
Author Topic: Atapi.sys infected by a Trojan Horse Packed.Protector.C  (Read 24576 times)


Mermaid123

    Topic Starter


    Rookie

    Atapi.sys infected by a Trojan Horse Packed.Protector.C
    « on: December 17, 2009, 02:32:09 PM »
    Hey!

    My AVG tells me I got this infection and I also had a pair of blue screens today. I'm not sure it's related, but it never happened to me before and I didn't do anything out of the ordinary. I scanned with AVG and other malware programs but it keeps coming back.

    I'm no good with PCs, so if I could get some help it would be awesome!

    Here are the logs;

    [Saving space, attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
    « Reply #1 on: December 17, 2009, 03:26:53 PM »
    Hello Mermaid123.

    This is a bad infection that takes special tools to cure it. But, we know how to handle it. ;)

    Please do this in order.

    Disable Spybot's TeaTimer

    While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with our fixes. Please disable TeaTimer for now until you are clean.

    1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
    2. Run Spybot S&D
    3. Go to the Mode menu, and make sure Advanced Mode is selected.
    4. On the left hand side, choose Tools > Resident
    Uncheck Resident TeaTimer, click OK on any prompt and restart your computer.

    Note:
    If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

    ----------

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ----------

    Please download SystemLook from one of the below links and save it to your desktop.

    Link #1
    Link #2

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    * Double-click SystemLook.exe to run it.
    * Copy the contents of the following codebox into the main textfield.

    Code: [Select]
    :filefind
    atapi.sys

    * Click the Look button to start the scan.
    * Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
    * When finished, a notepad window will open with the results of the scan. Please post the log.

    The log can also be found on your desktop entitled SystemLook.txt

    Mermaid123


      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
      « Reply #2 on: December 17, 2009, 04:05:56 PM »
      First of all thanks for helping!

      And here is the log! I'm not sure I got everything turned off that I was supposed to turn off. But I think so.

      [Saving space, attachment deleted by admin]

      evilfantasy

      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
      « Reply #3 on: December 17, 2009, 04:21:35 PM »
      First of all thanks for helping!

      You're welcome.

      Go to Start > Run > type Notepad.exe and click OK to open Notepad.

      Copy all of the text in the below Code box into Notepad.

      Code: [Select]
      @echo off
      copy C:\WINDOWS\$NtServicePackUninstall$\atapi.sys c:\atapi.sys
      exit

      In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

      Now double click the event.bat file you just created and let it finish.

      You will know it's finished when there is a new file on your desktop.

      ----------

      Now download The Avenger by Swandog46 and save it to your desktop.

      * Extract avenger.exe from the Zip file and save it to your Desktop
      * Run avenger.exe by double-clicking on it.
      * Do not change any check box options!!
      * Copy everything in the Code box below, and paste it into the Input script here window:

      Code: [Select]
      Comment:

      Files to move:
      c:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

      * Now click the Execute button.
      * Click Yes to the prompt to confirm you want to execute.
      * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
      * Your PC should reboot, if not, reboot it yourself.
      * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

      Add The Avenger log in your next post.

      Mermaid123


        Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
        « Reply #4 on: December 17, 2009, 04:51:54 PM »

        Go to Start > Run > type Notepad.exe and click OK to open Notepad.

        Copy all of the text in the below Code box into Notepad.

        Code: [Select]
        @echo off
        copy C:\WINDOWS\$NtServicePackUninstall$\atapi.sys c:\atapi.sys
        exit

        In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

        Now double click the event.bat file you just created and let it finish.

        You will know it's finished when there is a new file on your desktop.



        When I do this, a black window pops up for half a second and then closes. I've waited a while for a file but nothing happens. Shall I wait even more or am I doing something wrong?

        evilfantasy

        Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
        « Reply #5 on: December 17, 2009, 04:59:00 PM »



        Download ComboFix© by sUBs and save it to the Desktop. ComboFix.exe

        **Note:  It is important that it is saved directly to your Desktop

        DO NOT run it yet!

        Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

        Delete these files/folders, as follows:

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code: [Select]
        KillAll::

        FCopy::
        C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

        Mermaid123


          Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
          « Reply #6 on: December 17, 2009, 05:55:00 PM »
          I struck some problems. When ComboFix had rebooted and was dealing with logs, I got a system error and the PC rebooted before I ever saw the logs. Once it was about to start again it hit a blue screen and rebooted again; it did that twice, then I started it in safe mode, rebooted, and here I am.

          Btw, should the antispyware programs still be disabled?

          evilfantasy

          Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
          « Reply #7 on: December 18, 2009, 09:04:58 AM »
          Look in C:\combofix.txt for a log.

          Mermaid123


            Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
            « Reply #8 on: December 18, 2009, 10:42:32 AM »
            Might it be this one?

            [Saving space, attachment deleted by admin]

            evilfantasy

            Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
            « Reply #9 on: December 18, 2009, 10:46:22 AM »
            It was cut off but that's what I needed.

            How is the computer running now?

            Mermaid123


              Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
              « Reply #10 on: December 18, 2009, 10:59:35 AM »
              While it's running it seems fine as far as I can see. But when I try to start it, I meet a blue screen, and this time it took the PC 8 reboots before it started.
              « Last Edit: December 18, 2009, 11:43:42 AM by Mermaid123 »

              evilfantasy

              Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
              « Reply #11 on: December 18, 2009, 11:02:33 AM »
              Try this again and let me know what happens.

              Go to Start > Run > type Notepad.exe and click OK to open Notepad.

              Copy all of the text in the below Code box into Notepad.

              Code: [Select]
              @echo off
              copy C:\WINDOWS\$NtServicePackUninstall$\atapi.sys c:\atapi.sys
              exit

              In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

              Now double click the event.bat file you just created and let it finish.

              You will know it's finished when there is a new file on your desktop.
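
              An added example, not code from this thread or from the tools it uses: the batch file above copies the backup driver and then exits, so when the source file is not there the console window closes before the copy error can be read, which is exactly the "flashes and nothing happens" symptom reported earlier in the thread. The Python script below does the same staging step with checks. It hashes the live atapi.sys and each backup copy, reports which copies are missing or byte-identical, picks a backup that differs from the live driver (preferring backups that agree with each other), and verifies the staged copy by hash instead of failing silently. The Windows paths in WINDOWS_CANDIDATES and WINDOWS_LIVE are assumptions (the thread's $NtServicePackUninstall$ path plus two other places XP keeps shipped drivers); run_demo() builds a throwaway layout with constructed bytes in a temp directory rather than touching a real system.

```python
"""Stage a replacement driver from a backup copy, checking every step.
Added example, not from the thread. event.bat copies the backup and exits,
so a missing source closes the window before the error can be read. Here
each candidate's state is reported, a backup that differs from the live
driver is chosen, and the staged copy is verified by hash. WINDOWS_* paths
are assumed XP defaults; run_demo() uses constructed bytes in a temp dir.
"""
import hashlib
import os
import shutil
import tempfile

# Assumed locations of shipped copies on Windows XP; adjust per system.
WINDOWS_CANDIDATES = [
    r"C:\WINDOWS\$NtServicePackUninstall$\atapi.sys",
    r"C:\WINDOWS\system32\dllcache\atapi.sys",
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
]
WINDOWS_LIVE = r"C:\WINDOWS\system32\drivers\atapi.sys"

def sha256_file(path):
    """Hash in chunks so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_copies(live_path, candidates):
    """Map each candidate to ('missing'|'same'|'differs', digest or None).
    Only a 'differs' backup is worth staging; 'same' would change nothing."""
    live = sha256_file(live_path)
    report = {}
    for path in candidates:
        if not os.path.isfile(path):
            report[path] = ("missing", None)
            continue
        digest = sha256_file(path)
        report[path] = ("same" if digest == live else "differs", digest)
    return report

def pick_backup(report):
    """Return (path, digest, corroborating_copies) for the best 'differs' candidate,
    preferring backups that agree with each other. A differing backup can also
    be an older version, so check its version/signature before trusting it."""
    by_digest = {}
    for path, (state, digest) in report.items():
        if state == "differs":
            by_digest.setdefault(digest, []).append(path)
    if not by_digest:
        return None
    digest, paths = max(by_digest.items(), key=lambda kv: len(kv[1]))
    return paths[0], digest, len(paths)

def stage_copy(src, dst):
    """Copy src to dst and confirm the bytes landed; raise rather than fail silently."""
    expected = sha256_file(src)
    shutil.copyfile(src, dst)
    actual = sha256_file(dst)
    if actual != expected:
        os.remove(dst)
        raise RuntimeError("staged copy does not match its source")
    return actual

def run_demo():
    """Constructed sample: live driver with bytes appended, one backup, one missing path."""
    root = tempfile.mkdtemp()
    try:
        live = os.path.join(root, "drivers", "atapi.sys")
        backup = os.path.join(root, "NtServicePackUninstall", "atapi.sys")
        missing = os.path.join(root, "dllcache", "atapi.sys")
        for p in (live, backup):
            os.makedirs(os.path.dirname(p))
        with open(backup, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)               # stand-in for a clean driver
        with open(live, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"APPENDED")  # stand-in for a tampered one
        report = compare_copies(live, [backup, missing])
        choice = pick_backup(report)
        staged = stage_copy(choice[0], os.path.join(root, "atapi.sys"))
        return {
            "states": [report[backup][0], report[missing][0]],
            "corroborating": choice[2],
            "staged_matches_backup": staged == sha256_file(backup),
            "staged_matches_live": staged == sha256_file(live),
        }
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    if os.path.isfile(WINDOWS_LIVE):
        for path, (state, digest) in compare_copies(WINDOWS_LIVE, WINDOWS_CANDIDATES).items():
            print(f"{state:8} {path} {digest or ''}")
    else:
        print(run_demo())
```

              One caveat on reading the report: a backup that differs from the live file is not proof of infection by itself, since a hotfix can legitimately update a driver, so compare the file version before copying. The mismatch becomes meaningful when the antivirus flags the live file and the backup copies agree with each other, which is the situation this thread is working through.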

              Mermaid123


                Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                « Reply #12 on: December 18, 2009, 11:43:19 AM »
                Same thing happened. Nothing, that is.

                evilfantasy

                Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                « Reply #13 on: December 18, 2009, 11:47:39 AM »
                I think we are getting close. Just need one of the fixes to complete.

                Turn off your antivirus.

                Double-click Combo-Fix and let it run. Post the log it creates.

                Mermaid123


                  Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                  « Reply #14 on: December 18, 2009, 12:10:08 PM »
                  Here

                  [Saving space, attachment deleted by admin]

                  evilfantasy

                  Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                  « Reply #15 on: December 18, 2009, 02:33:50 PM »
                  That's better.

                  1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                  It must be Notepad, not Wordpad.
                  2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                  Code: [Select]
                  KillAll::

                  FCopy::
                  C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

                  Driver::
                  prozuaq
                  SASKUTIL
                  SASENUM

                  Registry::
                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "MSMSGS"=-

                  Folder::
                  c:\program\Messenger


                  3. Go to the Notepad window and click Edit > Paste
                  4. Then click File > Save
                  5. Name the file CFScript.txt - Save the file to your Desktop
                  6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                  ComboFix will begin to execute, just follow the prompts.
                  After reboot (in case it asks to reboot), it will produce a log for you.
                  Post that log (Combofix.txt) in your next reply.

                  Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                  Mermaid123


                    Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                    « Reply #16 on: December 18, 2009, 03:30:34 PM »
                    Well, when ComboFix was processing the logs my PC decided it needed another reboot. So I'm not sure the log is complete or useful.

                    [Saving space, attachment deleted by admin]

                    evilfantasy

                    Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                    « Reply #17 on: December 18, 2009, 05:00:44 PM »
                    No it didn't finish again.

                    Download random's system information tool (RSIT) by random/random and save it to your Desktop.

                    * Double click on RSIT.exe to run.
                    * Click Continue at the disclaimer screen.
                    * Once it has finished, two logs will open.
                    * log.txt <will be maximized and info.txt <will be minimized
                    * Please post the contents of both logs in the next reply.

                    Mermaid123


                      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                      « Reply #18 on: December 18, 2009, 05:28:50 PM »
                      I took "1 month" as the option. Since you didn't say anything, I went with that.

                      [Saving space, attachment deleted by admin]

                      evilfantasy

                      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                      « Reply #19 on: December 18, 2009, 05:57:50 PM »

                      This is odd. I'm not finding anything.


                      Please go to Jotti's malware scan
                      (If more than one file needs scanned they must be done separately and logs posted for each one)

                      * Copy the file path in the below Code box:
                      Code: [Select]
                      C:\WINDOWS\system32\regedit.exe

                      * At the upload site, click once inside the window next to Browse.
                      * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                      * Next click Submit file
                      * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                      * This will perform a scan across multiple different virus scanning engines.
                      * Important: Wait for all of the scanning engines to complete.
                      * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

                      Mermaid123


                        Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                        « Reply #20 on: December 18, 2009, 06:03:14 PM »
                        "C:\WINDOWS\system32\regedit.exe
                        Can't find the file.
                        Control the search way and the filename."

                        evilfantasy

                        Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                        « Reply #21 on: December 18, 2009, 06:14:42 PM »
                        Run this tool please. http://sourceforge.net/projects/viruseffectremo/

                        After that restart the computer and post a new HijackThis log.

                        Mermaid123


                          Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                          « Reply #22 on: December 18, 2009, 06:50:51 PM »
                          And here are the results

                          [Saving space, attachment deleted by admin]

                          evilfantasy

                          Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                          « Reply #23 on: December 18, 2009, 07:00:21 PM »
                          Open HijackThis and select Do a system scan only

                          Place a check mark next to the following entries: (if there)

                          - O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

                          Important: Close all open windows except for HijackThis and then click Fix checked.

                          Once completed, exit HijackThis.

                          ----------

                          Panda USB and AutoRun Vaccine

                          Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

                          Download Panda USB and AutoRun Vaccine and save it to your desktop.

                          * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
                          * Open that folder and double-click on USBVaccine.exe to start the program.
                          * Click Run
                          * Click the button to Vaccinate computer.
                          * Insert your USB flash drive.
                          * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
                          * Exit Panda USB and AutoRun Vaccine when done.

                          Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

                          ----------

                          How is the computer running now?


                          Mermaid123


                            Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                            « Reply #24 on: December 18, 2009, 07:09:16 PM »
                            I'm not sure I understood that last step. What flashdrive are we talking about?

                            Sorry if I'm making it hard for you.

                            evilfantasy

                            Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                            « Reply #25 on: December 18, 2009, 07:15:51 PM »
                            If you have any flash drives or portable drives. If not then just run the Panda tool anyway.

                            Mermaid123


                              Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                              « Reply #26 on: December 18, 2009, 07:48:05 PM »
                              Well, I tried to reboot after the Panda step and when the PC started again I got the system message that it needed to reboot. Once it did, it hit a couple of blue screens. Once it started, AVG warned me about: File name: C:\WINDOWS\system32\drivers\cdrom.sys, Threat name: Virus identified Packed.Protector.C, Process name: C:\WINDOWS\system32\svchost.exe.

                              So I guess not as good as it could be?

                              evilfantasy

                              Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                              « Reply #27 on: December 18, 2009, 07:50:03 PM »
                              We need to run an actual antivirus scan.

                              ESET Online Scan

                              Scan your computer with the ESET FREE Online Virus Scan

                              * Click the ESET Online Scanner button.

                              * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                              * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                              * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                              * Place a check mark next to YES, I accept the Terms of Use.

                              * Click the Start button.
                              * Accept any security warnings from your browser.
                              * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                              * Click the Start button.
                              * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                              * When the scan completes, click List of found threats.
                              * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                              * Click the <<Back button then click Finish.

                              In your next reply please include the ESET Online Scan Log

                              Mermaid123


                                Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                « Reply #28 on: December 18, 2009, 11:52:44 PM »
                                Scanned and found nothing. I suppose that's also why I didn't get a log?

                                evilfantasy

                                Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                « Reply #29 on: December 19, 2009, 09:45:12 AM »
                                This next log will be huge.

                                Go here and follow the instructions for posting a log from MGtools. http://forums.majorgeeks.com/showthread.php?t=137630

                                Mermaid123


                                  Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                  « Reply #30 on: December 19, 2009, 10:15:16 AM »
                                  Here is the Zip file, that's what you wanted correct?

                                  [Saving space, attachment deleted by admin]

                                  evilfantasy

                                  Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                  « Reply #31 on: December 19, 2009, 04:40:19 PM »

                                  Download OTM by OldTimer to your desktop.

                                  Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

                                  * Save it to your Desktop.
                                  * Double-click OTM.exe to run it.
                                  * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                                  Code: [Select]
                                  :Processes
                                  explorer.exe

                                  :services

                                  :reg
                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
                                  "Regedit32"=-

                                  :files
                                  C:\WINDOWS\temp\

                                  :Commands
                                  [purity]
                                  [emptytemp]
                                  [start explorer]
                                  [Reboot]

                                  * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                                  * Click the red Moveit! button.
                                  * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

                                  * Close OTM

                                  Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
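
                                  An added example, not code from this thread or from HijackThis/OTM: the Run value removed above, [Regedit32] C:\WINDOWS\system32\regedit.exe, had two tells in this thread, the target was not on disk when it was submitted to Jotti, and regedit.exe ships in the Windows directory rather than system32. The Python script below turns those two tells into a check over HijackThis O4 lines: it parses each entry, pulls the executable path out of the command line (quoted or not), and flags a target that is missing from disk or a well-known tool name launched from the wrong place. KNOWN_TOOLS is an assumption for a default English XP layout, SAMPLE_LINES are constructed (only the Regedit32 line comes from this thread), and FAKE_DISK stands in for the filesystem so the audit runs offline; on a real machine pass os.path.isfile instead.

```python
"""Audit Run-key autoruns from HijackThis O4 lines.
Added example, not from the thread. Flags a Run value whose target is not
on disk, or whose file name is a well-known system tool started from a
path other than the one it ships in. KNOWN_TOOLS assumes an English XP
layout; SAMPLE_LINES and FAKE_DISK are constructed for offline use.
"""
import ntpath
import re

# Shape: O4 - HKLM\..\Run: [Name] C:\path\prog.exe /args
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed real locations of tools that malware likes to impersonate (XP, %WINDIR% = C:\WINDOWS).
KNOWN_TOOLS = {
    "regedit.exe": r"C:\WINDOWS\regedit.exe",
    "svchost.exe": r"C:\WINDOWS\system32\svchost.exe",
    "explorer.exe": r"C:\WINDOWS\explorer.exe",
}

# Constructed sample log; only the Regedit32 line is taken from the thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe",
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - HKCU\..\Run: [Windows Update] C:\DOCUME~1\user\LOCALS~1\Temp\regedit.exe",
]
# Constructed stand-in for the filesystem: the set of paths that "exist".
FAKE_DISK = {
    r"C:\WINDOWS\regedit.exe",
    r"C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\regedit.exe",
}

def parse_o4(line):
    """Return the hive/key/name/cmd fields of an O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def target_of(cmd):
    """Extract the executable path from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path may contain spaces: grow the prefix a word at a time until it ends in .exe.
    words = cmd.split(" ")
    for i in range(1, len(words) + 1):
        cand = " ".join(words[:i])
        if cand.lower().endswith(".exe"):
            return cand
    return words[0]

def audit(lines, exists):
    """Return {value_name: [(code, detail), ...]} for entries that deserve a look.
    `exists` is any callable path -> bool (os.path.isfile on a live system)."""
    findings = {}
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        target = target_of(entry["cmd"])
        reasons = []
        if not exists(target):
            reasons.append(("missing", target))
        base = ntpath.basename(target).lower()
        expected = KNOWN_TOOLS.get(base)
        if expected and target.lower() != expected.lower():
            reasons.append(("wrong-location", f"{base} expected at {expected}, found {target}"))
        if reasons:
            findings[entry["name"]] = reasons
    return findings

def run_demo():
    """Run the audit over the constructed sample against the constructed disk."""
    return audit(SAMPLE_LINES, lambda p: p in FAKE_DISK)

if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(f"[{name}]")
        for code, detail in reasons:
            print(f"    {code}: {detail}")
```

                                  A missing target is still worth removing even though it cannot run: a dropper that is relaunched later can put the file back, and the thread shows the entry was removed by OTM for that reason. The wrong-location check is the one that catches a copy that does exist, such as a renamed binary in a temp folder using a trusted name.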

                                  Mermaid123


                                    Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                    « Reply #32 on: December 19, 2009, 05:25:39 PM »
                                    I did it twice, because I thought I did it wrong the first time (blame the beer), so the first log disappeared, but here is the last one;

                                    [Saving space, attachment deleted by admin]

                                    evilfantasy

                                    Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                    « Reply #33 on: December 19, 2009, 06:07:59 PM »
                                    How is the computer now?

                                    Mermaid123


                                      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                      « Reply #34 on: December 19, 2009, 07:01:57 PM »
                                      As far as I can see it's good!

                                      evilfantasy

                                      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                      « Reply #35 on: December 19, 2009, 07:06:08 PM »
                                      Time to clean up.

                                      * Click START then RUN
                                      * Now type Combofix /Uninstall in the runbox
                                      * Make sure there's a space between Combofix and /Uninstall
                                      * Then hit Enter.

                                      The above procedure will:
                                      * Delete: ComboFix and its associated files and folders.
                                      * Reset the clock settings.
                                      * Hide file extensions, if required.
                                      * Hide System/Hidden files, if required.
                                      * Set a new, clean Restore Point.

                                      ----------

                                      1. Double click OTM to launch it.
                                      Vista users right click and choose Run As Administrator
                                      2. Click on the CleanUp! button.
                                      3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
                                      4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                                      5. When finished exit out of OTM.

                                      ----------

                                      Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

                                      ----------

                                      Use the Secunia Software Inspector to check for out of date software.
                                      • Click Start Now
                                      • Check the box next to Enable thorough system inspection.
                                      • Click Start
                                      • Allow the scan to finish and scroll down to see if any updates are needed.
                                      • Update anything listed.
                                      .
                                      ----------

                                      Go to Microsoft Windows Update and get all critical updates.

                                      ----------

                                      I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

                                      I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                      SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                      * Using SpywareBlaster to protect your computer from Spyware and Malware
                                      * If you don't know what ActiveX controls are, see here

                                      Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                      Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Mermaid123
« Reply #36 on: December 19, 2009, 08:55:18 PM »
During these steps I got several messages from my system saying that Services.exe wants to restart the PC because of the code "-1073741819". And then it did; sometimes I got a bluescreen. Sometimes it happened again.

evilfantasy
« Reply #37 on: December 19, 2009, 10:08:33 PM »
Quote
because of the code "-1073741819".

I need the complete error code/message.

Mermaid123
« Reply #38 on: December 19, 2009, 10:51:57 PM »
Alright. I will try to write it up, but since my PC locks up and I only have 60 secs to write it down it might take a while.
While in the restarting process my AVG found more Packed.Protector.C in C:\WINDOWS\system32\driver\cdrom.sys and C:\WINDOWS\system32\dllcache\cdrom.sys. Though I could choose the option to remove them in AVG this time, not sure that is enough though?
And my DAEMON Tools tells me "You need at least Windows 2000 with SPTD 1.51 or higher. Kernel debugging has to be inactivated" every start up.

evilfantasy
« Reply #39 on: December 20, 2009, 09:10:11 AM »
Download GMER Rootkit Detector and save it to your desktop.

* Extract it to your desktop and double-click GMER.exe
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning is in progress!
* When scanning is finished click Copy.
* This copies the log to the clipboard
* Post the log in your reply.

Mermaid123
« Reply #40 on: December 20, 2009, 09:52:47 PM »
So I ran the scan and it had run for 4-5 hours when I got a bluescreen. So I will try to run it again ASAP. Though there was a log file created on my desktop. It says it was made the 19th though. But I'm pretty sure it's new;

Edit*
The 2nd scan was a lot faster; in fact I got past the files I struck a bluescreen on in a matter of seconds, though I got a blue screen again so no log now either.

[Saving space, attachment deleted by admin]
« Last Edit: December 21, 2009, 08:35:24 AM by Mermaid123 »

evilfantasy
« Reply #41 on: December 21, 2009, 09:25:37 AM »
Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
• Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
• Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
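The SFC step above relies on the copy of a driver kept in %Systemroot%\System32\Dllcache being the trusted one. The script below is an added example, not code from this thread or from any of the tools it uses: it hashes the live driver against its Dllcache copy and, by walking the PE header to data directory entry 4 (the certificate table), reports whether each copy carries an embedded Authenticode signature at all. The two XP-style directory paths, the driver name `atapi.sys` passed to `check_driver`, and the `build_minimal_pe` sample (a constructed PE32 header, not a real driver) are assumptions for the example.

```python
"""Added example: compare a driver with its Dllcache copy and check for an
embedded certificate table. Not code from the forum thread."""
import hashlib
import struct
from pathlib import Path

DRIVERS_DIR = Path(r"C:\WINDOWS\system32\drivers")   # assumed XP location
DLLCACHE_DIR = Path(r"C:\WINDOWS\system32\dllcache")  # assumed XP location

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory index of the certificate table


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def security_directory(data: bytes):
    """Return (offset, size) of the PE certificate table, or None.

    Walks DOS header -> PE signature -> optional header and reads data
    directory entry 4. A non-empty entry means an Authenticode signature is
    embedded; it says nothing about whether that signature verifies.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at offset 96
        dd_base = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dd_base = opt + 112
    else:
        return None
    entry = dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + opt_size or entry + 8 > len(data):
        return None
    off, size = struct.unpack_from("<II", data, entry)
    return (off, size) if size else None


def compare_driver_copies(live: bytes, cached: bytes) -> dict:
    """Compare the bytes of the live driver with the Dllcache copy."""
    return {
        "same_size": len(live) == len(cached),
        "same_hash": sha256_of(live) == sha256_of(cached),
        "live_signed": security_directory(live) is not None,
        "cache_signed": security_directory(cached) is not None,
    }


def check_driver(name: str) -> dict:
    """Read both on-disk copies of a driver (e.g. "atapi.sys") and compare them."""
    live = (DRIVERS_DIR / name).read_bytes()
    cached = (DLLCACHE_DIR / name).read_bytes()
    return compare_driver_copies(live, cached)


def build_minimal_pe(cert_size: int = 0) -> bytes:
    """Constructed sample: a minimal PE32 header (not a loadable driver) whose
    certificate-table entry has the given size, for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                             # standard PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic = PE32
    struct.pack_into("<II", opt, 96 + 4 * 8, 0x200 if cert_size else 0, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    clean = build_minimal_pe(cert_size=0x600)
    patched = clean[:-8] + b"\x90" * 8               # same size, different bytes
    print(compare_driver_copies(clean, patched))
    # On a real XP box: print(check_driver("atapi.sys"))
```

Two caveats apply when reading the result. A matching hash does not prove the driver is clean, because both copies can be infected (later in this thread AVG flags cdrom.sys in both the drivers and the dllcache directories), and a kernel-mode rootkit that filters disk I/O can hand clean bytes to any tool reading the file on the live system, so run the comparison from a boot CD or with the disk attached to a known-good machine. The certificate-table check only detects presence; verify the signature itself with signtool or Get-AuthenticodeSignature on a clean host.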

Mermaid123
« Reply #42 on: December 23, 2009, 11:47:08 AM »
It took some time to get hold of a CD but now that's done.

evilfantasy
« Reply #43 on: December 23, 2009, 01:44:12 PM »
And were any errors found/fixed?

Mermaid123
« Reply #44 on: December 23, 2009, 05:36:07 PM »
How were you supposed to see that?

evilfantasy
« Reply #45 on: December 23, 2009, 05:55:37 PM »
Right-click My Computer and click on Manage.

In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.

See if anything in there tells you if it was repaired or replaced.

Also, how is the computer running now?

Mermaid123
« Reply #46 on: December 24, 2009, 06:26:08 AM »
AVG still gives me warnings. And I can't find the "System" window. Merry Christmas btw!

evilfantasy
« Reply #47 on: December 24, 2009, 10:13:38 AM »
What warnings? The same ones?

Have you updated AVG recently? What version are you using, 8.5 or 9.0?

Mermaid123
« Reply #48 on: December 24, 2009, 01:03:49 PM »
Same Protector.C trojan but on some cdrom system file or something like that.

I've got 9.0 and it's updated every day, so it should be fine. But I also noticed that my net is very slow on this PC and some websites can't even be opened.

evilfantasy
« Reply #49 on: December 24, 2009, 10:46:44 PM »
Can you give me the exact file path that's being detected?

Let's get a fresh CF scan.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Mermaid123
« Reply #50 on: December 25, 2009, 11:16:51 AM »
This time it was; C:\System Volume Information\_restore{6C61C8AE-354846D5-8365-5D6833B7B259}\RP11\A0017677.sys
But it seems to be different every time.

[Saving space, attachment deleted by admin]

evilfantasy
« Reply #51 on: December 25, 2009, 12:34:54 PM »
C:\System Volume Information\_restore <- These are Restore Points and we can clean that by resetting it.

Disable/Enable the System Restore Utility to flush old infected restore points

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

Mermaid123
« Reply #52 on: December 28, 2009, 02:50:46 PM »
Done. The PC seems fine now!

Mermaid123
« Reply #53 on: January 02, 2010, 02:40:42 PM »
Hey. I'm not sure it's related but my PC started freezing, sometimes only after a few seconds of use and sometimes several minutes.

At first I can't click anything, then my mouse changes icon to the "loading" one, then my sound hangs up and it's an endless "beep" or whatever the last sound was that played on the PC, then my mouse freezes too and all I can do is restart it "the hard" way. It started when I turned off the vaccine in Panda Vaccine and used the HDD I used to vaccinate.
« Last Edit: January 02, 2010, 07:37:18 PM by Mermaid123 »

evilfantasy
« Reply #54 on: January 04, 2010, 08:56:12 AM »
Is it still happening after a restart?

Mermaid123
« Reply #55 on: January 04, 2010, 05:42:57 PM »
Yep. I'm currently in safe mode because it gives me more time before it freezes.

evilfantasy
« Reply #56 on: January 04, 2010, 07:41:16 PM »
Update and run Malwarebytes please. Post the log.

Mermaid123
« Reply #57 on: January 04, 2010, 07:54:47 PM »
Just got a blue screen. The first one I've got since this problem. I'll try to translate it as well as I can;

"There was an error and Windows has shut down to prevent problems with your PC.

IRQL_NOT_LESS_OR_EQUAL

If this is the first time you see this message, you should restart the PC. If the message is shown again you should do the following:

Check that all new hardware and software are correctly installed. If this is a new installation, you can contact the hardware or software makers if you need special files for Windows.

If the problem remains you can try to deactivate or uninstall newly installed hardware or software. Deactivate BIOS memory options such as caching or shadowing.
This is what to do if you have to use Safe mode to uninstall or deactivate components: Restart the PC, press F8 to show the list of Advanced startup options and choose Safe mode.

Technical information:

*** STOP: 0x0000000A (0xffffff94, 0x0000001C, 0x00000000, 0x80500155)
Starting dump of physical memory.
Dump of physical memory finished. Contact the system administrator or technical support if you need help."

Should I restart it and run the scan? Got it before I read your post.

evilfantasy
« Reply #58 on: January 04, 2010, 08:15:57 PM »
Have a look here for the stop error information. http://support.microsoft.com/kb/314063
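Two raw numbers appear in this thread that the KB article above does not decode for the reader: the Services.exe code "-1073741819" in Reply #36 and the STOP line in Reply #57. The script below is an added example, not code from the thread or from Microsoft: it converts the signed decimal into the NTSTATUS value it represents and parses the four bug check 0xA parameters using their documented meaning (memory referenced, IRQL, 0 = read / 1 = write, address of the instruction that made the reference). Assumptions: the NTSTATUS name table is deliberately tiny, only IRQL values 0 to 2 are named because those are fixed on x86, and `kernel_base=0x80000000` assumes 32-bit x86 without the /3GB switch.

```python
"""Added example: decode the error codes quoted in this thread. Not code from
the forum thread; the two inputs below are quoted from Replies #36 and #57."""
import re

SERVICES_EXE_CODE = -1073741819   # quoted from Reply #36
STOP_LINE = "*** STOP: 0x0000000A (0xffffff94, 0x0000001C, 0x00000000, 0x80500155)"  # Reply #57

# Deliberately small table of documented NTSTATUS constants (assumption: only
# the values needed for this example are listed).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
}
NTSTATUS_SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# x86 IRQLs that are the same on every x86 Windows build; anything higher is
# reported numerically rather than guessed.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

STOP_RE = re.compile(
    r"STOP:\s*0x([0-9A-Fa-f]{8})\s*\(\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)"
    r"\s*,\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)\s*\)"
)


def ntstatus_from_signed(code: int) -> int:
    """Windows shows NTSTATUS values as signed 32-bit decimals; undo that."""
    return code & 0xFFFFFFFF


def describe_ntstatus(code: int) -> str:
    value = ntstatus_from_signed(code)
    name = NTSTATUS_NAMES.get(value, "unknown")
    severity = NTSTATUS_SEVERITY[value >> 30]      # top two bits are the severity
    return f"0x{value:08X} ({name}, severity: {severity})"


def parse_stop_line(line: str) -> dict:
    """Pull the bug check code and its four parameters out of a STOP line."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("no STOP line found")
    code, *params = (int(x, 16) for x in m.groups())
    return {"bugcheck": code, "params": params}


def describe_bugcheck_0a(params, kernel_base=0x80000000) -> dict:
    """Interpret bug check 0xA (IRQL_NOT_LESS_OR_EQUAL) on 32-bit x86.

    kernel_base is an assumption: 0x80000000 is where kernel space starts on
    32-bit x86 without /3GB (with /3GB it would be 0xC0000000).
    """
    addr, irql, op, pc = params
    return {
        "referenced_address": f"0x{addr:08X}",
        # as a signed value; just below zero means a small negative offset from 0
        "signed_address": addr - 2**32 if addr >= 2**31 else addr,
        "irql": irql,
        "irql_name": IRQL_NAMES.get(irql, f"above DISPATCH_LEVEL ({irql})"),
        "operation": "write" if op == 1 else "read",
        "faulting_instruction": f"0x{pc:08X}",
        "fault_in_kernel_code": pc >= kernel_base,
    }


def decode_thread_codes() -> dict:
    """Decode both codes from the thread in one call."""
    stop = parse_stop_line(STOP_LINE)
    return {
        "services_exe": describe_ntstatus(SERVICES_EXE_CODE),
        "bugcheck": f"0x{stop['bugcheck']:08X}",
        "details": describe_bugcheck_0a(stop["params"]),
    }


if __name__ == "__main__":
    for key, value in decode_thread_codes().items():
        print(key, "=", value)
```

Reading the output: the Services.exe code is 0xC0000005, STATUS_ACCESS_VIOLATION, so a critical system process died on a bad memory access, which is why Windows forced the restart; the STOP line says kernel code at 0x80500155 read address 0xffffff94 (a small negative offset from zero) at IRQL 0x1C, well above DISPATCH_LEVEL. The parameters alone cannot name the driver at fault; that needs the memory dump opened in WinDbg (`!analyze -v`), which is the next step the KB article points at.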

Mermaid123
« Reply #59 on: January 06, 2010, 02:06:53 AM »
That didn't work. When I tried to repair my installation, it told me I don't have a hard drive.
I ran the malware scan but I got the same blue screen, so I did it in safe mode.

[Saving space, attachment deleted by admin]

evilfantasy
« Reply #60 on: January 07, 2010, 04:14:26 PM »
Try this.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
• Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
• Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

                                                                Mermaid123

                                                                  Topic Starter


                                                                  Rookie

                                                                  Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                                                  « Reply #61 on: January 08, 2010, 12:32:05 AM »
                                                                  Didn't solve it.

                                                                  evilfantasy

                                                                  • Malware Removal Specialist
                                                                  • Moderator


                                                                  • Genius
                                                                  • Calm like a bomb
                                                                  • Thanked: 493
                                                                  • Experience: Experienced
                                                                  • OS: Windows 11
                                                                  Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                                                  « Reply #62 on: January 10, 2010, 04:34:55 PM »
                                                                  I'm not sure what's wrong. Have you tried a repair install? http://www.michaelstevenstech.com/XPrepairinstall.htm

                                                                  Mermaid123

                                                                    Topic Starter


                                                                    Rookie

                                                                    Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                                                    « Reply #63 on: January 11, 2010, 10:40:56 AM »
                                                                    Could it be a hardware problem then? My fan is running on high speed and in Everest my CPU heat is 75-80 degrees Celsius in safe mode.

                                                                    evilfantasy

                                                                    • Malware Removal Specialist
                                                                    • Moderator


                                                                    • Genius
                                                                    • Calm like a bomb
                                                                    • Thanked: 493
                                                                    • Experience: Experienced
                                                                    • OS: Windows 11
                                                                    Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                                                    « Reply #64 on: January 11, 2010, 10:43:18 AM »
                                                                    That is very possible.

                                                                    I'm pretty sure we removed the malware but the damage it did may be more than we can see. You may need to reinstall.

                                                                    Mermaid123

                                                                      Topic Starter


                                                                      Rookie

                                                                      Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
                                                                      « Reply #65 on: January 11, 2010, 10:46:34 AM »
                                                                      Alright. Well thanks a lot for the help! It might take some days till I get it reinstalled.