Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: infected atapi.sys  (Read 11861 times)

0 Members and 1 Guest are viewing this topic.

shamsheer

  • Guest
infected atapi.sys
« on: February 28, 2010, 08:21:09 PM »
My atapi.sys file seems to be infected. symantec endpoint protection detects this as a threat. my google searches are being redirected and the last 5-6 times i tried to restart my laptop it showed a blue screen which said something about atapi.sys. how do i fix this problem? i read about combofix on other forums but they all advised not to take action unless advised to by more experienced people. please help. i have attached my hijack this log.   

[Saving space, attachment deleted by admin]

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: infected atapi.sys
« Reply #1 on: March 01, 2010, 12:13:42 PM »
Hello shamsheer. I'm analyzing your HJT log now. I'll be back in a flash with some more instructions.
Windows 8 and Windows 10 dual boot with two SSD's

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: infected atapi.sys
« Reply #2 on: March 01, 2010, 12:21:59 PM »
Hello shamsheer and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

I need the SAS and MBAM logs

The first thing I will need you to do is to go to this link and follow the directions precisely. If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line. If you can't run any step, just jump to the next one. Please let me know how you are doing or have any questions. Initially, I will need the SuperAntiSpyware and  MBAM logs. Please post any logs that you can generate.
===============================

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

==========================================
Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKUS\S-1-5-19\..\RunOnce: []  (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: []  (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: []  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

===================================

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
link #2

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts. (you will receive a UAC prompt, please allow it)

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Please attach the SAS, MBAM and ComboFix logs
Windows 8 and Windows 10 dual boot with two SSD's