

atapi.sys virus


This topic is locked. 16 replies to this topic.

#1 jillmarten

  • Members
  • 102 posts

Posted 01 April 2010 - 08:23 AM

Hello, my computer keeps restarting, and I can't get into safe mode either. When it restarts it goes to a blue screen and says atapi.sys. I can't get into safe mode or regular mode... Please help

Jill M***Butterfly Kisses



#2 Blind Faith

  • Malware Response Team
  • 4,101 posts

Posted 01 April 2010 - 10:07 AM

Hi,


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 jillmarten

  • Topic Starter
  • Members
  • 102 posts

Posted 01 April 2010 - 02:10 PM

I can't get into Windows, regular or safe mode... So that might be a problem downloading it to the infected computer's desktop... Any other suggestions? Thanks for the fast reply

Jill M***Butterfly Kisses


#4 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Location:The Netherlands

Posted 01 April 2010 - 04:04 PM

Hi jillmarten,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please bear in mind that your detailed feedback will be needed to diagnose and help you better.

Please tell me if you have Windows XP or Vista and if you have a Windows installation CD (for XP) or Windows installation DVD (for Vista).
Tell me also of anything you noticed prior to the boot problem, like any particular type of infection, etc.



#5 jillmarten

  • Topic Starter
  • Members
  • 102 posts

Posted 05 April 2010 - 07:57 PM

Hello, sorry it took me a couple of days to get back to you. I was out of town for an appointment and forgot my computer. Yes, I do have a WinXP CD. The only thing in the beginning when the computer is starting up is "ALERT! Cover was previously removed." I went into the menu so I could choose the option to "disable automatic restart on system failure"; if I don't choose that option the computer just keeps restarting. Then it stops at the blue screen of death and the technical information is as follows:
*** STOP: 0x0000007E (0xC0000005, 0xF75343C0, 0xF7AD552C, 0xF7ad5228)
*** adtapi.sys - address F75343C0 base at F751E000, DateStamp 41107b4d

Again, I am sorry for not getting back to you right away... Thanks in advance

Jill M***Butterfly Kisses


#6 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Location:The Netherlands

Posted 06 April 2010 - 04:50 AM

No worries for the delay.

Please read the whole post carefully, with the comments. If not needed, you don't have to apply all the commands.
  1. Enter the Recovery Console, to do that:
    • Insert the Windows XP cd in your computer.
    • Restart your computer so you are booting off of the CD. When you see "press any key to boot off CD ..." press a key. (if you don't get this you have to change the boot order from the BIOS).
    • When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.
    • If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

  2. Type map and press enter.
    It will give you the drive letters. Note down the letter of your CD-ROM. If it is a letter other than E, you should replace the letter e when applying the expand command later on, if that command needs to be applied.
    You have to be precise with typing. Note also the spaces, the command is like this: commandspaceline1spaceline2

    Type the following bold lines one by one and press Enter after each line:

    ren c:\windows\system32\drivers\atapi.sys atapi.old
    (It will return to the prompt again without notification)

    Copy c:\windows\servicepackfiles\i386\atapi.sys c:\windows\system32\drivers
    (Important note, please read: if you get the notification "1 file(s) copied", you don't need to do the next expand command; go to the exit command. But if you get a notification that the file doesn't exist, proceed with the expand command)

    expand e:\I386\atapi.sy_ c:\windows\system32\drivers
    (You should be notified that the file expanded)
    exit

    You may remove the CD or let Windows boot normally. Tell me if you could boot and we will proceed from there.
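The repair in post #6 trusts that the cached Service Pack copy of the driver is clean and copies it over the live one. As an added check that is not part of the thread, this Python script compares the two files by SHA-256 before and after such a copy; the directory layout mirrors the paths used above, and the sample tree is constructed in a temporary directory.

```python
# Added example (not from the thread): compare the live driver in
# system32\drivers with the cached ServicePackFiles copy that post #6 restores.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_driver(windir, name="atapi.sys"):
    """Return 'match', 'mismatch', 'missing_live' or 'no_reference'."""
    windir = Path(windir)
    live = windir / "system32" / "drivers" / name
    ref = windir / "ServicePackFiles" / "i386" / name  # source of the copy command in #6
    if not live.is_file():
        return "missing_live"
    if not ref.is_file():
        # No cached copy: the thread falls back to expanding <cd>:\I386\atapi.sy_
        return "no_reference"
    return "match" if sha256_file(live) == sha256_file(ref) else "mismatch"

def demo():
    """Constructed Windows tree: cached copy is clean, live copy carries extra bytes."""
    win = Path(tempfile.mkdtemp()) / "WINDOWS"
    (win / "system32" / "drivers").mkdir(parents=True)
    (win / "ServicePackFiles" / "i386").mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 64 + b"constructed clean driver body"
    (win / "ServicePackFiles" / "i386" / "atapi.sys").write_bytes(clean)
    (win / "system32" / "drivers" / "atapi.sys").write_bytes(clean + b"appended bytes")
    before = check_driver(win)
    # Repair as in post #6: copy the cached file over the live one.
    (win / "system32" / "drivers" / "atapi.sys").write_bytes(clean)
    after = check_driver(win)
    return before, after

if __name__ == "__main__":
    print(demo())  # ('mismatch', 'match')
```

A "match" only shows the two copies agree with each other; if the cached copy is itself suspect, hash it against the file expanded from the installation CD.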


#7 jillmarten

  • Topic Starter
  • Members
  • 102 posts

Posted 06 April 2010 - 02:20 PM

Hello, reached a little problem,
the COPY command line came back with "The system cannot find the file specified"
the EXPAND command line came back with "The file could not be expanded"

What now?

Jill M***Butterfly Kisses


#8 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Location:The Netherlands

Posted 06 April 2010 - 02:34 PM

type dir e:\I386\atapi.sy_ and press Enter. Tell me what you get.

#9 jillmarten

  • Topic Starter
  • Members
  • 102 posts

Posted 06 April 2010 - 02:53 PM

When I type that it says

The volume in drive D is VRMHFPP_EN
The volume Serial Number is 7b82-960c

Directory of d:\I386\atapi.sy_

08-04-04 07:00a --r----- 49558 ATAPI.SY_
1 file(s) 49558 bytes
0 bytes free

Jill M***Butterfly Kisses
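The STOP screen in post #5 and the directory listing in post #9 can be cross-checked. The following Python script is an added example, not part of the thread: it parses the two BSOD lines, confirms the faulting address lies inside the named driver image, computes its offset from the image base, and decodes the DateStamp (the PE link time) to a date. The input is retyped from post #5, including its "adtapi" typo; the regex field names are my own.

```python
# Added example (not part of the thread): decode the STOP screen from post #5.
import re
from datetime import datetime, timezone

# Constructed input: the two lines retyped from post #5 (typo in the name kept).
SAMPLE = (
    "*** STOP: 0x0000007E (0xC0000005, 0xF75343C0, 0xF7AD552C, 0xF7ad5228)\n"
    "*** adtapi.sys - address F75343C0 base at F751E000, DateStamp 41107b4d\n"
)

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]{8})\s*\((.*?)\)")
MOD_RE = re.compile(
    r"(?P<mod>\S+)\s*-\s*address\s+(?P<addr>[0-9A-Fa-f]+)\s+base at\s+"
    r"(?P<base>[0-9A-Fa-f]+),\s*DateStamp\s+(?P<stamp>[0-9A-Fa-f]+)"
)
EXCEPTION_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

def parse_stop(text):
    """Pull the bugcheck, its four parameters and the module line out of BSOD text."""
    m, n = STOP_RE.search(text), MOD_RE.search(text)
    if not (m and n):
        raise ValueError("STOP or module line not found")
    return {
        "bugcheck": int(m.group(1), 16),
        "params": [int(p, 16) for p in m.group(2).split(",")],
        "module": n["mod"],
        "addr": int(n["addr"], 16),
        "base": int(n["base"], 16),
        "stamp": int(n["stamp"], 16),
    }

def analyse(text):
    """Bugcheck 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED): parameter 0 is the
    exception code, parameter 1 the address that faulted. Report whether that
    address sits inside the named driver, its offset from the base, and the
    link date stored in the driver's PE header (seconds since 1970, UTC)."""
    info = parse_stop(text)
    p0, p1 = info["params"][0], info["params"][1]
    inside = info["addr"] >= info["base"] and p1 == info["addr"]
    stamp = datetime.fromtimestamp(info["stamp"], tz=timezone.utc)
    return {
        "bugcheck": info["bugcheck"],
        "exception": EXCEPTION_NAMES.get(p0, hex(p0)),
        "module": info["module"],
        "fault_in_module": inside,
        "offset": info["addr"] - info["base"] if inside else None,
        "link_date": stamp.strftime("%Y-%m-%d"),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The decoded link date, 2004-08-04, agrees with the 08-04-04 file on the CD, but a PE timestamp survives in a modified file, so date agreement alone never clears a driver; only a hash comparison against a known-good copy does.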


#10 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Location:The Netherlands

Posted 06 April 2010 - 03:21 PM

Did you replace e with d when you typed the command?

Type the following lines one by one and press Enter:

expand d:\I386\atapi.sy_ c:\
copy c:\atapi.sys c:\windows\system32\drivers


#11 jillmarten

  • Topic Starter
  • Members
  • 102 posts

Posted 06 April 2010 - 03:59 PM

Yes, I replaced the e with d, because my CD-ROM drive is D... I tried to do this before posting on here but my commands were off or something; I knew I had to replace and copy the file from my XP disk but my commands were wrong. I do have pretty good knowledge of computers. Whew, that worked!!!! 1 file copied. I then typed exit and restarted the computer. Windows is now starting, but it gets stuck on the blue screen that says welcome and you can see the cursor

Jill M***Butterfly Kisses


#12 jillmarten

  • Topic Starter
  • Members
  • 102 posts

Posted 06 April 2010 - 04:10 PM

It's in Windows finally!!!! Now what? Should I do what the first post said? This is actually a friend's computer, not mine, that I am trying to fix... I can probably do the rest myself now but I will listen to what you said. It is an old Dell OptiPlex GX1 with WinXP. They don't have the money to buy a new one so they keep using this. It normally works fine, but they got some viruses from what I am seeing now that I am in Windows. Looks like there is AntiVirus Plus on there... Please advise

Edited by jillmarten, 06 April 2010 - 04:18 PM.

Jill M***Butterfly Kisses


#13 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Location:The Netherlands

Posted 06 April 2010 - 04:15 PM

Try safe mode and tell me if you can get to Windows:

Start in Safe Mode Using the F8 key:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
  • Log in to your usual account.
  • If you couldn't log in, reboot again and this time try to log into the Administrator account.
  • Please give me feedback about it.


#14 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Location:The Netherlands

Posted 06 April 2010 - 04:18 PM

I saw your second post. Great.

It is up to you if you can do the rest. Please let me know your decision.

#15 jillmarten

  • Topic Starter
  • Members
  • 102 posts

Posted 06 April 2010 - 04:19 PM

I will do the rest now... Thanks for your help... I know what to do now. Is there anywhere that you know of where I can read up on the commands and things that we did in the Recovery Console? And one more thing: if I have a problem removing things, should I post it again in here or start a new thread? I don't imagine there will be a problem, though.

Jill M***Butterfly Kisses




