Author Topic: Avast! and atapi.sys problems  (Read 24801 times)


pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #15 on: December 19, 2009, 03:52:34 AM »
Mmmk, for one, there is no Folder named "DLLCache" in my System32 folder.  And that's not the file that's having the problems.  It's the file in the "Drivers" folder, in my System32 folder.

And no, Avast! has not told me anything is wrong with this file since I was able to start back up.  I will be following these steps with the atapi.sys file in the Drivers folder.

Here's the VirSCAN.org report.

VirSCAN.org Scanned Report :
Scanned time   : 2009/12/18 07:16:20 (CST)
Scanner results: Scanners did not find malware!
File Name      : atapi.sys
File Size      : 96512 byte
File Type      : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5            : 9f3a2f5aa6875c72bf062c712cfa2674
SHA1           : a719156e8ad67456556a02c34e762944234e7a44
Online report  : http://virscan.org/report/c1fdf5e7fa3ec2c0f132d04080f20af8.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.8         20091218060238    2009-12-18  0.08   -
AhnLab V3      2009.12.17.02   2009.12.17        2009-12-17  0.08   -
AntiVir        8.2.1.114       7.10.2.17         2009-12-17  0.42   -
Antiy          2.0.18          20091217.3494732  2009-12-17  0.12   -
Arcavir        2009            200912171244      2009-12-17  0.17   -
Authentium     5.1.1           200912170426      2009-12-17  1.45   -
AVAST!         4.7.4           091217-0          2009-12-17  0.01   -
AVG            8.5.288         270.14.112/2571   2009-12-18  0.32   -
BitDefender    7.81008.4743254 7.29494           2009-12-18  4.06   -
CA (VET)       35.1.0          7180              2009-12-16  0.08   -
ClamAV         0.95.2          10194             2009-12-17  0.02   -
Comodo         3.13            3277              2009-12-17  0.08   -
CP Secure      1.3.0.5         2009.12.18        2009-12-18  0.07   -
Dr.Web         4.44.0.9170     2009.12.17        2009-12-17  7.76   -
F-Prot         4.4.4.56        20091216          2009-12-16  1.41   -
F-Secure       7.02.73807      2009.12.17.10     2009-12-17  9.38   -
Fortinet       11.280-         11.280            2009-12-16  0.08   -
GData          19.9378/19.629  20091217          2009-12-17  0.08   -
ViRobot        20091217        2009.12.17        2009-12-17  0.08   -
Ikarus         T3.1.01.79      2009.12.17.74787  2009-12-17  4.12   -
JiangMin       13.0.900        2009.12.17        2009-12-17  0.08   -
Kaspersky      5.5.10          2009.12.17        2009-12-17  0.11   -
KingSoft       2009.2.5.15     2009.12.17.22     2009-12-17  0.08   -
McAfee         5.3.00          5835              2009-12-17  3.35   -
Microsoft      1.5302          2009.12.18        2009-12-18  0.08   -
Norman         6.01.09         6.01.00           2009-12-16  2.17   -
Panda          9.05.01         2009.12.17        2009-12-17  0.08   -
Trend Micro    9.000-1003      6.700.09          2009-12-17  0.03   -
Quick Heal     10.00           2009.12.17        2009-12-17  0.08   -
Rising         20.0            22.26.03.04       2009-12-17  0.08   -
Sophos         3.03.0          4.49              2009-12-18  2.68   -
Sunbelt        3.9.2388.2      5567              2009-12-17  0.08   -
Symantec       1.3.0.24        20091217.005      2009-12-17  0.16   -
nProtect       20091217.02     6625284           2009-12-17  0.08   -
The Hacker     6.5.0.2         v00096            2009-12-17  0.08   -
VBA32          3.12.12.0       20091216.2207     2009-12-16  2.22   -
VirusBuster    4.5.11.10       10.117.1/2006893  2009-12-17  2.39   -



There is also no "TeaTimer" box, or any boxes that have anything to do with TeaTimer in their text, in the "System Startup" list in Spybot.

Also, after running GMER, I got a notification bubble from my system tray, saying that a file was corrupt, and I should run CHKDSK.  Would running that next time I restarted my PC be a good idea?

Again also, sometime last night, I visited a perfectly secure website, with a Java game (Minecraft is the game) in the internet window.  As soon as the level loaded, that my buddy was hosting, Avast! started yelling at me about "atapi.sys."  Does that file work with Java in some way, shape or form?  Just thought I would put relevant info in this post.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast! and atapi.sys problems
« Reply #16 on: December 19, 2009, 05:59:14 PM »
Hi pogie1987,

C:\WINDOWS\system32\dllcache\atapi.sys does exist unless OTL was telling us a fib. If you had used copy and paste as instructed, the file would have been submitted and scanned. I realize which file you are having problems with; I was looking for a clean copy. This malware does have the ability to show a clean copy when it's scanned.

atapi is your disk controller so it's difficult to say exactly what it's going to interact with especially if it's infected or hijacked.

It's very important that you delete the copy of combofix that you have. A new limited release version is available.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from :

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post the combofix log.

Thanks

pogie1987

Re: Avast! and atapi.sys problems
« Reply #17 on: December 20, 2009, 12:53:16 PM »
Well, I downloaded the ComboFix.exe from the link you provided, but a couple things are strange.  A, which I don't believe is all that important, is that it's named "KittyFix.exe," and B, when I try and run it, it says there is a newer version available.  Should I update to the newer version, then run the scan, or run the scan with the version you linked me?

Will run the scan once I get a reply, then post the log.

And by the way, no, I *don't* have a "DLLCache" folder ->LINK<- (Hidden files and folders are SHOWN, as well as showing system files/folders)
« Last Edit: December 20, 2009, 01:02:12 PM by pogie1987 »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast! and atapi.sys problems
« Reply #18 on: December 20, 2009, 08:06:24 PM »
Hi pogie1987,

I'm not going to argue the point, but that path is in the OTL log.

kitty.exe is the name the author used for this version of combofix. It has the ability to update now that the problem has been rectified, so go ahead and update it and then run it.

Thanks.


pogie1987

Re: Avast! and atapi.sys problems
« Reply #19 on: December 21, 2009, 08:26:59 PM »
Well, I ran ComboFix last night.  It ran fine.  It restarted my system, and when my Windows finished booting up, continued itself, and said it was making a log, and not to run any other programs.  I then noticed Avast! was on, and doing something, and I remembered that ComboFix said not to have anti-virus going when it's working, so I right clicked it, and said "Stop on-access protection."  ComboFix kept going, creating its log, for another 2-5 minutes, when my Windows crashed.  Saw a flash of a BSOD, and it was rebooting.  At this point, I knew this couldn't be good.  As it was starting up, it flashed a BSOD again, and rebooted, just like it was doing before, in an infinite boot cycle.  Only this time, it was doing it before the Windows logo load screen even appeared.  I tried booting it in Safe Mode, and Last Known Working Config.  Each got the same results.

Great.  Now what do I do?

Thank you for your continued help.

Offline oldman

Re: Avast! and atapi.sys problems
« Reply #20 on: December 22, 2009, 12:46:20 AM »
Hi pogie1987,

This one is being stubborn.

If Recovery Console is already installed:

You'll be able to tell if it is installed as there will be a brief screen with the option listed below.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs


6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

If you are able to now get into windows, please look for the combofix log at C:\combofix.txt
« Last Edit: December 22, 2009, 12:56:37 AM by oldman »

pogie1987

Re: Avast! and atapi.sys problems
« Reply #21 on: December 22, 2009, 03:36:05 AM »
On a side-note, I tried to run Recovery Console normally, only whenever I tried, all I would get is the message:

NTLDR is compressed.
Press CTRL+ALT+DEL to restart.


I had to use my Windows CD to run the Recovery Console successfully.  I guess it's just another problem that I need to somehow fix with my poor desktop.

I followed your instructions, and it copied about 10 files, I didn't count, just a guess.  I restarted using exit, and tried to run windows, but once again, it's restarting before the logo load screen.  Tried booting Normally, in Safe Mode, and Last Known Good Config, all the same results.

If it's worth anything, I had a thumbdrive.  Is there a way to move/copy the log you need using the Recovery Console?
« Last Edit: December 22, 2009, 03:39:45 AM by pogie1987 »

Offline oldman

Re: Avast! and atapi.sys problems
« Reply #22 on: December 22, 2009, 05:30:05 AM »
Hi pogie1987,

Try replacing atapi.sys but this time we'll rename the copy that is there first.

Back in the Recovery Console at the prompt, type the following 2 lines in the code box, hitting enter after each.

Note: in the first line there is a space after ren and a space after atapi.sys
the cursor should just move down with a new prompt.

in the second line there is a space after copy and a space after I386\atapi.sys"

You should get a message similar to "one file copied"

When finished type exit, hit enter.



Code:
ren c:\windows\system32\drivers\atapi.sys atapi.old
copy "C:\WINDOWS\SERVICEPACKFILES\I386\atapi.sys" "c:\windows\system32\drivers\atapi.sys"



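
The check oldman is doing by hand here, and the VirSCAN report pogie1987 posted earlier in the thread (size 96512 bytes, MD5 9f3a2f5aa6875c72bf062c712cfa2674, SHA1 a719156e8ad67456556a02c34e762944234e7a44), can be done with a short script. The Python below is an added example written for this page; it is not from the thread, from Avast, or from any of the tools mentioned. It hashes the three copies of atapi.sys the thread talks about (the paths are assumptions based on a default XP install), compares each against the report values, and reports whether the copies agree with each other. As oldman points out, an active rootkit can hand a clean copy to anything that reads the file on the running system, so the hashes only mean something when the disk is read from the Recovery Console, a boot CD, or another machine; and a legitimate atapi.sys also differs between service pack levels, so a mismatch against the report alone is not proof of infection. The useful signal is the drivers copy differing from the dllcache and ServicePackFiles copies.

```python
import hashlib
import sys

# Reference values for atapi.sys exactly as given in the VirSCAN.org report in this thread.
REPORT_SIZE = 96512
REPORT_MD5 = "9f3a2f5aa6875c72bf062c712cfa2674"
REPORT_SHA1 = "a719156e8ad67456556a02c34e762944234e7a44"

# The three locations the thread looks for a copy of the driver.
# Assumption: default Windows XP layout; the dllcache and ServicePackFiles copies
# may or may not be present on a given install.
CANDIDATE_PATHS = [
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\dllcache\atapi.sys",
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
]


def hash_bytes(data):
    """Return (size, md5_hex, sha1_hex) for an in-memory byte string."""
    return (len(data),
            hashlib.md5(data).hexdigest(),
            hashlib.sha1(data).hexdigest())


def hash_file(path, chunk_size=1 << 16):
    """Return (size, md5_hex, sha1_hex) for a file, streaming it in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def matches_report(hashes, size=REPORT_SIZE, md5=REPORT_MD5, sha1=REPORT_SHA1):
    """True only when size, MD5 and SHA1 all agree with the reference values.
    Requiring both digests means a collision against one of them is not enough."""
    got_size, got_md5, got_sha1 = hashes
    return got_size == size and got_md5 == md5.lower() and got_sha1 == sha1.lower()


def all_identical(hash_list):
    """True when every (size, md5, sha1) tuple in the list is the same."""
    return len(set(hash_list)) <= 1


def compare_copies(paths):
    """Hash each path that exists; missing or unreadable files map to None."""
    results = {}
    for path in paths:
        try:
            results[path] = hash_file(path)
        except OSError:
            results[path] = None
    return results


def main(paths):
    results = compare_copies(paths)
    for path, hashes in results.items():
        if hashes is None:
            print(f"{path}: not present or not readable")
            continue
        size, md5, sha1 = hashes
        verdict = "matches report" if matches_report(hashes) else "differs from report"
        print(f"{path}: size={size} md5={md5} sha1={sha1} -> {verdict}")
    present = [h for h in results.values() if h is not None]
    if len(present) > 1 and not all_identical(present):
        print("WARNING: the copies that were found do not all match each other.")
    return results


if __name__ == "__main__":
    # With no arguments, check the three default paths; otherwise hash the paths given.
    main(sys.argv[1:] or CANDIDATE_PATHS)
```

Run it with no arguments on a mounted copy of the infected disk, or pass explicit paths (for example the renamed atapi.old next to the freshly copied atapi.sys) to see whether the two differ.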
pogie1987

Re: Avast! and atapi.sys problems
« Reply #23 on: December 22, 2009, 06:05:56 AM »
Done.  And I'm now on my desktop.

The ComboFix log isn't in C:\, though I did find one that I'm PRETTY sure is the log you're looking for, due to the fact that I recognize some of the deletions.  Was in C:\KittyFix.

Also, this is a little weird, but, upon starting up, a notification bubble popped up in my system tray, telling me some Avast! things are turned off, Automatic updates are turned off, and something else was off, I don't quite recall.  Also, a CMD window opened randomly, as well.  I don't know what to do with it, so it's sitting open right now.  "C:\WINDOWS\TEMP\win16.exe" is the CMD window's title.


EDIT:
Ah, never mind.  I remembered that CF resets the Security Center alerts back to default.
« Last Edit: December 22, 2009, 06:07:53 AM by pogie1987 »

Offline oldman

Re: Avast! and atapi.sys problems
« Reply #24 on: December 22, 2009, 07:29:57 AM »
Hi pogie1987,

Good. Did the file rename go ok? Is avast still complaining?

Unfortunately combofix was interrupted before it could finish the log, but a couple of things were removed. I'm a little leery about using combofix at the moment to fix anything.

Close the command window with the X

We'll use OTL with these settings

  • Double click on OTL.exe  to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • UNCheck the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.Txt.

Next

In Windows Explorer, navigate to this folder C:\Qoobox

Please post the contents of ComboFix-quarantined-files.txt along with the OTL log.

Thanks


pogie1987

Re: Avast! and atapi.sys problems
« Reply #25 on: December 22, 2009, 07:46:05 AM »
Yeah, the file rename went okay.  Avast! hasn't said anything about anything yet.  Let me go to the Java browser game page that activated the alert last time.

Nope, nothing.  Avast! hasn't said anything to me yet.

Um, in the Qoobox folder, I don't see any .txt file other than one labeled ComboFix2.  There are a couple folders (BackEnv, LastRun, Quarentine, Test, and TestC) as well.  And a .DAT file, titled "SnapShot@2009-10-06_07.02.09".  In the Quarentine folder, there's a .txt called "catchme."

Offline oldman

Re: Avast! and atapi.sys problems
« Reply #26 on: December 22, 2009, 08:32:44 AM »
Hi pogie1987,

Looks like combofix didn't have a chance to create the file.

We'll leave the renamed file for now. It won't run.

Are you using any Symantec (Norton) products? I see several references to it in the logs.

You have some old vulnerable java installed. Go to Add/Remove programs and uninstall

Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7


Do not uninstall Java(TM) 6 Update 17

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code:
:OTL
O4 - HKLM..\Run: [combofix] C:\KittyFix\CF14473.cfx File not found
O20 - Winlogon\Notify\winjqa32: DllName - winjqa32.dll - C:\WINDOWS\System32\winjqa32.dll ()
[2009/12/12 11:12:48 | 00,037,888 | ---- | M] () -- C:\WINDOWS\System32\winmty32.dll

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
  • Reboot your computer
Please post the OTL fix log.
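
The three fix lines above are a small sample of what an OTL log looks like, and the reasons oldman picked them are visible in the lines themselves: a Run key whose target is "File not found", a Winlogon\Notify DLL, and a System32 DLL with empty parentheses where the file's company name would be. The Python below is an added example for this page, not code from the thread or from OTL; its regular expressions are written against the line shapes shown in this post only (an assumption: OTL has other line types, which this parser reports as "unknown"). The sample text embeds the three fix lines plus one constructed benign-looking line, with a placeholder vendor and path, so the output shows which entries get flagged and why.

```python
import re

# Constructed sample: the three fix lines from this post, plus one constructed
# benign-looking Run entry (placeholder path and vendor) that should not be flagged.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [combofix] C:\KittyFix\CF14473.cfx File not found
O20 - Winlogon\Notify\winjqa32: DllName - winjqa32.dll - C:\WINDOWS\System32\winjqa32.dll ()
[2009/12/12 11:12:48 | 00,037,888 | ---- | M] () -- C:\WINDOWS\System32\winmty32.dll
O4 - HKLM..\Run: [ExampleTool] C:\Program Files\Example\example.exe (Example Vendor)
""".strip()

# Patterns matched against the line shapes seen in this thread (assumption:
# other OTL line types are not handled and come back as type "unknown").
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon\\Notify\\(?P<key>[^:]+): DllName - (?P<dll>\S+) - "
    r"(?P<path>.*?) \((?P<company>[^)]*)\)$")
FILE_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?) \| (?P<size>[^|]+?) \| (?P<attrs>[^|]+?) \| (?P<kind>[^\]]+?)\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.*)$")
PATH_COMPANY_RE = re.compile(r"^(?P<path>.*?) \((?P<company>[^)]*)\)$")
MISSING = "File not found"


def parse_line(line):
    """Turn one OTL line into a dict: type, path, company, and triage reasons."""
    entry = {"type": "unknown", "path": None, "company": None, "reasons": [], "raw": line}
    m = RUN_RE.match(line)
    if m:
        entry["type"] = "run_key"
        entry["name"] = m.group("name")
        rest = m.group("rest")
        if rest.endswith(MISSING):
            # An autostart entry pointing at a file that no longer exists is a leftover worth removing.
            entry["path"] = rest[: -len(MISSING)].strip()
            entry["reasons"].append("missing_target")
        else:
            pm = PATH_COMPANY_RE.match(rest)
            if pm:
                entry["path"], entry["company"] = pm.group("path"), pm.group("company")
            else:
                entry["path"] = rest
    elif (m := NOTIFY_RE.match(line)):
        # Winlogon Notify packages are DLLs loaded by winlogon.exe at logon, a classic
        # persistence point on XP, so every entry here deserves a look.
        entry["type"] = "winlogon_notify"
        entry["key"], entry["dll"] = m.group("key"), m.group("dll")
        entry["path"], entry["company"] = m.group("path"), m.group("company")
        entry["reasons"].append("winlogon_notify")
    elif (m := FILE_RE.match(line)):
        entry["type"] = "file"
        entry["path"], entry["company"] = m.group("path"), m.group("company")
        entry["mtime"] = m.group("mtime").strip()
        entry["size"] = int(m.group("size").replace(",", ""))
    if entry["company"] == "":
        # Empty parentheses: the file carries no company name in its version info.
        entry["reasons"].append("no_company")
    return entry


def parse_otl(text):
    """Parse every non-empty line of an OTL log or fix script."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flagged(text):
    """Return (path, reasons) for each entry that has at least one triage reason."""
    return [(e["path"], e["reasons"]) for e in parse_otl(text) if e["reasons"]]


if __name__ == "__main__":
    for path, reasons in flagged(SAMPLE_OTL):
        print(f"{path}: {', '.join(reasons)}")
```

Feeding the full OTL.Txt to `flagged()` narrows a long log down to the entries that share the traits of the three lines oldman chose; it does not decide what is malicious, which still takes a look at each file.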

pogie1987

Re: Avast! and atapi.sys problems
« Reply #27 on: December 22, 2009, 09:04:34 AM »
Mmmk, here's the fix log.  I renamed it.  And no, I don't use any Symantec stuff.  That I know of, at least.

Offline oldman

Re: Avast! and atapi.sys problems
« Reply #28 on: December 22, 2009, 05:56:56 PM »
Hi pogie1987,

Some remnants of Norton (Symantec) showed in both combofix and OTL logs.

Download the Norton Removal Tool from HERE and save it to your desktop.

Next, double click on Norton_Removal_Tool.exe to run the tool.

Follow the on-screen instructions.
Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

Next

*Note*
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Change the Files of type to Text file (.txt)
  • Set the Save In to Desktop
  • click the Save button.
  • Please post this log in your next reply.

Please post back with the Kaspersky log and a new OTL log.

Thanks


pogie1987

  • Guest
Re: Avast! and atapi.sys problems
« Reply #29 on: December 24, 2009, 10:19:35 PM »
Sorry it took me so long, but here are the logs.