mijcar, as I posted previously, when GMER starts up, it displays a few lines including this:
c:\WINDOWS\system32\drivers\atapi.sys suspiscious modification
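As an added example, not code from any poster in this thread: when a scanner reports a driver such as atapi.sys as modified, the useful next step is to compare the on-disk file section by section against a known-clean copy of the same build (assumed here to come from the install media or the dllcache; that source is an assumption). The script parses the PE headers, hashes each section, and reports which sections differ and whether the entry point moved. The two images it compares are constructed in the script for demonstration and are not real drivers. One caveat that matters for this thread: an active TDL3 filters disk reads and can hand the running system a clean-looking copy of the driver it infected, so hash the file from offline boot media or a mounted image, not from inside the infected Windows.

```python
"""Compare a suspect Windows driver (e.g. atapi.sys) against a known-clean copy
section by section, so a "suspicious modification" report can be pinned to the
part of the file that changed.  Caveat: an active TDL3 filters disk reads and
can serve the running OS a clean-looking image, so read the file from offline
boot media or a mounted image, not from the infected system.  The reference
copy is an assumption: the same driver build from install media or dllcache."""
import hashlib
import struct

FILE_ALIGN = 0x200
PE32_OPT_SIZE = 224


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [(name, raw_offset, raw_size, sha256)])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    sec = opt + opt_size                      # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = image[sec + 40 * i: sec + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)
        digest = hashlib.sha256(image[raw_off:raw_off + raw_size]).hexdigest()
        sections.append((name, raw_off, raw_size, digest))
    return entry, sections


def compare_driver(reference: bytes, suspect: bytes) -> dict:
    """Report which sections of `suspect` differ from `reference`."""
    ref_entry, ref_secs = parse_sections(reference)
    sus_entry, sus_secs = parse_sections(suspect)
    sus_by_name = {s[0]: s for s in sus_secs}
    findings = {
        "same_size": len(reference) == len(suspect),
        "entry_point_changed": ref_entry != sus_entry,
        "modified_sections": [],
        "missing_sections": [],
    }
    for name, _off, _size, digest in ref_secs:
        s = sus_by_name.get(name)
        if s is None:
            findings["missing_sections"].append(name)
        elif s[3] != digest:
            findings["modified_sections"].append(name)
    findings["clean"] = not (findings["entry_point_changed"]
                             or findings["modified_sections"]
                             or findings["missing_sections"])
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image for the demo; not a real driver."""
    hdr_len = 0x40 + 4 + 20 + PE32_OPT_SIZE + 40 * len(sections)
    hdr_len = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN      # round up to alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, PE32_OPT_SIZE, 0x102)
    opt = bytearray(PE32_OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    hdrs, body, off, rva = b"", b"", hdr_len, 0x1000
    for name, data in sections:
        raw = data + b"\0" * (-len(data) % FILE_ALIGN)
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), rva,
                            len(raw), off, 0, 0, 0, 0, 0x60000020)
        body += raw
        off += len(raw)
        rva += max(len(raw), 0x1000)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return header + b"\0" * (hdr_len - len(header)) + body


# Constructed sample (assumption, not a real infection): the "infected" copy
# keeps the same file size, but its resource section is overwritten and the
# entry point now points into it.  Same-size, one-section patches are exactly
# what a whole-file size check misses and a per-section hash catches.
CLEAN = build_pe([(b".text", b"\x90" * 64 + b"\xc3"), (b".rsrc", b"RES" * 40)], 0x1000)
INFECTED = build_pe([(b".text", b"\x90" * 64 + b"\xc3"), (b".rsrc", b"X" * 120)], 0x2000)

if __name__ == "__main__":
    print(compare_driver(CLEAN, INFECTED))
```

Running the script prints the findings for the constructed pair: the file size is unchanged, the entry point moved, and only `.rsrc` differs. On a real machine you would call `compare_driver` on the bytes of the reference driver and of the copy read from the offline disk; a clean result from inside the running OS proves nothing if the rootkit is active.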
Hi Mijcar:
For those of us who do not know or understand the complexities of GMER, SysProt, or Rootrepeal, the best we can hope for is the recognition of the one item that is either indicated as a problem, or is in a place it should not be. Uncle Willie was kind enough to share with us the following info:
Getting ready to run GMER. When it starts up, it lists a ble c:\WINDOWS\system32\drivers\atapi.sys suspiscious modification
delphinium wrote:Hi Mijcar:
Getting ready to run GMER. When it starts up, it lists a ble c:\WINDOWS\system32\drivers\atapi.sys suspiscious modification
Ahhhh. And here I thought it was the spelling of "suspicious" itself that was suspiciously modified. :-)
Hi mij
I think that was a typo when Uncle Willie typed what it said at the start of the scan.
Yes, my fault. I was copying from my wife’s laptop to mine, and I didn’t use the spell checker.
GMER Registry scan turned up nothing.
I just tried to do a Windows Update, hoping some of the MS security fixes would help. I got an error message that "Files required to use Windows Update are no longer registered or installed on your computer. To continue:
1) Register or reinstall the files for me now (recommended)
2) Let me read about more steps that might be required to solve the problem."
When I select #1) I get 403 forbidden: "Access is denied. You do not have permission to view this directory or page using the credentials that you supplied." The second option just lets me search by typing in keywords.
Gen 3 (TDL3) does not show in the registry.
How are Windows updates supposed to fix TDL3 ???
Quads
Quads, one of the updates was a new version of MRT.exe. That is the Microsoft malware removal tool. Are you saying that MRT is not able to handle TDL3?
That would be correct; the MRT does not handle TDL3.
Even if I get rid of the rootkit, if I can’t get Windows Updates anymore, I am hosed, no? I am getting ready to punt and reinstall the OS. Too bad the laptop didn’t come with the Windows DVD.
UncleWillie:
Those two links I gave you to malware removal sites are the only thing you can do short of cleaning off the hard drive (reformat) and starting over. You need a specialist in malware removal, and the specialized tools and programs necessary. When I say bad news, I really meant it.
Delphium, I am on the phone with Microsoft Live right now. We’ll see if they can help. They say they are having a high call volume due to scareware infections.
I have been having a look in case something new in developments has appeared. I can't find anything on the fact that MRT removes TDL3.
Quads
Just finished running Microsoft Live Scan from Safe Mode as instructed by the Microsoft Live support desk. It found Real VNC remote control software on the laptop. Scary, but not surprising.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatId=7480
That software is not a problem. Some AV and spyware products detect remote assistance / access software as a precaution.
Quads
Now the Microsoft tech is remotely running malware detection software from www.norman.com. Not sure what it will find that the 10 other scans didn't...
Bill
UncleWillie wrote:Now the Microsoft tech is remotely running malware detection software from www.norman.com. Not sure what it will find that the 10 other scans didn't...
Bill
I'm not surprised at that considering what it looks like you have.
Quads
The Microsoft tech was able to get the browser hijacking to stop. I'm not sure exactly what all he did. It had something to do with the Winsock catalog.
Windows Update is still not working, but he says that is a different issue and he opened a new case number.
Willie
Do you not get it about the TDL3 and atapi.sys??
Quads
Perhaps this will explain your issue more clearly.
http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html