Atapi.sys infected

Posted 3/29/2010 9:44 PM
#84382
Shawn Johnson Member

Date Joined Nov 2016
Total Posts: 4
My wife is running Windows XP. She had been using AVG Anti-Virus Free for her anti-virus software.

It just popped up with a warning that a threat was detected, it said:

C:\windows\system32\drivers\atapi.sys
virus identified Win32\Patched.CG

detected on open

I don't know enough about this to deal with the problem myself, and we can't afford to pay to get it fixed. It sounds like a Windows system file has been affected, otherwise I would just delete it and re-install it. Any help would be greatly appreciated.

Thank you
Posted 3/30/2010 3:19 AM
#84384
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Hello and welcome :smile:

Combofix is able to fix the atapi infection, therefore ->

Please download Combofix: Here

Before saving it to Desktop, please rename it to alg.exe to stop malware from disabling it.

Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix.

There are details for disabling many programmes: Here

Now, please make sure no other programs are running, close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted.

Usually located in c:\combofix.txt, please post it to your next reply.

The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 3/31/2010 3:20 PM
#84418
Shawn Johnson Member

Date Joined Nov 2016
Total Posts: 4
Thank you for responding.

I ran Combofix, and here are the logs:

ComboFix 10-03-29.04 - My Love 03/31/2010 11:11:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.492 [GMT -4:00]
Running from: c:\documents and settings\My Love\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.

2010-03-30 01:10 . 2010-03-30 01:10 -------- d-----w- C:\$AVG
2010-03-12 14:56 . 2010-03-12 14:56 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-12 14:56 . 2010-03-12 14:56 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-12 14:56 . 2010-03-12 14:56 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-12 14:55 . 2010-03-12 14:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 05:18 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 20:37 . 2010-03-07 20:37 -------- d-----w- c:\program files\Nucleosys
2010-03-01 15:28 . 2010-03-01 15:28 -------- d-----w- c:\program files\ASC Games
2010-03-01 15:28 . 1997-08-26 17:06 315904 ----a-w- c:\windows\IsUninst.exe
2010-03-01 15:28 . 2010-03-01 15:28 -------- d-----w- c:\documents and settings\My Love\WINDOWS

.
Posted 3/31/2010 3:21 PM
#84419
Shawn Johnson Member

Date Joined Nov 2016
Total Posts: 4
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 00:51 . 2009-12-05 01:45 79488 ----a-w- c:\documents and settings\My Love\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-16 19:10 . 2009-10-08 12:40 -------- d-----w- c:\program files\World of Warcraft
2010-03-12 14:55 . 2009-12-28 18:13 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 14:55 . 2009-12-28 18:13 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 14:55 . 2009-12-28 18:13 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-27 22:12 . 2009-11-28 01:21 -------- d-----w- c:\program files\The Adventure Company
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 20:34 . 2009-10-08 14:48 28472 ----a-w- c:\documents and settings\My Love\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-18 23:39 . 2009-12-28 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-15 20:40 . 2010-02-15 19:07 -------- d-----w- c:\program files\Dracula - The Last Sanctuary
2010-02-12 18:16 . 2009-10-07 17:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-10 22:56 . 2009-12-06 00:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-10 02:55 . 2010-01-31 18:10 -------- d-----w- c:\program files\Viva Media
2010-02-09 23:06 . 2010-02-09 23:06 61440 ----a-r- c:\documents and settings\My Love\Application Data\Microsoft\Installer\{E60ED9F4-AEAB-41F3-ABE1-9030C0845CD1}\NewShortcut4_E60ED9F4AEAB41F3ABE19030C0845CD1.exe
2010-02-09 23:06 . 2010-02-09 23:06 61440 ----a-r- c:\documents and settings\My Love\Application Data\Microsoft\Installer\{E60ED9F4-AEAB-41F3-ABE1-9030C0845CD1}\NewShortcut31_E60ED9F4AEAB41F3ABE19030C0845CD1.exe
2010-02-09 23:06 . 2010-02-09 23:06 61440 ----a-r- c:\documents and settings\My Love\Application Data\Microsoft\Installer\{E60ED9F4-AEAB-41F3-ABE1-9030C0845CD1}\NewShortcut3_E60ED9F4AEAB41F3ABE19030C0845CD1.exe
2010-02-09 23:06 . 2010-02-09 23:06 22382 ----a-r- c:\documents and settings\My Love\Application Data\Microsoft\Installer\{E60ED9F4-AEAB-41F3-ABE1-9030C0845CD1}\NewShortcut2_BE7A070E822C4104AAE21780CEB0AE2E.exe
2010-02-09 23:06 . 2010-02-09 23:06 22382 ----a-r- c:\documents and settings\My Love\Application Data\Microsoft\Installer\{E60ED9F4-AEAB-41F3-ABE1-9030C0845CD1}\ARPPRODUCTICON.exe
2010-02-09 23:02 . 2010-02-09 23:02 -------- d-----w- c:\program files\10TACLE STUDIOS
2010-02-07 20:20 . 2010-02-07 20:20 -------- d-----w- c:\program files\Private Moon Studios
2010-01-31 18:27 . 2010-01-31 18:27 -------- d-----w- c:\program files\QuickTime
2010-01-31 18:27 . 2010-01-31 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-01-31 18:10 . 2010-01-31 18:10 -------- d-----w- c:\program files\OXXOGames
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 18:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"D-Link RangeBooster G WUA-2340"="c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2008-09-24 1667072]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-01 136600]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-01-31 98304]

c:\documents and settings\My Love\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-12-1 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 14:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/28/2009 2:13 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/28/2009 2:13 PM 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/12/2010 10:55 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/12/2010 10:55 AM 308064]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [10/8/2009 11:52 AM 57440]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [5/8/2006 10:10 PM 386784]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [10/8/2009 11:52 AM 356434]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-03-31 11:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-31 11:18:46
ComboFix-quarantined-files.txt 2010-03-31 15:18

Pre-Run: 274,754,408,448 bytes free
Post-Run: 275,622,899,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 583A4ABDAC3D8B1977D5E39E67E7D9F0
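As an added example (not part of the thread and not ComboFix's own code), a small Python parser for the file-list lines in the log above: it reads each entry's two timestamps, size, attribute field and path, and lists kernel drivers under system32\drivers that were rewritten on or after a given date, one quick triage view of such a log. Note that atapi.sys never appears in the listing above at all: a patch that preserves a file's timestamps does not surface in a date-based list, which is why the next step in the thread is a signature check rather than another date scan. The sample lines are copied from the posted log, and the reading of the two timestamps as modified-then-created is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the format of the ComboFix "Files Created" / "Find3M"
# sections posted above (values copied from that log, not a live scan).
SAMPLE_LOG = r"""
2010-03-12 14:55 . 2009-12-28 18:13 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-03-01 15:28 . 2010-03-01 15:28 -------- d-----w- c:\program files\ASC Games
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.
"""

# Assumption: first timestamp is last-modified, second is creation time, then
# the size (or eight dashes for a directory), an 8-char attribute field, and the path.
LINE_RE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attr>\S{8}) (?P<path>.+)$"
)


def parse_combofix_entries(text):
    """Return one dict per file-list line; headers, lone dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "modified": datetime.strptime(m["mod"], "%Y-%m-%d %H:%M"),
            "created": datetime.strptime(m["cre"], "%Y-%m-%d %H:%M"),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attr"].startswith("d"),
            "path": m["path"].lower(),
        })
    return entries


def drivers_modified_since(entries, since_day):
    r"""Sorted paths of *.sys files under system32\drivers modified on/after since_day (YYYY-MM-DD)."""
    since = datetime.strptime(since_day, "%Y-%m-%d")
    return sorted(e["path"] for e in entries
                  if not e["is_dir"]
                  and e["path"].endswith(".sys")
                  and "\\system32\\drivers\\" in e["path"]
                  and e["modified"] >= since)
```

Run with the real c:\combofix.txt contents in place of SAMPLE_LOG; entries from the registry and service sections do not match the pattern and are ignored.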
Posted 4/1/2010 2:23 AM
#84425
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
That's odd, it looks clean :rolleyes:

However, will you please check C:\windows\system32\drivers\atapi.sys

Here-> https://www.virustotal.com/en/indexf.html

Post back the results

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 4/1/2010 5:08 PM
#84438

Shawn Johnson Member

Date Joined Nov 2016
Total Posts: 4

Ok here is the report from VirusTotal.

File atapi.sys received on 2010.04.01 13:29:17 (UTC)
Current status: finished

Result: 1/42 (2.38%)

https://www.threatexpert.com/report.aspx?md5=9f3a2f5aa6875c72bf062c712cfa2674

ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
sigcheck: publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: -
packers (Kaspersky): PE_Patch
RDS: NSRL Reference Data Set