Hi all. I was wondering if you could help me out!

I ran a scan with Avast and my computer started to behave erratically. Text on Avast, my desktop icon names and startmenu also started to vanish when my mouse was near them. I stopped the scan half an hour into it (the scan seemed freakishly slow … as slow as 512k a second at times), wondering what the problem was and noticed that the scan had found 181 “Threat:Rootkit: system modification” warnings in the C:\Windows folder.

I let Avast delete these threats, and Avast gave me a message “Action postponed until the next …” beside each threat. As I closed Avast down, Avast advised me to start a bootscan, which I agreed to. However, upon restart instead of a bootscan Windows started a CHDSK scan, claiming my C drive was dirty. I assumed this was a legit Windows action, and not a malicious action done by the rootkit infection. Anyhow, the CHDSK scan finished and Windows restarted without the Avast bootscan starting up. I set a bootscan and restarted the computer again. This time the bootscan started and completed with no infections found…

To make sure there really was no problem, I went into safe mode and ran Avast. Incidentally, I noticed all the shield controls were off in safe mode. Is this normal? I started a full scan anyway. Nothing found.

Starting up Windows normally, I ran a quickscan in Avast. Nothing found. Then I ran a full scan again. The same erratic Windows behaviour occurred during the scan, with over 100 rootkit threats found, text in apps/desktop icons and the startmenu vanishing and slow disk activity.

Other weird Windows behaviour I’ve observed include:

• When I checked on the properties of some folders during the scan, the properties window would often be blackened out, the text barely visible.
• Folder windows often not responding and when they do they leave afterimages in other folder windows underneath them.
• when I looking at a .txt file in notepad I could not save any amendments I made. Instead I was variously given strange messages about there not being “enough resources to save” or the filename being incorrect and not being able to “save to diskette.” That last one surely wasn’t even a regular Windows warning!
• Couldn’t even get taskmanager up.
• Opening some other applications would result in a warning about the program not being supported or a “The application failed to initialize properly (0xc000012d). Click on OK to terminate the application” warning.
• Starting up Spybot, Windows gave me a warning that it had been modified. I shut it down just in case.
• I ran a full scan in Superantispyware and Windows went crazy in exactly the same way as when I ran an Avast full scan.
• Avast or Superantispyware stop responding if I stopva scan. Trying to close them down, I get a message claiming that the system has locked them.
• Copying large amounts of data is slower than normal. The estimated time left is often wildly exaggerated. For example, copying 8 gigs might take half hour, but the estimated time of completion can be 153 minutes.

Link to photos taken of some of the weird behaviour of my computer: http://www.flickr.com/photos/26212832@N07/sets/72157627678912456/

One last note: my machine seems to act normally when not full scanning with Avast or Superantispyware. On the web or playing games for example, all seems normal. The only exception to this is when I am copying files, where disk activity is really sluggish.

I read through the guide on dealing with malware from http://forum.avast.com/index.php?PHPSESSID=qor44h76enf9l50c5nva0jp6b2&topic=53253.0 and have done the scans with the programs suggested.

I already had Malwarebytes Anti-Malware on my computer, so I ran quickscan with it and had no problems. It didn’t seem to turn up any threats. Whether that means the rookit has managed to hide itself from MBAM’s scan, I don’t know. Nonetheless I have attached the log on the offchance any of the you can glean any clues from it.

I’ll be grateful for any help. Thanks!

your malwarebytes was not updated before you did the scan

Essexboy is notified…he is usually in here around 08:00pm - 11:59pm UK time

from what i can see of the fotos it looks as the detection is in a windows update file KB927891 ??? is that correct ?

http://www.microsoft.com/download/en/details.aspx?id=6458

There seems to a problem detected in several Windows updates. And the two Avast images I have taken were only the tip of the iceberg.

Never thought of checking what Windows updates were affected. Just checked kb927802 and kb927779. They both recieved updates due to security issues.

Here’s the updated mbam scan you mentioned. Thanks for the heads up.

Atapi is not showing a company name and is locked, that is not normal so I would like to jump straight to a stronger tool first

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Thanks guys.

My computer probably hasn’t been online for something like two weeks until yesterday, so I updated my antispyware and updates to Windows XP. To my surprise, my computer seemed to work fine after that. Mysteriously, even Superantisypware worked mostly normally whilst running a full scan (all it found was one measly cookie). I also ran a full Avast scan for 40 minutes, and that didn’t pick up any of the previous infections. In both cases, the Superantisypware and Avast scans seemed normal, with no vanishing text or slow disk activity or unresponsive programs. However, after the incredibly erratic behaviour I’ve seen over the past couple of weeks, that just makes me more suspicious than relieved.

The one unusual thing that did occur was during the Superantisypware scan, when a window popped up and asked to connect to the internet (I was offline at the time). There was nothing unusual about the window itself, it being the regular window that pops up whenever something requests a net connection, however I was not running any other program at the time, and the scan appeared to grind to a halt when it was onscreen. The scan only restarted when I closed the window down via taskmanager. Not sure if that event was something or anything at all.

Anyway, I’ve run Combofix. It deleted a few things, but my computer seems to be running fine.

Please find the log attached.

Although Combofix could not determine if Atapi was infected it also failed to find an MD5 and company name so I feel it would be prudent to switch it

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy:: c:\windows\ServicePackFiles\i386\atapi.sys|c:\windows\system32\drivers\atapi.sys

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

No problem, here you go.

OK I am happy with that - any problems remaining ?

No, I think we covered everything. Does my computer seem to be in the clear now?

I’m still confused where all those problems went though … I mean, as soon as I updated my antispyware and XP installed some updates yesterday the problems seemed to vanish, literally, without anything being deleted/removed.

Could you explain what you think were or are the problems with my computer, as I am really baffled! :-[

Thanks!

It may have just been the corruption of the Atapi file as that could cause weird results. Basically it was just minor adware found

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[]Follow the prompts on the screen
[]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
[] Go to this site and click Do I have Java
[] It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe

Done, done and done. Just about everything seems fine now, thanks! I’ve got just one minor query for you (not even sure if I should be asking it here or one of the other forums), but since cleaning everything up with Combofix and OTL yesterday I’ve noticed that Avast no longer appears in the icon tray automatically unless I start it up manually. I checked the basic settings, and the option to have it showing in the icon tray is definitely ticked as on. Any suggestions?

Run a repair on Avast that should clear that problem