
Author Topic: Atapi.sys infected by a Trojan Horse Packed.Protector.C  (Read 24638 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #15 on: December 18, 2009, 02:33:50 PM »
That's better.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

FCopy::
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

Driver::
prozuaq
SASKUTIL
SASENUM

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-

Folder::
c:\program\Messenger


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
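The FCopy line in the script above overwrites the live atapi.sys with the copy Windows kept in $NtServicePackUninstall$. A responder wants to know, before and after such a step, whether the live driver actually matches a known-good backup. The following script is an added example written for this thread; it is not ComboFix's code or anything posted by evilfantasy. The file paths are assumptions for a Windows XP install (the second backup location, ServicePackFiles\i386, is an extra assumed copy), and the "patched" verdict is a heuristic: same size but different bytes is what in-place modification of a PE file looks like, but a later hotfix can also make the backup stale.

```python
"""Check a Windows driver file against its service-pack backup copies.

Added example, not from the thread or from ComboFix. Tells a responder whether
the live copy matches a backup and, if not, whether it looks patched in place
(same size, different bytes) or fully replaced. Paths are assumptions.
"""
import hashlib
from typing import Dict, List, Optional

# Assumed locations: the live driver and the copies Windows XP keeps of the
# original file (the first is the one the FCopy line above uses).
LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"
BACKUP_DRIVERS = [
    r"C:\WINDOWS\$NtServicePackUninstall$\atapi.sys",
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
]


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the value you would paste into a thread)."""
    return hashlib.sha256(data).hexdigest()


def classify(live: bytes, backups: Dict[str, bytes]) -> dict:
    """Compare the live driver bytes against each backup copy.

    status is one of:
      'clean'     at least one backup is byte-for-byte identical to the live file
      'patched'   no backup matches, but one has exactly the same size (heuristic
                  for in-place modification that keeps the PE layout intact)
      'replaced'  no backup matches and sizes differ
      'no-backup' nothing was available to compare against
    """
    per_backup = {}
    for path, data in backups.items():
        per_backup[path] = {
            "sha256": sha256_of(data),
            "same_size": len(data) == len(live),
            "identical": data == live,
        }
    if not per_backup:
        status = "no-backup"
    elif any(r["identical"] for r in per_backup.values()):
        status = "clean"
    elif any(r["same_size"] for r in per_backup.values()):
        status = "patched"
    else:
        status = "replaced"
    return {
        "live_sha256": sha256_of(live),
        "live_size": len(live),
        "backups": per_backup,
        "status": status,
    }


def read_if_present(path: str) -> Optional[bytes]:
    """Read a file, returning None instead of raising when it is absent."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def check_driver(live_path: str = LIVE_DRIVER,
                 backup_paths: List[str] = BACKUP_DRIVERS) -> dict:
    """Run the comparison against real files; 'missing' if the live driver is gone."""
    live = read_if_present(live_path)
    if live is None:
        return {"status": "missing", "live": live_path}
    backups = {}
    for path in backup_paths:
        data = read_if_present(path)
        if data is not None:
            backups[path] = data
    return classify(live, backups)


if __name__ == "__main__":
    import json
    print(json.dumps(check_driver(), indent=2))
```

Run it from an administrator prompt on the affected machine; pass a different file name to check_driver to look at another driver. A "clean" result after the FCopy step confirms the restore took, while "patched" or "replaced" means the live file still differs from every backup and its hash should be compared against the vendor's known-good version before anything else is concluded.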

Mermaid123

  • Topic Starter
  • Rookie

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #16 on: December 18, 2009, 03:30:34 PM »
Well when ComboFix was processing the logs my PC decided it needed another reboot. So I'm not sure the log is complete or useful.

[Saving space, attachment deleted by admin]

evilfantasy

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #17 on: December 18, 2009, 05:00:44 PM »
No it didn't finish again.

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

* Double click on RSIT.exe to run.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open.
* log.txt (will be maximized) and info.txt (will be minimized)
* Please post the contents of both logs in the next reply.

Mermaid123

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #18 on: December 18, 2009, 05:28:50 PM »
I took "1 month" as the option. Since you didn't say anything, I took that.

[Saving space, attachment deleted by admin]

evilfantasy

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #19 on: December 18, 2009, 05:57:50 PM »

This is odd. I'm not finding anything.

Please go to Jotti's malware scan
(If more than one file needs to be scanned they must be done separately and logs posted for each one)

* Copy the file path in the below Code box:
Code:
C:\WINDOWS\system32\regedit.exe
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Mermaid123

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #20 on: December 18, 2009, 06:03:14 PM »
"C:\WINDOWS\system32\regedit.exe
Can't find the file.
Control the search way and the filename."

evilfantasy

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #21 on: December 18, 2009, 06:14:42 PM »
Run this tool please. http://sourceforge.net/projects/viruseffectremo/

After that restart the computer and post a new HijackThis log.

Mermaid123

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #22 on: December 18, 2009, 06:50:51 PM »
And here are the results

[Saving space, attachment deleted by admin]

evilfantasy

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #23 on: December 18, 2009, 07:00:21 PM »
Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Panda USB and AutoRun Vaccine

Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

Download Panda USB and AutoRun Vaccine and save it to your desktop.

* Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
* Open that folder and double-click on USBVaccine.exe to start the program.
* Click Run
* Click the button to Vaccinate computer.
* Insert your USB flash drive.
* When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
* Exit Panda USB and AutoRun Vaccine when done.

Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

----------

How is the computer running now?
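The O4 entry the post above asks HijackThis to fix, [Regedit32] C:\WINDOWS\system32\regedit.exe, illustrates two checks a responder can script for any Run-key autostart line: whether the referenced file exists at all (Reply #20 reported it did not), and whether a well-known Windows binary name is sitting in the directory it normally lives in (on Windows XP regedit.exe belongs in C:\WINDOWS, not system32). The following is an added example written for this thread, not HijackThis code or anything evilfantasy posted. The expected-location table, the second sample line and the offline "what exists on disk" set are constructed assumptions.

```python
r"""Triage HijackThis O4 (Run-key autostart) entries.

Added example, not from the thread or from HijackThis. For each
"O4 - HKLM\..\Run: [name] command" line it reports whether the executable is
missing and whether a known system binary name is outside its usual directory.
The expected-location table and the sample data are assumptions.
"""
import ntpath
import re
from typing import Callable, List, Optional

# HijackThis Run-value format: "O4 - <hive\..\Run>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed normal homes of some system binaries when %SystemRoot% is C:\WINDOWS.
EXPECTED_DIR = {
    "regedit.exe": r"C:\WINDOWS",
    "explorer.exe": r"C:\WINDOWS",
    "svchost.exe": r"C:\WINDOWS\system32",
}


def parse_o4(line: str) -> Optional[dict]:
    """Split an O4 Run-value line into hive, value name and command, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def command_path(cmd: str) -> str:
    """Executable path from a Run-value command line.

    Handles a quoted path followed by arguments and an unquoted path without
    spaces; anything odder is returned whole so it still gets reported.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(\S+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(lines: List[str], exists: Callable[[str], bool]) -> List[dict]:
    """Return one record per O4 line with a list of findings (empty = nothing odd)."""
    records = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        path = command_path(entry["cmd"])
        findings = []
        if not exists(path):
            findings.append("missing-file")
        expected = EXPECTED_DIR.get(ntpath.basename(path).lower())
        if expected and ntpath.dirname(path).lower() != expected.lower():
            findings.append("unexpected-location")
        records.append({"name": entry["name"], "path": path, "findings": findings})
    return records


# Constructed sample: the first line is the entry quoted in the post above,
# the second is a made-up benign-looking entry used as a control.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe",
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
]

# Constructed view of what is on disk, so the example runs offline; on the
# affected machine pass os.path.isfile as the exists callback instead.
PRESENT = {r"c:\windows\regedit.exe", r"c:\progra~1\avg\avg9\avgtray.exe"}


def demo() -> List[dict]:
    return triage(SAMPLE_O4, lambda p: p.lower() in PRESENT)


if __name__ == "__main__":
    for rec in demo():
        print(rec["name"], rec["path"], rec["findings"] or "ok")
```

Feed it the O4 lines from a real HijackThis log with os.path.isfile as the callback; an entry that is both missing and pointing a system binary's name at the wrong directory is the kind of leftover autostart value that the "Fix checked" step above removes, and the value name itself (here "Regedit32") is what to look for again in the next log to confirm it stayed gone.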

Mermaid123

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #24 on: December 18, 2009, 07:09:16 PM »
I'm not sure I understood that last step. What flash drive are we talking about?

Sorry if I'm making it hard for you.

evilfantasy

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #25 on: December 18, 2009, 07:15:51 PM »
If you have any flash drives or portable drives. If not then just run the Panda tool anyway.

Mermaid123

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #26 on: December 18, 2009, 07:48:05 PM »
Well I tried to reboot after the Panda step and when the PC started again I got the system message that it needed to reboot. Once it did, it hit a couple of blue screens. Once it started, AVG warned me about: File name: C:\\WINDOWS\system32\drivers\cdrom.sys     Threat name: Viruus indentified Packed.Protector.C    Process name: C\\WINDOWS\system32\svchost.exe.

So I guess not as good as it could be?

evilfantasy

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #27 on: December 18, 2009, 07:50:03 PM »
We need to run an actual antivirus scan.

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

Mermaid123

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #28 on: December 18, 2009, 11:52:44 PM »
Scanned and found nothing. I suppose that's also why I didn't get a log?

evilfantasy

Re: Atapi.sys infected by a Trojan Horse Packed.Protector.C
« Reply #29 on: December 19, 2009, 09:45:12 AM »
This next log will be huge.

Go here and follow the instructions for posting a log from MGtools. http://forums.majorgeeks.com/showthread.php?t=137630