

I DID replace the ATAPI.SYS in WINDOWS/system32/, which I can see by the new time stamp (copied it from another PC with Windows XP installed).

I then re-ran combofix and copied the recognised problem area:-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5BDAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xba605bb0
 PacketIndicateHandler -> NDIS.sys @ 0xba612a21
 SendHandler -> NDIS.sys @ 0xba5f087b
user & kernel MBR OK
copy of MBR has been found in sector 0x0FFFAC44
malicious code @ sector 0x0FFFAC47 !
PE file found in sector at 0x0FFFAC5D


I'm not sure what action now to take, any advice welcome.

Thanks
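
As an added example (not from this thread, and not part of Gmer's tool), a small Python script that pulls the indicators out of a Gmer MBR detector log like the one pasted above: driver hooks, the unnamed kernel module, and the sectors holding the MBR copy and the malicious code. The point it makes is that "user & kernel MBR OK" on its own is not an all-clear. The sample log is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample modelled on the Gmer MBR detector output quoted in this thread;
# it is not the poster's full log.
SAMPLE_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys hal.dll >>UNKNOWN [0x8A5BDAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xba90cf28
\\Driver\\atapi -> atapi.sys @ 0xba711852
user & kernel MBR OK
copy of MBR has been found in sector 0x0FFFAC44
malicious code @ sector 0x0FFFAC47 !
PE file found in sector at 0x0FFFAC5D
"""

HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (\S+) @ (0x[0-9A-Fa-f]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
SECTOR_RE = re.compile(
    r"^(copy of MBR has been found in sector|malicious code @ sector|"
    r"PE file found in sector at) (0x[0-9A-Fa-f]+)")

def triage_mbr_log(text):
    """Pull the indicators that matter out of a Gmer MBR detector log."""
    f = {"mbr_ok": False, "hooks": [], "unknown_modules": [], "sectors": {}}
    for line in text.splitlines():
        line = line.strip()
        if line == "user & kernel MBR OK":
            f["mbr_ok"] = True          # sector 0 reads the same from user and kernel mode
        m = HOOK_RE.match(line)
        if m:                           # a driver's dispatch routine points into another module
            f["hooks"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        f["unknown_modules"] += [int(x, 16) for x in UNKNOWN_RE.findall(line)]
        m = SECTOR_RE.match(line)
        if m:                           # original MBR backup and payload parked in unused sectors
            f["sectors"][m.group(1)] = int(m.group(2), 16)
    return f

def still_infected(f):
    """A clean sector 0 is not an all-clear: hooks, an unnamed kernel module or
    malicious code in spare sectors mean the bootkit is still resident."""
    return bool(f["hooks"] or f["unknown_modules"]
                or "malicious code @ sector" in f["sectors"])
```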

RE: Common Redirect at search engine malware present

Download:

HiJackThis
http://free.antivirus.com/hijackthis/

run a scan with log (do not fix anything yet) and paste that log here for our discernment...

Download:

MBAM - MalwareBytes AntiMalware
http://www.malwarebytes.org/mbam.php

SuperAntiSpyware
http://www.superantispyware.com/

Free editions of both should suffice, then run a complete scan with both and delete anything they find...

you may also post another HJT Log for comparison...


report back...

PS: should MBAM not install, then rename the EXE to something else, e.g. MBAM.EXE to 123test.exe

as there are malware out there that check certain filenames and kill these before they can be installed...

 

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

RE: Common Redirect at search engine malware present

(OP)
I've been running a complete scan with Dr.Web CureIt (started before reading your reply to the thread) on my only hard drive (120GB) and it's almost done.

Once it's complete I will reboot and carry out your instructions, thanks for the support :)

 

RE: Common Redirect at search engine malware present

(OP)
Unable to copy and paste the log file content as the site continuously times out (after several reboots and multiple attempts to post).

Attached are the hijackthis.log files, both PRE and POST scans using Malwarebytes (already had this installed) and SuperAntiSpyware as requested.

Thanks for the help again.

 

RE: Common Redirect at search engine malware present

Ok, HJT log looks clean, except for the following which you should fix using HJT:

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

Then think about both the Messenger (Microsoft) and Google Taskbar, are they needed? if the answer is "NO, they are not needed." then get rid of them also...

after that is done, grab your XP CD, insert it into the CD ROM, go and open up a Command line Interface (START >> RUN >> type CMD and hit ENTER), there type the following commands:

1. netsh winsock reset
(this resets the Winsocks which may be needed)

2. SFC /SCANNOW
(this is where the XP CD is needed)



report back...
 

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

RE: Common Redirect at search engine malware present

(OP)
Thanks for the reply, I will carry out those actions in HJT.

I don't have an XP CD.

I installed combofix which did install the windows recovery console if this is of some help.

RE: Common Redirect at search engine malware present

(OP)
I phoned a friend and utilised his xp cd and ran SFC /SCANNOW (after running netsh winsock reset).

It carried out the SFC /SCANNOW without problems.

I rebooted the PC, and Malwarebytes is still blocking malicious IP addresses when I search in Google and click a link.

The TDSSKiller.exe still identifies Atapi.sys as being infected in memory (it can be cured it says) but after reboot it recognises the file is still infected.

I took an Atapi.sys from another PC which shows a new datestamp and definitely isn't affected, so I'm curious how it believes it's infected.

Thanks for helping me out.
 

RE: Common Redirect at search engine malware present

(OP)
Atapi.sys is reported as clean using
http://virusscan.jotti.org/

Which checks against all the big name scanners.

RE: Common Redirect at search engine malware present

[quote]when I search in google and click a link is still blocking malicious IP addresses.[/quote]
That sounds good... I mean if it is blocking MALICIOUS IP's...

check your HOSTS file, located at C:\WINDOWS\system32\drivers\etc, it should only have one entry (unless you used S&D and/or SpywareBlaster), and that should be:

127.0.0.1    localhost

as to why TDSSKiller is stating that ATAPI.SYS is infected, it could be reporting it as a false positive...




 

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
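
As an added example (not from this thread or any of the tools named in it), a Python script that does the HOSTS file check Ben describes: it reads the file's text, ignores comments, and flags every mapping other than 127.0.0.1 localhost, separating names blackholed to loopback (which S&D or SpywareBlaster may add on purpose) from names sent to some other address, which is the search-redirect pattern this thread is about. The sample file contents and the 203.0.113.5 address are constructed.

```python
# Constructed sample modelled on a tampered Windows XP HOSTS file
# (C:\WINDOWS\system32\drivers\etc\hosts); it is not from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.some-av-vendor.example   # vendor site blackholed
203.0.113.5     www.google.com               # search traffic sent elsewhere
"""

# The one line the thread says should be there; S&D / SpywareBlaster add more
# 127.0.0.1 lines deliberately, so extend this set if you use them.
EXPECTED = {("127.0.0.1", "localhost")}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def audit_hosts(text, expected=EXPECTED):
    """Return (blackholed, redirected): unexpected names pointed at loopback,
    and names pointed at some other address entirely."""
    blackholed, redirected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not entry:
            continue
        ip, *names = entry.split()
        for name in names:
            if (ip, name) in expected:
                continue
            if ip in LOOPBACK:
                blackholed.append((lineno, name))       # update/AV sites silently unreachable
            else:
                redirected.append((lineno, name, ip))   # the classic search-redirect trick
    return blackholed, redirected
```

To run it against a real machine, read the file named above into `text` instead of `SAMPLE_HOSTS`; anything in the redirected list is worth removing and investigating.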

RE: Common Redirect at search engine malware present

(OP)
The latest version of combofix.exe released on 18/04/2010 deleted some files and replaced the atapi.sys file successfully.

TDSSKiller now does NOT detect a problem with atapi.sys and malwarebytes is not blocking IP addresses every few minutes.

Thanks for all the help, I downloaded and ran so many TDSS rootkit killers it would be complicated to document exactly what I did in what order!

So if anyone has a problem with google re-directs I recommend downloading combofix.exe to remove the problem and malwarebytes to prevent it happening again.

Fingers crossed the nightmare is over :)
 
