Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Atapi.sys infection?

  • This topic is locked This topic is locked
4 replies to this topic

#1 BlackClouds


  • Members
  • 22 posts
  • Local time:08:55 PM

Posted 02 April 2010 - 10:16 AM


Description Problem:
I have had a nasty infection recently which totally trashed my windows 7 installation, back then I had high memory usage errors when they should not appear. I decided to format my windows partition (C:\) and do a clean reinstallation (Do notice that I have 3 other HDD's full of stuff I do not want to lose). This is where my current problems started:
  • Google Chrome stopped functioning
  • Random pop-ups in internet explorer
  • A blue screen with an mbr.sys
  • Reinfection after clean windows 7 install and combofix
  • "Interactive Services Detection" spam (not sure if its relevant).
*Note I reinstalled it another time since these problems started happening again*

Operating System:
Windows 7

The hunt:
  • Firstly I did a quick scan with Malwarebytes' Anti-Malware. Found some things but did not fix the major problem.
  • Then I started googling for similar problems and followed one topics which suggested that combofix would fix the problem. So I ran it and it deleted the following:


    Besmet exemplaar van c:\windows\system32\DRIVERS\atapi.sys werd aangetroffen en gedesinfecteerd
    Hersteld exemplaar van - Kitty ate it :thumbsup:

    It fixed the problem for then and I could use google chrome again. But after not so long it got infected again somehow and google chrome does not work again.
  • I decided to read on and did a full GMER scan for rootkit activity (quick scan did not show anything). There I noticed again the atapi.sys with a value of suspicious modification.
  • I did a virustotal.com scan on atapi.sys . eSafe said it was a Win32.TrojanHorse and mcAfee-GW-Edition said it was a Heuristic.BehavesLike.Win32.Rootkit.H .
  • Full Malwarebytes' Anti-Malware scan newly found: sshnas21.dll
The question

Is it leftovers from the first memory stopping infection? Is the cause atapi.sys and sshnas21.dll infected and what should I do with them or am I looking at the wrong file. Since the problems seems to be coming back even after a clean reinstall and a combofix I am kind of at a loss. What would you recommend me to do?

Ofcourse I can post all the logs I have gotten so far on request or do new ones.

Hope to hear from you,


Edited by BlackClouds, 02 April 2010 - 10:17 AM.

BC AdBot (Login to Remove)


#2 BlackClouds

  • Topic Starter

  • Members
  • 22 posts
  • Local time:08:55 PM

Posted 03 April 2010 - 07:35 AM

Shameless bump.

#3 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,567 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:01:55 PM

Posted 03 April 2010 - 09:43 AM

Hello, having run GMer and ComboFix,we will need to see those complete logs along with a DDS log.
Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 and not here,thanks.

Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 BlackClouds

  • Topic Starter

  • Members
  • 22 posts
  • Local time:08:55 PM

Posted 03 April 2010 - 12:17 PM

Hey Boopme,

Thanks for redirecting me to the correct forum.

I have made a new post which you can find here: http://www.bleepingcomputer.com/forums/t/306911/atapisys-infection/


#5 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,111 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:55 PM

Posted 03 April 2010 - 03:37 PM


Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users