Author Topic: Atapi.sys infected by a Trojan Horse Packed.Protector.C  (Read 24660 times)

Mermaid123

    Topic Starter


    Rookie

    Atapi.sys infected by a Trojan Horse Packed.Protector.C
    « on: December 17, 2009, 02:32:09 PM »
    Hey!

    My AVG tells me I got this infection and I also had a pair of blue screens today. I'm not sure it's related but it never happened to me before and I didn't do anything out of the ordinary. I scanned with AVG and other malware programs but it keeps coming back.

    I'm no good with PCs, so if I could get some help it would be awesome!

    Here are the logs:

    [Saving space, attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
    « Reply #1 on: December 17, 2009, 03:26:53 PM »
    Hello Mermaid123.

    This is a bad infection that takes special tools to cure it. But, we know how to handle it. ;)

    Please do this in order.

    Disable Spybot's TeaTimer

    While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with our fixes. Please disable TeaTimer for now until you are clean.

    1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
    2. Run Spybot S&D
    3. Go to the Mode menu, and make sure Advanced Mode is selected.
    4. On the left hand side, choose Tools > Resident
       Uncheck Resident TeaTimer, OK any prompt, and restart your computer.

    Note:
    If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

    ----------

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ----------

    Please download SystemLook from one of the below links and save it to your desktop.

    Link #1
    Link #2

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    * Double-click SystemLook.exe to run it.
    * Copy the contents of the following codebox into the main textfield.

    Code:
    :filefind
    atapi.sys

    * Click the Look button to start the scan.
    * Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
    * When finished, a notepad window will open with the results of the scan. Please post the log.

    The log can also be found on your desktop entitled SystemLook.txt

    Mermaid123


      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
      « Reply #2 on: December 17, 2009, 04:05:56 PM »
      First of all thanks for helping!

      And here is the log! I'm not sure I got everything turned off that I was supposed to turn off. But I think so.

      [Saving space, attachment deleted by admin]

      evilfantasy

      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
      « Reply #3 on: December 17, 2009, 04:21:35 PM »
      First of all thanks for helping!

      You're welcome.

      Go to Start > Run > type Notepad.exe and click OK to open Notepad.

      Copy all of the text in the below Code box into Notepad.

      Code:
      @echo off
      copy C:\WINDOWS\$NtServicePackUninstall$\atapi.sys c:\atapi.sys
      exit

      In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

      Now double click the event.bat file you just created and let it finish.

      You will know it's finished when there is a new file on your desktop.

      ----------

      Now download The Avenger by Swandog46 and save it to your desktop.

      * Extract avenger.exe from the Zip file and save it to your Desktop
      * Run avenger.exe by double-clicking on it.
      * Do not change any check box options!!
      * Copy everything in the Code box below, and paste it into the Input script here window:

      Code:
      Comment:

      Files to move:
      c:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

      * Now click the Execute button.
      * Click Yes to the prompt to confirm you want to execute.
      * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
      * Your PC should reboot, if not, reboot it yourself.
      * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

      Add The Avenger log in your next post.
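
Replies #1 and #3 first locate the copies of atapi.sys and then restore one from the service-pack backup folder. As an added example (not part of the original thread and not the script of any tool named in it), this read-only PowerShell lists every copy with its hash and signature status and reports a missing backup instead of failing silently; `$WindowsRoot` and the helper name `Get-DriverCopyReport` are assumptions.

```powershell
# Added example (constructed; not from the thread). Read-only: it copies nothing.
param(
    [string]$WindowsRoot = 'C:\WINDOWS',   # assumption: Windows folder of the volume under examination
    [string]$DriverName  = 'atapi.sys'
)

function Get-DriverCopyReport {            # hypothetical helper name
    param([string]$Root, [string]$Name)
    # -Force descends into hidden/system folders such as $NtServicePackUninstall$.
    Get-ChildItem -LiteralPath $Root -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Length    = $_.Length
                Version   = $_.VersionInfo.FileVersion
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # Catalog-signed files may report NotSigned on older PowerShell versions.
                SigStatus = $sig.Status
            }
        }
}

$active = Join-Path $WindowsRoot "system32\drivers\$DriverName"
# Single quotes keep PowerShell from expanding the $ signs in the folder name.
$backup = Join-Path (Join-Path $WindowsRoot '$NtServicePackUninstall$') $DriverName

$report = @(Get-DriverCopyReport -Root $WindowsRoot -Name $DriverName)
$report | Sort-Object Path | Format-List

# A plain copy command gives no visible error when the source is absent, so check it explicitly.
if (-not (Test-Path -LiteralPath $backup)) {
    Write-Warning "Backup copy not found: $backup"
}

# Copies sharing a hash are byte-identical; read this together with SigStatus
# when deciding which copy to trust as the replacement.
$activeRow = $report | Where-Object { $_.Path -ieq $active }
if (-not $activeRow) {
    Write-Warning "No driver found at $active"
} else {
    $twins = @($report | Where-Object { $_.SHA256 -eq $activeRow.SHA256 -and $_.Path -ine $active })
    "{0}: signature={1}, identical copies elsewhere={2}" -f $active, $activeRow.SigStatus, $twins.Count
}
```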

      Mermaid123


        Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
        « Reply #4 on: December 17, 2009, 04:51:54 PM »

        Go to Start > Run > type Notepad.exe and click OK to open Notepad.

        Copy all of the text in the below Code box into Notepad.

        Code:
        @echo off
        copy C:\WINDOWS\$NtServicePackUninstall$\atapi.sys c:\atapi.sys
        exit

        In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

        Now double click the event.bat file you just created and let it finish.

        You will know it's finished when there is a new file on your desktop.



        When I do this, a black window pops up for half a sec and then closes. I've waited a while for a file but nothing happens. Shall I wait even more or am I doing something wrong?

        evilfantasy

        Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
        « Reply #5 on: December 17, 2009, 04:59:00 PM »



        Download ComboFix© by sUBs and save it to the Desktop. ComboFix.exe

        Note: It is important that it is saved directly to your Desktop.

        DO NOT run it yet!

        Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

        Delete these files/folders, as follows:

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        FCopy::
        C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

        Mermaid123


          Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
          « Reply #6 on: December 17, 2009, 05:55:00 PM »
          I struck some problems. When ComboFix had rebooted and was dealing with logs, I got a system error and the PC rebooted before I ever saw the logs. Once it was about to start again it hit a blue screen and rebooted again. It did that twice, then I started it in safe mode, rebooted and here I am.

          Btw, should the antispyware programs still be disabled?

          evilfantasy

          Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
          « Reply #7 on: December 18, 2009, 09:04:58 AM »
          Look in C:\combofix.txt for a log.

          Mermaid123


            Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
            « Reply #8 on: December 18, 2009, 10:42:32 AM »
            Might it be this one?

            [Saving space, attachment deleted by admin]

            evilfantasy

            Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
            « Reply #9 on: December 18, 2009, 10:46:22 AM »
            It was cut off but that's what I needed.

            How is the computer running now?

            Mermaid123


              Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
              « Reply #10 on: December 18, 2009, 10:59:35 AM »
              While it's running it seems fine as far as I can see. But when I try to start it, I meet a blue screen and this time it took the PC 8 reboots before it started.
              « Last Edit: December 18, 2009, 11:43:42 AM by Mermaid123 »

              evilfantasy

              Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
              « Reply #11 on: December 18, 2009, 11:02:33 AM »
              Try this again and let me know what happens.

              Go to Start > Run > type Notepad.exe and click OK to open Notepad.

              Copy all of the text in the below Code box into Notepad.

              Code:
              @echo off
              copy C:\WINDOWS\$NtServicePackUninstall$\atapi.sys c:\atapi.sys
              exit

              In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

              Now double click the event.bat file you just created and let it finish.

              You will know it's finished when there is a new file on your desktop.

              Mermaid123


                Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                « Reply #12 on: December 18, 2009, 11:43:19 AM »
                Same thing happened. Nothing, that is.

                evilfantasy

                Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                « Reply #13 on: December 18, 2009, 11:47:39 AM »
                I think we are getting close. Just need one of the fixes to complete.

                Turn off your antivirus.

                Double-click Combo-Fix and let it run. Post the log it creates.

                Mermaid123


                  Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                  « Reply #14 on: December 18, 2009, 12:10:08 PM »
                  Here

                  [Saving space, attachment deleted by admin]