If you do have a Gen 3 rootkit, and you continue to fool with it, you may actually manage to remove the infected file. If that happens, you will no longer be able to access your computer.
In your IE go to tools> Internet Options>History>delete
In FF go to tools>clear recent history>all
For prefetch go to My Computer>C:>Windows>prefetch. These files let your computer find things faster, but it won't hurt anything to get rid of them. They will rebuild. Leave the boot folder be.
For temp files go to My Computer>C:>Windows>Temp. Delete what you can. Not all of them will delete, probably.
Doing that won't hurt anything.
I don't think it shows on GMER but if you want to try it: Scan only!
After it is downloaded to your desktop, right click on the icon, run as admin. Uncheck all but services, history and files. It may cause a blue screen. If so, try again in safe mode. You will need to save the log to Notepad.
Message Edited by delphinium on 12-08-2009 08:37 PM
Delphinium, I don't see "history" as an option in GMER. It has System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries, Services, Registry and Files.
Good morning Uncle Willie. I'm glad to see you are still with us. I would ask you to do one little thing. When you have the laptop back, go into the computer pane>settings> scroll down to Exclusions >configure and add atapi.sys to both the scan exclusions and to auto protect exclusions.
Unfortunately, the GMER mention of atapi.sys pretty much confirms that you do have a rootkit active on that machine. If your wife is still using the laptop, it is extremely insecure. There should be no banking done, or credit card purchases, or sensitive information transmitted. You will need to change all passwords for this type of usage.
Oracles have long been noted as the bearers of bad news.
I will give you the names of a couple of malware removal sites, where they have the tools and know-how to assist you in the safe removal. Save all of the data that is important on the laptop, first thing. The removal is a risky business.
When you go to these sites for help, please remember to ask any questions you have before you try a process or scan that they tell you to do. It is always better to ask to clarify something than to wait till after when it may be too late. Good luck.
Delphinium, My wife drove to the office with the scan still running, but I did not have "registry" checked. Good thing I got her that new heavy duty battery! As soon as I saw the strange pop-ups I told her no banking or credit card transactions. I will also check those removal sites. I didn't quite understand "computer pane>settings> scroll down to Exclusions >configure and add atapi.sys to both the scan exclusions and to auto protect exclusions." Is that from inside NIS? Thanks.
I will ask her to rescan with "registry" checked. FWIW, here is the output of the GMER scan with services, system and files chosen:
Plankton, For #2, My wife's PC was running McAfee when it got infected, not NIS. NIS was installed after the fact to try to fix the problem. So that question would have to go to a McAfee board. :) Although it is disappointing that Norton can't detect it after the fact. :(
Just for info. Antivirus software is extremely sticky. It has to be that way. So if you just removed McAfee from the computer using Add/Remove, you would not have removed it completely. Each antivirus has its own removal tool. That kind of thing interferes with the correct operation of the newly installed antivirus, no matter whose it is.
Second, rootkits come with their own list of antivirus names and sites to block. This prevents many products from accessing updates, their own websites, and prevents you from accessing, downloading and running products that could interfere with the rootkit.
Thirdly, downloading an antivirus into a severely infected machine, corrupts the installation, and prevents it from doing what it is supposed to do. So try not to think too badly of Norton, it never had a chance.
The 2010 antivirus engines have cut down the number of rootkit infections to almost nothing on this forum. The problem is that the malware writers have had to get more creative in their bid to infect machines. The malware always comes out first. Once it is discovered, Symantec takes it apart and writes changes into their product to block the attacks. Then it begins again. This is very sophisticated malware, frequently acquired by a careless click of the mouse in the wrong place.
Sorry, yes. The settings are in the main screen for Norton. The top pane is the computer, settings you will find on the right side.
Message Edited by delphinium on 12-09-2009 09:37 AM
Gen 3 and GMER: if GMER is able to show it, it should show up for one in the "Devices" section, so there is no point in just scanning "Services", "Registry", etc.
UncleWillie stated further up: "Getting ready to run GMER. When it starts up, it lists a file c:\WINDOWS\system32\drivers\atapi.sys suspicious modification". Which sounds like Gen3 (TDL3); that's why it has, in this case luckily enough, appeared.
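An added example, not posted by anyone in this thread and not GMER's own output: since the thread's diagnosis rests on GMER flagging c:\WINDOWS\system32\drivers\atapi.sys as modified, a practitioner would want a second, independent look at that file. The script below hashes the loaded copy of the driver and compares it with the backup copies Windows XP keeps (dllcache and the service-pack source folder), and reports the Authenticode status. Assumptions: the infected install is mounted offline at D: from a WinPE or recovery boot (the D: drive letter, the $Root parameter and the candidate paths are my choices, not from the thread), and the PE environment has PowerShell 4 or later for Get-FileHash. Running it from the infected Windows itself is pointless: a TDL3-class rootkit filters disk I/O and can hand back a clean-looking copy of the very file it patched, which is also why the on-line scans in this thread kept coming up empty.

```powershell
# Added example: offline integrity check of the driver GMER flagged.
# Not from any poster in this thread. D:\WINDOWS and the candidate
# paths below are assumptions; adjust to where the infected install
# is mounted in your WinPE/recovery session.
param(
    [string]$Root   = 'D:\WINDOWS',   # assumed offline mount of the infected install
    [string]$Driver = 'atapi.sys'
)

# The copy that loads at boot, followed by the backup copies XP keeps.
$candidates = @(
    (Join-Path $Root "system32\drivers\$Driver"),
    (Join-Path $Root "system32\dllcache\$Driver"),        # WFP cache, if present
    (Join-Path $Root "ServicePackFiles\i386\$Driver")     # SP source copy, if present
) | Where-Object { Test-Path $_ }

if (-not $candidates) {
    Write-Warning "No copies of $Driver found under $Root (is the disk mounted there?)"
    return
}

$report = foreach ($path in $candidates) {
    $item = Get-Item $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path      = $path
        Bytes     = $item.Length
        Modified  = $item.LastWriteTimeUtc
        SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        # Catalog-signed XP drivers usually show NotSigned here even when clean,
        # so treat this column as a hint, not a verdict; the hash comparison is the check.
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

$report | Format-List

# Any difference between the loaded driver and a backup copy means the
# file on disk was altered after installation: exactly what GMER reported.
$loaded  = $report | Where-Object { $_.Path -like '*\system32\drivers\*' }
$backups = $report | Where-Object { $_.Path -notlike '*\system32\drivers\*' }
foreach ($b in $backups) {
    if ($loaded -and $b.SHA256 -ne $loaded.SHA256) {
        Write-Warning ("MISMATCH: {0} ({1} bytes) differs from {2} ({3} bytes)" -f
            $loaded.Path, $loaded.Bytes, $b.Path, $b.Bytes)
    }
}
if (-not $backups) {
    Write-Warning "No backup copy to compare against; compare the SHA256 above with a clean install of the same service pack."
}
```

Save the SHA256 of the loaded copy before any removal attempt; it is the one artifact that lets you confirm afterwards that the driver really was replaced rather than merely re-hidden.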
2) Thankfully access to the Norton website has not been blocked and it was able to download updates.
3) True, but I also tried booting from the CD, downloading updates and running a scan. That didn't find anything either.
Microsoft released a bunch of drive-by security updates today, including a modified version of MRT.exe. Unfortunately they came a couple of weeks too late for my wife's laptop.
Maybe I am a cynic, but I don't believe there will ever be anything developed that some other individual can not find holes to take advantage of. There will always be browser vulnerabilities, program vulnerabilities, and errors in judgment.
Security is composed of patching software vulnerabilities, such as in Java, MS Office, Windows, Adobe, and a multitude of others. It also depends on the things we do, such as P2P, file sharing, torrents, Facebook, etc. The more popular the site, the more likely malware will be inserted. There is no point in placing your malware in a place where nobody goes.
Doubling up on real-time antivirus scanners is problematic, and many of the rootkit infections we have seen here were on machines with more than one active antivirus engine.
In the end, no matter how careful and prudent we are, sooner or later, we will get infected. It is good to know what to do about it and where to go for help. Malware is now a fact of internet usage and as unavoidable as death and taxes.
We are forced to deal with the indications of these infections. If you read the articles provided by Voyager 10, and Quads's posts, it will help you. It is simply one of the files that the rootkit over-writes. It is not necessarily the only one, but if you notice, the OP did say that it showed in GMER.