Avast! and atapi.sys problems

Hi pogie1987,

This one is being stubborn.

If Recovery Console is already installed:

You will be able to tell if it is installed, as there will be a brief screen with the option listed below.

  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

     cd erdnt\subs

  6. At the next prompt, type the following bolded text, and press Enter:

     batch erdnt.con

  7. The erunt backups will begin copying.
  8. At the next prompt, type the following bolded text, and press Enter:

     exit

Windows will now begin loading.

If you are able to now get into windows, please look for the combofix log at C:\combofix.txt

On a side-note, I tried to run Recovery Console normally, only whenever I tried, all I would get is the message:

NTLDR is compressed.
Press CTRL+ALT+DEL to restart.

I had to use my Windows CD to run the Recovery Console successfully. I guess it's just another problem that I need to somehow fix with my poor desktop.

I followed your instructions, and it copied about 10 files, I didn't count, just a guess. I restarted using exit, and tried to run windows, but once again, it's restarting before the logo load screen. Tried booting Normally, in Safe Mode, and Last Known Good Config, all the same results.

If it’s worth anything, I had a thumbdrive. Is there a way to move/copy the log you need using the Recovery Console?

Hi pogie1987,

Try replacing atapi.sys but this time we’ll rename the copy that is there first.

Back in the Recovery Console at the prompt, type the following 2 lines in the code box, hitting enter after each.

ren c:\windows\system32\drivers\atapi.sys atapi.old
copy "C:\WINDOWS\SERVICEPACKFILES\I386\atapi.sys" "c:\windows\system32\drivers\atapi.sys"

Note: in the first line there is a space after ren and a space after atapi.sys
The cursor should just move down with a new prompt.

In the second line there is a space after copy and a space after I386\atapi.sys"

You should get a message similar to "one file copied"

When finished type exit, hit enter.
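A check worth running before and after a driver swap like the one above, as an added Python example that is not part of the thread and not one of the helper's tools: hash the live atapi.sys against the known-good copies Windows XP keeps (the ServicePackFiles\I386 copy used in the post, and the system32\dllcache copy kept by Windows File Protection), and confirm the renamed atapi.old is where `ren` leaves it, next to the live driver in system32\drivers. The reference paths are the standard XP ones, but whether both exist on a given machine is an assumption; the "fake Windows tree" the demo builds is constructed data so the script runs offline on any OS.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Standard Windows XP locations of a clean copy of a system driver, relative to
# the Windows directory. Which of them exists on a given box is an assumption;
# the check simply uses whichever ones are present.
REFERENCE_DIRS = (
    Path("ServicePackFiles") / "I386",
    Path("system32") / "dllcache",
)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so a multi-megabyte driver is not read in one go."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(windows_dir: Path, name: str = "atapi.sys") -> dict:
    """Compare the live driver in system32\\drivers with every reference copy.

    Returns the live file's hash, "match"/"mismatch" per reference copy that
    exists, and the path of a renamed <stem>.old if one sits beside the live
    driver (ren keeps the renamed file in the same directory).
    """
    live = windows_dir / "system32" / "drivers" / name
    result = {
        "live": live,
        "live_sha256": sha256_file(live) if live.exists() else None,
        "references": {},
        "renamed_copy": None,
    }
    for rel in REFERENCE_DIRS:
        ref = windows_dir / rel / name
        if ref.exists():
            verdict = "match" if sha256_file(ref) == result["live_sha256"] else "mismatch"
            result["references"][rel.as_posix()] = verdict
    old = live.with_suffix(".old")  # atapi.sys -> atapi.old
    if old.exists():
        result["renamed_copy"] = old
    return result


def restore_driver(windows_dir: Path, name: str = "atapi.sys") -> Path:
    """The two Recovery Console lines from the post, with one safety check:
    refuse to touch the live driver if there is no reference copy, so the
    machine is never left with no driver at all."""
    live = windows_dir / "system32" / "drivers" / name
    ref = windows_dir / "ServicePackFiles" / "I386" / name
    if not ref.exists():
        raise FileNotFoundError(f"no known-good copy of {name} at {ref}")
    old = live.with_suffix(".old")
    if live.exists():
        live.replace(old)  # ren c:\windows\system32\drivers\atapi.sys atapi.old
    shutil.copy2(ref, live)  # copy "...\I386\atapi.sys" "...\drivers\atapi.sys"
    return old


def demo() -> tuple:
    """Build a throwaway fake Windows tree (constructed data, not a real box),
    plant a modified atapi.sys, and run the check before and after restoring."""
    root = Path(tempfile.mkdtemp(prefix="fakewin_"))
    drivers = root / "system32" / "drivers"
    ref_dir = root / "ServicePackFiles" / "I386"
    drivers.mkdir(parents=True)
    ref_dir.mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 60 + b"clean atapi driver body (constructed)"
    (ref_dir / "atapi.sys").write_bytes(clean)
    # Same byte length as the clean file: a size or timestamp comparison would
    # miss this, the hash does not.
    (drivers / "atapi.sys").write_bytes(clean[:-8] + b"PATCHED!")
    before = check_driver(root)
    restore_driver(root)
    after = check_driver(root)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before["references"], "renamed copy:", before["renamed_copy"])
    print("after: ", after["references"], "renamed copy:", after["renamed_copy"])
```

Two caveats a practitioner should keep in mind: a hash comparison only tells you the live file differs from the reference, not which of the two is clean (a rootkit that also rewrites dllcache defeats it, so checking the ServicePackFiles copy against the hash on the service pack media is the stronger move), and the renamed atapi.old is harmless only because nothing loads a driver by that name; it is still the suspect binary and should be deleted or submitted for analysis once the machine is stable.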

Done. And I’m now on my desktop.

The ComboFix log isn't in C:, though I did find one that I'm PRETTY sure is the log you're looking for, due to the fact that I recognize some of the deletions. Was in C:\KittyFix.

Also, this is a little weird, but, upon starting up, a notification bubble popped up in my system tray, telling me some Avast! things are turned off, Automatic updates are turned off, and something else was off, I don't quite recall. Also, a CMD window opened randomly, as well. I don't know what to do with it, so it's sitting open right now. "C:\WINDOWS\TEMP\win16.exe" is the CMD window's title.

EDIT:
Ah, nevermind. I remembered, that CF resets the Security Center alerts back to default.

Hi pogie1987,

Good. Did the file rename go ok? Is avast still complaining?

Unfortunately combofix was interrupted before it could finish the log but a couple of things were removed. I'm a little leery about using combofix at the moment to fix anything.

Close the command window with the X

We’ll use OTL with these settings

  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • UNCheck the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window. OTL.Txt

Next

In Windows Explorer, navigate to this folder C:\Qoobox

Please post the contents of ComboFix-quarantined-files.txt along with the OTL log.

Thanks

Yeah, the file rename went okay. Avast! hasnt said anything about anything yet. Let me go to the Java browser game page that activated the alert last time.

Nope, nothing. Avast! hasnt said anything to me yet.

Um, in the Qoobox folder, I don't see any .txt file other than one labeled ComboFix2. There are a couple folders (BackEnv, LastRun, Quarantine, Test, and TestC) as well. And a .DAT file, titled "SnapShot@2009-10-06_07.02.09". In the Quarantine folder, there's a .txt called "catchme."

Hi pogie1987,

Looks like combofix didn’t have a chance to create the file.

We'll leave the renamed file for now. It won't run.

Are you using any Symantec (Norton) products as I see several references to it in the logs.

You have some old vulnerable java installed. Go to Add/Remove programs and uninstall

Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7

Do not uninstall Java™ 6 Update 17

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • Please note the fix starts with the :

:OTL
O4 - HKLM..\Run: [combofix] C:\KittyFix\CF14473.cfx File not found
O20 - Winlogon\Notify\winjqa32: DllName - winjqa32.dll - C:\WINDOWS\System32\winjqa32.dll ()
[2009/12/12 11:12:48 | 00,037,888 | ---- | M] () -- C:\WINDOWS\System32\winmty32.dll

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top

  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
  • Reboot your computer
Please post the OTL fix log.

Mmmk, here's the fix log. I renamed it. And no, I don't use any Symantec stuff. That I know of, at least.

Hi pogie1987,

Some remnants of Norton (Symantec) showed in both combofix and OTL logs.

Download the Norton Removal Tool from HERE and save it to your desktop.

Next Double click on Norton_Removal_Tool.exe to run the tool.

Follow the on-screen instructions.
Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

Next

Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As
  • Change the Files of type to Text file (.txt)
  • Set the Save In to Desktop
  • Click the Save button.
  • Please post this log in your next reply.

Please post back with the Kaspersky log and a new OTL log.

Thanks

Sorry it took me so long, but here are the logs.

Hi pogie1987,

Looks good. A little tidying up to do and remove the tools.

uTorrent
You have uTorrent, a P2P/file sharing program, installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself that is the problem, but what can be downloaded with it, usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun…protection.mspx

http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005…cles/art053.htm

I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If no other problems, we can clean up our tools. We will use Defogger in a few minutes so don't delete it.

From your desktop, please delete
  • any notepads/logs that we created
  • GMER.zip
  • GMER.exe

In Windows Explorer, you can delete this file

C:\WINDOWS\atapi.old

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Now use Defogger,

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled

Updates and upgrades

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 8.1.7 first. Be sure to move any PDF documents to another folder first though.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall and keep TeaTimer enabled.

  • If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL for tips, reviews and links to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware, imo)

You should also use Spyware Blaster to help immunize your computer.

  • SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

  • Keeping your Windows up-to-date is crucial to your computer’s security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis

  • Ensure that Automatic Update is turned on so you get all the latest patches.
    Click start, control panel, click Security Center.

  • Keep your antivirus program updated, as well as any other security programs you have.

  • You may also want to read this article By Tony Klein
    http://www.freedomlist.com/forum/viewtopic.php?t=22879

Take care

Hi Folks
Similar prob to Pogie here. Tried the recover from disk as quoted