Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan in atapi.sys


  • Please log in to reply
13 replies to this topic

#1 Karthik Murali

Karthik Murali

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 12 December 2009 - 12:25 PM

Below is the log of Avast Antivirus Scan

1360 Sign of "Win32:Cutwail-AD [Trj]" has been found in "C:\WINDOWS\system32\drivers\atapi.sys" file.
Please help me how to remove the above trojan

I have a Windows XP SP2 and have Avast Antivirus

Thanks
Karthik Murali

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:39 AM

Posted 12 December 2009 - 08:30 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Karthik Murali

Karthik Murali
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 12 December 2009 - 11:17 PM

Hi
thanks fr the quick reply...........
can i know wat i should do now....... or which log i should post, for you to check......
I am kinda unsure.. Pls help, As every time i open my computer, avast says, thers a virus in operating memory as well as detecting the trojan in atapi.sys


THanks
Karthik Murali

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 13 December 2009 - 03:12 PM

Hello, please post me a GMER log.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Karthik Murali

Karthik Murali
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 14 December 2009 - 01:18 AM

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 10:23:42
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\KARTHI~1\LOCALS~1\Temp\fxldqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF20356B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF2035A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF203514C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF203564E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF203576E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF203572E]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1440] ntdll.dll!NtQueryDirectoryFile + 6 7C90DF64 4 Bytes [90, 61, A7, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[604] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[604] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 [84D5A572] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdePort1 [84D5A572] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdePort2 [84D5A572] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdePort3 [84D5A572] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7 [84D5A572] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdePort4 [84D5A572] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdePort5 [84D5A572] atapi.sys[.reloc]
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-16 [84D5A572] atapi.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1B 0x25 0xE9 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1B 0x25 0xE9 0x05 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1B 0x25 0xE9 0x05 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1B 0x25 0xE9 0x05 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E5B96D3-0338-9372-D274-4CB45EA1BE75}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E5B96D3-0338-9372-D274-4CB45EA1BE75}@pagobikkmnalfeldkoaeioekmfjfnban 0x69 0x61 0x65 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E5B96D3-0338-9372-D274-4CB45EA1BE75}@oamohgnebodiibdaopffkldbbcjlmf 0x69 0x61 0x65 0x70 ...

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 14 December 2009 - 02:27 AM

Are you experiencing any redirects when browsing the internet?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Karthik Murali

Karthik Murali
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 14 December 2009 - 02:45 AM

Hi

I am nt experiencing any redirects
I use only firefox , and all websites seem to open fine

everytime i start my computer , Avast prompts to show the trojan in atapi and says ,its dangerous to have the virus in operating memory
i also noticed yesterday that, svchost.exe was runnign 48 % of the CPU , which is usually unsual , though it didnt surface today , when i started my computer today morning

Thanks a lot
Karthik Murali

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 14 December 2009 - 09:32 AM

It looks like this is a false positive from Avast, but lets doublecheck that. Please do the following.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Now restart your computer and let me know if Avast still detects atapi.sys

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Karthik Murali

Karthik Murali
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 16 December 2009 - 10:30 AM

Hi
thanks for the reply

my computer has stopped booting , and it doesnt go past the startup screen
hence i think the only option is to format my C: and install XP again

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 16 December 2009 - 10:49 AM

If you choose not to re-install yet, please tell me what you did prior to this problem. Did you run a tool or try something right before this bootproblem?

Also, can you try to be as specific as possible to when the problem occurs? Do you still see the XP splash screen and if so, does it just flash, or does it stay on longer?

Just let me know what you are going to do :thumbsup:

If you decide to give this a try, please keep your XP CD at hand, because we might need it.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 Karthik Murali

Karthik Murali
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 16 December 2009 - 11:39 PM

When i switched on the comp , i heard a beeping tone, and then it displayed the message , ur PC was shutdown due to thermal overheating
after an hour , i swithced on again , it booted up properly.
i ran the gmer test . and copied the results in the site, i just shut down my PC normally , in the morning

In the evening , when i came back and switched my computer on , i logged in , and then i got the msg ,
windows had to terminate "services.exe"
and then the 60 secs countdown timer came
( the Similar screen you get , if anyone end tasks the svchost.exe process)
after that i restarted my comp.. the first screen displayed , and as usual , with the msg
press f2 for bios
after that , the screen becomes blank , the processor is on , but doesnt run anything.........

now i am unable to go beyond this blank screen. is formatting the only option ?
i think i got the XP cd with me ......
and also , i have already backed up my C drive.. I just cant afford to lose data in my d,e,f drives.....
i can only format c : . worst case

Thanks a lot for the help......

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 17 December 2009 - 03:13 AM

Can you please try the following? Let me know if you are able to complete the steps and if not, what error did you receive.
  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Type EXIT and press enter to restart your computer.

Let me know how this went.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 Karthik Murali

Karthik Murali
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:09 PM

Posted 19 December 2009 - 12:18 PM

Hi Elise.
Thanks for the reply.. I tried recovering , but didnt work.. A few errors occurred ,and it kept saying
it cant copy some dll files from the cd.
and asked me to try again
this happened quite a few times
Hence i jus opted for formatting my C drive ( I already had taken backup and hence formatted my system)


Its working fine though .....
Thanks for your patient help though..... It was really useful
Karthik Murali

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:39 AM

Posted 19 December 2009 - 01:22 PM

Sorry to hear you had to reformat. I hope things will stay fine now!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users