Jump to content

Atapi.sys infection? Start of Problems???


nowayout
 Share

Recommended Posts

I do not know with what problem I should start with first. About a week ago, whenever I did a search with a internet browser, I was always sent to some unrelated sites. With this happening - I knew somehow I had caught something in my system. Tried to do a scan with Mbam and it only would run for a few seconds and then "not respond". Before any of these problems accured was able to do scans in normal mode in as little as 6 minutes. Did a scan with my AVG and it found all sorts of things. Did a little research and found out that the same problem had been happening to others. Downloaded Hitman Pro 3.5.4 looking for a atapi.sys problem? Ran a scan after I able to download it and sure enough it found something. Problem solved?? Tried to run mbam and it would only run for a few seconds to a few minutes, still "not responding." Finally downloaded Dr. Web Cureit to try and help. No luck. Uninstalled Dr. Web. No luck. Did a "clean-uninstall" of mbam 1.32 , reinstalled 1.44 - uninstalled AVG 8.0, reinstalled AVG 9.0. Installed Avira AntiVir. Still not able to run Mbam in normal mode. Am able to do a quick scan in safe mode in about 10 minutes - nothing found. Have tried to restore system from a previous date. Guessed it - no luck. Still feel sick!! Have now noticed the Microsoft Security settings are somehow not activated any longer. Do not know what else I can do. Any help would be truly appreciated. Thanks.

Link to post
Share on other sites

Hi nowayout,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Link to post
Share on other sites

Hi nowayout,

Uninstalled Dr. Web. No luck. Did a "clean-uninstall" of mbam 1.32 , reinstalled 1.44 - uninstalled AVG 8.0, reinstalled AVG 9.0. Installed Avira AntiVir

Before we continue please ensure that you have only one antivirus program installed, uninstall any others.

Rkill

Please download Rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • A notepad windows will open, please post the contents in your next reply
  • This log can also be found at C:\rkill.log
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

    [*]Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE

Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log and rkill.log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Link to post
Share on other sites

Thank you, thank you, deltalima for helping me with my problems.

I have run all of the routines that you requested and I have included them in this response. I have been able to run all of them in normal mode. However, the first time that I ran the gmer one - my system did not respond after a few hours - then ran it in "safe mode" and was able to save the log. Ran the routine in normal mode the next day, and it was able to run through without freezing however, when I went to save it to a text file it saved it to the clipboard and did not respond after that point, so was unable to save it to a text file. What I have included is from the "safe mode" run. If you need me to try to run it again in the normal mode, just let me know.

Thanks.

GMER.Txt

rkill.Txt

OTL.Txt

Extras.Txt

Link to post
Share on other sites

Hi nowayout,

Let's try the GMER scan again.

Reboot into normal mode

Run Rkill again and save the log.

Disable AVG9

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the fix.

Now run GMER but only select Files and Drive C: ensure that Show All is not checked.

Please post the Rkill and the GMER log in your next reply.

If GMER fails to complete the scan then please run this alternative scan

Scan with Rooter:

Please download Rooter.exe to your desktop.

  • Double click on Rooter.exe to start the application.
  • Now click on the Scan button.
  • When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
  • Now click on Close button to exit Rooter.

Note: The logfile can also be located within this folder Rooter$ at the root of your installed Hard-Drive. EG: C:\Rooter$

Please post the log in your next reply.

Link to post
Share on other sites

Hi nowayout,

TDSSKiller

  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdskiller.zip, it will create a folder named tdsskiller on your desktop
  • Next double-click the tdsskiller Folder on your desktop.
  • Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"


  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdskiller.txt on your desktop and post the contents in your next reply

Link to post
Share on other sites

Hi nowayout,

Run OTL

  • Double click on OTL.exe to run it.
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

    [*]Please post only OTL.txt in your next reply

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

[*]Please post this log in your next reply along with OTL.txt

Link to post
Share on other sites

Hi nowayout,

Run TFC

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds. Only if needed will you be prompted to reboot.

Configure AVG

There has been a problem identified where Malwarebytes Antimalware can freeze when AVG is installed. Let's apply the fix for that to make sure that is not the problem.

Please read the post here and follow the instructions relevant to Windows XP and AVG 9.

Now please reboot then run RKill then try another Malwlarebytes scan.

If this fails then please run Malwlarebytes one more time and click on the Settings tab and uncheck Always scan registry objects then run a quick scan.

If the scan completes then please post the log back here, if not please let me know.

Link to post
Share on other sites

Hi nowayout,

I was able to complete a quick scan, the second time, after I unchecked the "always scan registry objects"

That is a known problem and will be fixed in a new release.

Now we will fix the problem with Microsoft Security Centre

OTL

  • Close all other open windows, then double-click OTL.exe to start OTL
  • Copy all of the text in the code box below and paste it in the white area under Custom Scans/Fixes (under the cyan line at the bottom of the window)
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride" = 0


  • Close all running programs except for OTL, including all browser windows.
  • Then click Run Fix at the top of the window.
  • Once done, OTL will require a reboot. Please allow it.
  • After reboot, the log should open. Please save the log and post it in your next reply.

Please also let me know how the computer is running now.

Link to post
Share on other sites

Hi nowayout,

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs,
    highlight Dealio Toolbar v4.0.2
    click Remove
  • Close the Add or Remove Programs and the Control Panel windows.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.

  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version

Please delete the TDSSKiller icon, folder and zip file from your desktop.

Please delete the RKill icon from your desktop.

Remove GMER

Delete the GMER icon from your desktop, it will be named iswt95z6.exe

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Create a new, clean System Restore point which you can use in case of future system problems:

  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Update your AntiVirus Software and keep your other programs up-to-date

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office

Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.