Avast! and atapi.sys problems

So earlier today, I ran into Avast! yelling at me every so often, not very often, about the file "atapi.sys" being a trojan. Naturally, I told it to delete it. Some time went by, maybe an hour or two, and it popped up again. So I delete it again. I then run Spybot S&D, and it deletes around 10 random small issues, no trojans or worms or anything. But nothing about atapi.sys. But I don't really think anything of it at the time. Avast! comes up with it again, and again I delete it. But this is where things start going bad. From then on, Avast! would come up, anywhere from every 5-10 seconds, yelling about how atapi.sys is back, and needs to be deleted.

In hindsight, I probably should have searched about it before doing anything drastic. But this had been going on for about 20 minutes, and I was quite agitated by now. I tried all the options Avast! had. Repair, Chest, Delete. All with the same results, screaming at me a few moments later. So I tell Avast! to run a boot-scan. And then I click "Delete" one last time, and immediately reboot my PC, before the supposed trojan/worm could reinstall itself.

And this is where everything went to HELL. From then on, my PC would BSOD for maybe a third of a second, after showing the Windows logo, while booting up, then begin to reboot. In an infinite loop. Over and over. No matter what boot choice I used.

I thought that some major virus totally just screwed my PC over. So I go over to the laptop and start searching on Google. And after an extensive search, I slowly begin to realise that this file is in fact a legitimate Windows file. And then I found this site.

http://www.malwarebytes.org/forums/index.php?showtopic=30371

So yeah, pretty much what's happening with me, only with Avast!. I'm currently sitting at the desktop of UBCD, in Explorer, trying to find out how to restore atapi.sys, or restore some amount of files that Avast! got rid of, or whatever.

Please, someone help, ASAP. I can't be without my PC for very long, I require it for too many things.

Welcome pogie1987

Please see reply:
http://www.malwarebytes.org/forums/index.php?s=&showtopic=30371&view=findpost&p=159299

Yes, but wouldn't they just know how to restore this system file through methods, if I was using Malwarebytes? I'm using Avast!, not Malwarebytes. Through some of the sources on their forums, since I could find this problem nowhere else, I can at least get my computer to turn on fully, and not just reboot cycle.

How do I get Avast! to undo a deleted file? Like a backlog or something? If no one here knows how, then yes, I will do as that post says.

Hi

Do you have an XP cd?

How do I get Avast! to un-do a deleted file?
That's what "send to chest" is for. Never delete; always send to the chest. You will probably need your Windows CD.

You said earlier “Naturally I hit delete…”
It might seem natural; it is not. Always investigate first, and ask if you can’t find the answer, regarding any detection.
All AV’s and other security programs that are based on blacklists or heuristics (fancy talk for magic guesswork) will occasionally produce a false detection.
I’m not saying this was a false detection, but that when it happens, you better have a backup plan.

Yeah, I have an XP CD. SP2.

And yeah, I've learned a bit from this little incident. And I already tried going into the chest folder in Avast!'s program files, but there's nothing in there.

Someone help please. How do I restore this file???

I cannot be without a computer for much longer, my job is too time-sensitive. I have an SP2 XP CD, I just ran Checkdisk in Recovery Command Console, or whatever it's called. Fixed something, tried starting up computer, still rebooting.

If people don't know how, TELL ME, don't just ignore me. That way, I know to go somewhere else.

Hi

We won’t be able to get the one out of the chest even if it is there. We may be able to locate another copy on your harddrive.

We'll need to use the Recovery Console that is on your CD. This will allow us to gain access to some areas of Windows. We'll look in a common place for a copy.

Your computer must be able to boot from the CD.

Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

  1. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  2. When the “Welcome to Setup” screen appears, press R to start the Recovery Console.
  3. You should now see a list of installations and the prompt “Which Windows Installation would you like to log on to?”
    Select the appropriate number for the Windows installation that you want to repair. If you only have one, press 1.
  4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

You should now have a C:\windows> prompt

-From the recovery console, type the following command:

cd "C:\WINDOWS\ServicePackFiles\i386"

Hit enter

Note there is a space after cd. It needs to be there as do the quote marks.

If it successfully changes to the i386 directory type

dir /p

Hit enter

Note there is a space after dir.

This will give you one page of the directory at a time. Look for the presence of atapi.sys

Let us know if you find it. Also note the size.

Do not do any thing else.

Thanks

Tried this multiple times. This is all that would come up.

C:\WINDOWS\SERVICEPACKFILES\I386>dir /p
The volume in drive C has no label
The volume Serial Number is ####-####

Directory of C:\WINDOWS\SERVICEPACKFILES\I386\p

No matching files were found.

Though "dir /p" didn't work, "dir" did what you wanted. Here's what was listed, character for character, once I found "atapi.sys."

4/13/08 11:40a -----c-- 96512 atapi.sys

Hi pogie1987,

Good job. We'll try to replace the file. Please note this file may also be infected, so don't let avast delete it or send it to the chest.

Ok, go back into the recovery console as you did before.

At the prompt type all the text in the codebox. Do not type the word code. It’s all one line.

copy "C:\WINDOWS\SERVICEPACKFILES\I386\atapi.sys" "c:\windows\system32\drivers\atapi.sys"

Hit enter

note there is a space after copy and a space after I386\atapi.sys"

You should get a message similar to “one file copied”

Once you receive that message, type exit

Remove the Windows Setup floppy or Windows CD-ROM and restart the system normally.

Let us know how you make out and we will continue.

Thanks
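The two posts above locate a spare copy of atapi.sys and copy it over the one in system32\drivers, comparing only the file size by eye. The script below is an added example (mine, not from any post in this thread) that does the comparison properly: it hashes every copy it can find, checks that each one at least looks like a PE image, and reports which copies agree with each other and, optionally, with a copy you know to be clean. The three default paths are the ones named in this thread (the live driver, the Windows File Protection dllcache, and ServicePackFiles\i386); whether a given machine has all of them is an assumption, and so is having Python available on the rescue medium. Run it from an offline boot medium rather than the running system: as the helper notes later in the thread, this malware can present a clean copy to anything that reads the file while it is loaded, so hashes taken on the live system are not trustworthy.

```python
"""Compare candidate copies of a driver file by size and cryptographic hash.

Added example for this thread, not part of any post. Run from an offline
boot medium so a rootkit hooking the disk driver cannot feed the hashes.
"""
import hashlib
import os
from collections import defaultdict

# Locations named in the thread. Assumed defaults; override via `candidates`.
DEFAULT_CANDIDATES = [
    r"C:\WINDOWS\system32\drivers\atapi.sys",       # the copy that actually loads
    r"C:\WINDOWS\system32\dllcache\atapi.sys",      # Windows File Protection cache
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",  # service pack install files
]


def file_digests(path, chunk=1 << 16):
    """Return (size, md5, sha1) for a file, reading it in chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            md5.update(block)
            sha1.update(block)
    return size, md5.hexdigest(), sha1.hexdigest()


def is_pe_image(path):
    """Cheap sanity check: a driver starts with an 'MZ' DOS header and has a
    'PE\\0\\0' signature at the offset stored at e_lfanew (0x3C)."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\x00\x00"


def compare_copies(candidates=DEFAULT_CANDIDATES, expected=None):
    """Hash every candidate that exists and group the paths by SHA-1.

    `expected` is an optional (size, md5, sha1) tuple for a copy known to be
    clean, e.g. one expanded from the install CD. Returns per-file details,
    the hash groups, and a verdict."""
    details = {}
    groups = defaultdict(list)
    for path in candidates:
        if not os.path.isfile(path):
            details[path] = None  # missing, like the dllcache copy in the thread
            continue
        size, md5, sha1 = file_digests(path)
        details[path] = {"size": size, "md5": md5, "sha1": sha1, "pe": is_pe_image(path)}
        groups[sha1].append(path)
    present = [p for p, d in details.items() if d]
    verdict = {
        "all_identical": len(groups) == 1 and len(present) > 1,
        "matches_expected": {
            p: (details[p]["size"], details[p]["md5"], details[p]["sha1"]) == tuple(expected)
            for p in present
        } if expected else {},
    }
    return {"details": details, "groups": dict(groups), "verdict": verdict}


if __name__ == "__main__":
    result = compare_copies()
    for path, d in result["details"].items():
        if d is None:
            print(path, "missing")
        else:
            print(path, f"{d['size']} bytes md5={d['md5']} sha1={d['sha1']} pe={d['pe']}")
    print("all present copies identical:", result["verdict"]["all_identical"])
```

A size match, as used in the thread, is a weak check: a patched driver of the same length hashes differently, which is the whole point of comparing digests. Two copies agreeing with each other only proves they are the same bytes, not that either is clean; a trusted reference (the `expected` tuple) is what settles that.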

Mk, copied the file. Though, strangely, I got the message "Overwrite current 'atapi.sys'?" and hit Yes.

When I rebooted, I chose “Start Windows normally,” and almost instantaneously, upon reaching the Windows logo loadbar screen, got BSOD’d for a split second, and it rebooted.

But then, I chose "Start with last known good config" and it booted up fine. I won't be turning my PC off any time soon again, until I know that this is fixed properly, so I happily await a reply on my MAIN machine now. Thanks for your efforts thus far, and I hope we can find out if this is just an FP, or if something is actually affecting my PC.

And just as a note, I will be running CCleaner in a moment, as well as scanning once again with Spybot S&D. If need be, I also have ComboFix, which I have used in the past.

Hi pogie1987

I also have ComboFix
Do not use this program on this type of infection. This infection has been "improved" to resist combofix and can cause an unbootable computer. As a result the author has pulled combofix until a solution can be found.

Let’s try to see what is going on.

Download OTL to your desktop.

- Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output
- Check the boxes beside LOP Check and Purity Check.
- In the window under Custom Scans/fixes, copy and paste the following text

%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in or attach them.

Here are the logs that you requested. Hope they hold the info you're looking for.

Hi pogie1987,

Some malware showing in your logs. Are you still having problems with avast detecting atapi.sys?

We need some file information

- Make sure to use Internet Explorer for this
- Please go to VirSCAN.org FREE on-line scan service
- Copy and paste the following file path, one at a time if more than one file is listed, into the "Suspicious files to scan" box on the top of the page:

C:\WINDOWS\System32\dllcache\atapi.sys

- Click on the Upload button
- Please ensure the scan is complete and the results saved before submitting the next.
- If a pop-up appears saying the file has been scanned already, please select the ReScan button.
- Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
- Paste the contents of the Clipboard in your next reply.

.
A couple of things to do first. Please disable this program and leave it disabled until we are done.

SPYBOT TEATIMER

- Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
- On the left hand side, click on Tools, then click on the Resident Icon in the list.
- Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
- Click on the "System Startup" icon in the List
- Uncheck the "TeaTimer" box and "OK" any prompts.
- If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
- Exit Spybot S&D when done.
- (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

.
You have a program that may interfere with our tools. I'll have you download and run a little tool that will temporarily disable the program's drivers.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

- The application window will appear
- Click the Disable button to disable your CD Emulation drivers.
- Click Yes to continue
- A 'Finished!' message will appear
- Click OK
- DeFogger will now ask to reboot the machine - click OK

Do not re-enable these drivers until otherwise instructed.

I will give you the instructions to re-enable the drivers later in the fix.

.
NEXT

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Download GMER Rootkit Scanner from here or here.

- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.


- In the right panel, you will see several boxes that have been checked. Uncheck the following...
  - Sections
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:)
  - Show All (don't miss this one)

- Then click the Scan button & wait for it to finish.
- Once done click on the [Save...] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and post it in your next reply.

Caution
Rootkit scans often produce false positives. Do NOT take any action on any "<— ROOTKIT" entries

.
Please post back with
- VirScan results
- GMER log

Thanks

Mmmk, for one, there is no Folder named “DLLCache” in my System32 folder. And that’s not the file that’s having the problems. It’s the file in the “Drivers” folder, in my System32 folder.

And no, Avast! has not told me anything is wrong with this file since I was able to start back up. I will be following these steps with the atapi.sys file in the Drivers folder.

Here’s the VirSCAN.org report.

VirSCAN.org Scanned Report :
Scanned time : 2009/12/18 07:16:20 (CST)
Scanner results: Scanners did not find malware!
File Name : atapi.sys
File Size : 96512 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 : a719156e8ad67456556a02c34e762944234e7a44
Online report : http://virscan.org/report/c1fdf5e7fa3ec2c0f132d04080f20af8.html

Scanner      Engine Ver       Sig Ver            Sig Date    Time  Scan result
a-squared    4.5.0.8          20091218060238     2009-12-18  0.08  -
AhnLab V3    2009.12.17.02    2009.12.17         2009-12-17  0.08  -
AntiVir      8.2.1.114        7.10.2.17          2009-12-17  0.42  -
Antiy        2.0.18           20091217.3494732   2009-12-17  0.12  -
Arcavir      2009             200912171244       2009-12-17  0.17  -
Authentium   5.1.1            200912170426       2009-12-17  1.45  -
AVAST!       4.7.4            091217-0           2009-12-17  0.01  -
AVG          8.5.288          270.14.112/2571    2009-12-18  0.32  -
BitDefender  7.81008.4743254  7.29494            2009-12-18  4.06  -
CA (VET)     35.1.0           7180               2009-12-16  0.08  -
ClamAV       0.95.2           10194              2009-12-17  0.02  -
Comodo       3.13             3277               2009-12-17  0.08  -
CP Secure    1.3.0.5          2009.12.18         2009-12-18  0.07  -
Dr.Web       4.44.0.9170      2009.12.17         2009-12-17  7.76  -
F-Prot       4.4.4.56         20091216           2009-12-16  1.41  -
F-Secure     7.02.73807       2009.12.17.10      2009-12-17  9.38  -
Fortinet     11.280-          11.280             2009-12-16  0.08  -
GData        19.9378/19.629   20091217           2009-12-17  0.08  -
ViRobot      20091217         2009.12.17         2009-12-17  0.08  -
Ikarus       T3.1.01.79       2009.12.17.74787   2009-12-17  4.12  -
JiangMin     13.0.900         2009.12.17         2009-12-17  0.08  -
Kaspersky    5.5.10           2009.12.17         2009-12-17  0.11  -
KingSoft     2009.2.5.15      2009.12.17.22      2009-12-17  0.08  -
McAfee       5.3.00           5835               2009-12-17  3.35  -
Microsoft    1.5302           2009.12.18         2009-12-18  0.08  -
Norman       6.01.09          6.01.00            2009-12-16  2.17  -
Panda        9.05.01          2009.12.17         2009-12-17  0.08  -
Trend Micro  9.000-1003       6.700.09           2009-12-17  0.03  -
Quick Heal   10.00            2009.12.17         2009-12-17  0.08  -
Rising       20.0             22.26.03.04        2009-12-17  0.08  -
Sophos       3.03.0           4.49               2009-12-18  2.68  -
Sunbelt      3.9.2388.2       5567               2009-12-17  0.08  -
Symantec     1.3.0.24         20091217.005       2009-12-17  0.16  -
nProtect     20091217.02      6625284            2009-12-17  0.08  -
The Hacker   6.5.0.2          v00096             2009-12-17  0.08  -
VBA32        3.12.12.0        20091216.2207      2009-12-16  2.22  -
VirusBuster  4.5.11.10        10.117.1/2006893   2009-12-17  2.39  -

There is also no “TeaTimer” box, or any boxes that have anything to do with TeaTimer in their text, in the “System Startup” list in Spybot.

Also, after running GMER, I got a notification bubble from my system tray, saying that a file was corrupt, and I should run CHKDSK. Would running that next time I restarted my PC be a good idea?

Again also, sometime last night, I visited a perfectly secure website, with a Java game (Minecraft is the game) in the internet window. Soon as the level loaded, that my buddy was hosting, Avast! started yelling at me about "atapi.sys." Does that file work with Java in some way, shape or form? Just thought I would put relevant info in this post.

Hi pogie1987,

C:\WINDOWS\system32\dllcache\atapi.sys does exist unless OTL was telling us a fib. If you had used copy and paste as instructed, the file would have been submitted and scanned. I realize which file you are having problems with; I was looking for a clean copy. This malware does have the ability to show a clean copy when it's scanned.

atapi is your disk controller so it’s difficult to say exactly what it’s going to interact with especially if it’s infected or hijacked.

It's very important that you delete the copy of combofix that you have. A new limited release version is available.

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from :

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post the combofix log.

Thanks

Well, I downloaded the ComboFix.exe from the link you provided, but a couple things are strange. A, which I don't believe is all that important, is that it's named "KittyFix.exe," and B, when I try and run it, it says there is a newer version available. Should I update to the newer version, then run the scan, or run the scan with the version you linked me?

Will run the scan once I get a reply, then post the log.

And by the way, no, I don’t have a “DLLCache” folder ->LINK<- (Hidden files and folders are SHOWN, as well as showing system files/folders)

Hi pogie1987,

I’m not going to argue the point but that path is in the OTL log.

kitty.exe is the name the author used for this version of combofix. It has the ability to update now that the problem has been rectified, so go ahead and update it and then run it

Thanks.

Well, I ran ComboFix last night. It ran fine. It restarted my system, and when my Windows finished booting up, continued itself, and said it was making a log, and not to run any other programs. I then noticed Avast! was on, and doing something, and I remembered that ComboFix said not to have anti-virus going when it's working, so I right clicked it, and said "Stop on-access protection." ComboFix kept going, creating its log, for another 2-5 minutes, when my Windows crashed. Saw a flash of a BSOD, and it was rebooting. At this point, I knew this couldn't be good. As it was starting up, it flashed a BSOD again, and rebooted, just like it was doing before, in an infinite boot cycle. Only this time, it was doing it before the Windows logo load screen even appeared. I tried booting it in Safe Mode, and Last Known Working Config. Each got the same results.

Great. Now what do I do?

Thank you for your continued help.