Author Topic: Avast! and atapi.sys problems  (Read 24802 times)


pogie1987

  • Guest
Avast! and atapi.sys problems
« on: December 15, 2009, 10:35:26 AM »
So earlier today, I ran into Avast! yelling at me every so often, not very, about the file "atapi.sys" being a trojan.  Naturally, I told it to delete it.  Some time went by, maybe an hour or two, and it popped up again.  So I delete it again.  I then run Spybot S&D, and it deletes around 10 random small issues, no trojans or worms or anything.  But nothing about atapi.sys.  But I don't really think anything of it at the time.  Avast! comes up with it again, and again I delete it.  But this is where things start going bad.  From then on, Avast! would come up, anywhere from every 5-10 seconds, yelling about how atapi.sys is back, and needs to be deleted.

In hindsight, I probably should have searched about it before doing anything drastic.  But this had been going on for about 20 minutes, and I was quite agitated by now.  I tried all the options Avast! had.  Repair, Chest, Delete.  All with the same results, screaming at me a few moments later.  So I tell Avast! to run a boot-scan.  And then I click "Delete" one last time, and immediately reboot my PC, before the supposed trojan/worm could reinstall itself.

And this is where everything went to HELL.  From then on, my PC would BSOD for maybe, a third of a second, after showing the Windows logo, while booting up, then begin to reboot.  In an infinite loop.  Over and over.  No matter what boot choice I used.

I thought that some major virus totally just screwed my PC over.  So I go over to the laptop and start searching on Google.  And after an extensive search, I slowly begin to realise that this file is in fact a legitimate Windows file.  And then I found this site.

http://www.malwarebytes.org/forums/index.php?showtopic=30371

So yeah, pretty much what's happening with me, only with Avast!.  I'm currently sitting at the desktop of UBCD, in Explorer, trying to find out how to restore atapi.sys, or restoring some amount of files that Avast! got rid of, or w/e.

Please, someone help, ASAP.  I can't be without my PC for very long, I require it for too many things.

YoKenny

  • Guest
Re: Avast! and atapi.sys problems
« Reply #1 on: December 15, 2009, 11:56:30 AM »

pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #2 on: December 15, 2009, 12:04:08 PM »
Yes, but wouldn't they just know how to restore this system file through methods, if I was using Malwarebytes?  I'm using Avast!, not Malwarebytes.  Through some of the sources on their forums, since I could find this problem nowhere else, I can at least get my computer to turn on fully, and not just reboot cycle.

How do I get Avast! to undo a deleted file?  Like a back log or something?  If no one here knows how, then yes, I will do as that post says.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast! and atapi.sys problems
« Reply #3 on: December 15, 2009, 10:24:12 PM »
Hi

Do you have an XP cd?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Avast! and atapi.sys problems
« Reply #4 on: December 15, 2009, 10:45:26 PM »
Quote
How do I get Avast! to undo a deleted file?
That's what "send to chest" is for.
Never delete; always send to the chest.
You will probably need your Windows CD.

You said earlier "Naturally I hit delete.."
It might seem natural; it is not.  Always investigate first, and ask if you can't find the answer, regarding any detection.
All AVs and other security programs that are based on blacklists or heuristics (fancy talk for magic guesswork) will occasionally produce a false detection.
I'm not saying this was a false detection, but that when it happens, you better have a backup plan.
Windows 10, Windows Firewall, Firefox w/Adblock.

pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #5 on: December 16, 2009, 12:13:29 AM »
Yeah, I have an XP CD.  SP2.

And yeah, I've learned a bit from this little incident.  And I already tried going into the chest folder in Avast!'s program files, but there's nothing in there.

pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #6 on: December 16, 2009, 02:38:02 AM »
Someone help please.  How do I restore this file?

I cannot be without a computer for much longer, my job is too time-sensitive.  I have an SP2 XP CD, I just ran Checkdisk in Recovery Command Console, or w/e it's called.  Fixed something, tried starting up computer, still rebooting.

If people don't know how, TELL ME, don't just ignore me.  That way, I know to go somewhere else.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast! and atapi.sys problems
« Reply #7 on: December 16, 2009, 03:08:44 AM »
Hi

We won't be able to get the one out of the chest even if it is there.  We may be able to locate another copy on your harddrive.

We'll need to use the Recovery Console that is on your CD. This will allow us to gain access to some areas of Windows. We'll look in a common place for a copy.

Your computer must be able to boot from the CD.

Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

1. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. You should now see a list of installations and the prompt "Which Windows Installation would you like to log on to?"
Select the appropriate number for the Windows installation that you want to repair. If you only have one, press 1.
4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

You should now have a C:\windows> prompt

From the Recovery Console, type the following command:

cd "C:\WINDOWS\ServicePackFiles\i386"

Hit enter

Note there is a space after cd. It needs to be there as do the quote marks.

If it successfully changes to the i386 directory type

dir /p

Hit enter

Note there is a space after dir.

This will give you one page of the directory at a time. Look for the presence of atapi.sys

Let us know if you find it. Also note the size.

Do not do anything else.

Thanks


pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #8 on: December 16, 2009, 04:15:42 AM »
Tried this multiple times.  This is all that would come up.

C:\WINDOWS\SERVICEPACKFILES\I386>dir /p
    The volume in drive C has no label
    The volume Serial Number is ####-####

    Directory of C:\WINDOWS\SERVICEPACKFILES\I386\p

No matching files were found.

pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #9 on: December 16, 2009, 06:04:05 AM »
Though "dir /p" didn't work, "dir" did what you wanted.  Here's what was listed, character for character, once I found "atapi.sys."

4/13/08    11:40a    -----c--    96512    atapi.sys

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast! and atapi.sys problems
« Reply #10 on: December 16, 2009, 06:47:25 AM »
Hi pogie1987,

Good job. We'll try to replace the file. Please note this file may also be infected so don't let avast delete it or send it to the chest.

Ok, go back into the recovery console as you did before.

At the prompt type all the text in the codebox. Do not type the word code. It's all one line.

Code:
copy "C:\WINDOWS\SERVICEPACKFILES\I386\atapi.sys" "c:\windows\system32\drivers\atapi.sys"
Hit enter

Note there is a space after copy and a space after I386\atapi.sys"

You should get a message similar to "one file copied"

Once you receive that message type exit

Remove the Windows Setup floppy or Windows CD-ROM and restart the system normally.

Let us know how you make out and we will continue.

Thanks

pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #11 on: December 16, 2009, 07:18:42 AM »
Mk, copied the file.  Though, strangely, I got the message "Overwrite current 'atapi.sys'?" and hit Yes.

When I rebooted, I chose "Start Windows normally," and almost instantaneously, upon reaching the Windows logo loadbar screen, got BSOD'd for a split second, and it rebooted.

But then, I chose "Start with last known good config" and it booted up fine.  I won't be turning my PC off any time soon again, until I know that this is fixed properly, so I happily await a reply on my MAIN machine now.  Thanks for your efforts thus far, and I hope we can find out if this is just an FP, or if something is actually affecting my PC.

And just as a note, I will be running CCleaner in a moment, as well as scanning once again with Spybot S&D.  If need be, I also have ComboFix, which I have used in the past.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast! and atapi.sys problems
« Reply #12 on: December 16, 2009, 05:04:17 PM »
Hi pogie1987

Quote
I also have ComboFix
Do not use this program on this type of infection. This infection has been "improved" to resist ComboFix and can cause an unbootable computer. As a result the author has pulled ComboFix until a solution can be found.


Let's try to see what is going on.


Download OTL to your desktop.
  • Double click on OTL.exe  to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/fixes, copy and paste the following bold text
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s



  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in or attach them.
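Reply #12 asks OTL for MD5s of atapi.sys and the other storage drivers because a patched driver keeps its name and size but not its hash, and Reply #14 has the dllcache copy uploaded for the same reason. The script below is an added example, not code from the thread, OTL or Avast: it hashes the copies of a driver that XP keeps in system32\drivers, system32\dllcache and ServicePackFiles\i386 and reports whether they agree; the Windows folder it scans is a constructed temporary directory with sample bytes, so it runs offline on any platform.

```python
"""Compare copies of a Windows driver across the folders XP keeps them in
and report whether they agree. Constructed example: the folder layout is
built under a temp directory with sample bytes so it runs offline."""
import hashlib
import os
import tempfile

# Where XP keeps copies of a driver, relative to the Windows folder (the
# thread restores atapi.sys from ServicePackFiles\i386).
CANDIDATE_DIRS = (
    os.path.join("system32", "drivers"),
    os.path.join("system32", "dllcache"),
    os.path.join("ServicePackFiles", "i386"),
)


def md5_of(path):
    """MD5 of a file, read in chunks (the value OTL's /md5start reports)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_driver_copies(windir, name):
    """Return ({relative_dir: (size, md5)}, verdict). Verdict is 'missing'
    when no copy exists (the boot-loop case), 'consistent' when every copy
    hashes the same, 'mismatch' when one differs (a patched driver)."""
    copies = {}
    for rel in CANDIDATE_DIRS:
        path = os.path.join(windir, rel, name)
        if os.path.isfile(path):
            copies[rel] = (os.path.getsize(path), md5_of(path))
    if not copies:
        return copies, "missing"
    hashes = {h for _, h in copies.values()}
    return copies, "consistent" if len(hashes) == 1 else "mismatch"


def build_sample_tree(tamper_live_copy):
    """Constructed fake Windows folder: three identical copies of atapi.sys,
    or, if tamper_live_copy, a live copy patched to the same size."""
    windir = tempfile.mkdtemp(prefix="fakewin_")
    clean = b"MZ" + b"\x00" * 98 + b"clean driver body"  # constructed bytes
    for rel in CANDIDATE_DIRS:
        os.makedirs(os.path.join(windir, rel))
        data = clean
        if tamper_live_copy and rel.endswith("drivers"):
            data = clean[:-4] + b"XXXX"  # same size, different content
        with open(os.path.join(windir, rel, "atapi.sys"), "wb") as fh:
            fh.write(data)
    return windir
```

A size match alone (the 96512 bytes noted in Reply #9) does not prove the copies are the same; the hash comparison is what exposes an in-place patch.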




pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #13 on: December 16, 2009, 10:00:53 PM »
Here's the logs that you requested.  Hope they hold the info you're looking for.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast! and atapi.sys problems
« Reply #14 on: December 16, 2009, 11:21:21 PM »
Hi pogie1987,

Some malware showing in your logs. Are you still having problems with avast detecting atapi.sys?

We need some file information
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path, one at a time if more than one file is listed, into the "Suspicious files to scan" box on the top of the page:

    C:\WINDOWS\System32\dllcache\atapi.sys

  • Click on the Upload button
  • Please ensure the scan is complete and the results saved before submitting the next.
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

A couple of things to do first. Please disable this program and leave it disabled until we are done.

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

You have a program that may interfere with our tools. I'll have you download and run a little tool that will temporarily disable the program's drivers.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Do not re-enable these drivers until otherwise instructed.

I will give you the instructions to re-enable the drivers later in the fix.


NEXT

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.



Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

    • Save it where you can easily find it, such as your desktop, and post it in your next reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



    Please post back with
    • VirScan results
    • GMER log

    Thanks