Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection in atapi.sys


  • Please log in to reply
2 replies to this topic

#1 DanniD

DanniD

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:United States
  • Local time:08:24 AM

Posted 20 June 2010 - 02:20 PM

I am taking care of a family member's computer, and have noticed an infection in atapi.sys which is referred to as Win32/Patched.CG. After running Malwarebytes numerous times, the AVG alert still pops up. The web browsers pop up new tabs and redirect to questionable sites, and the startup theme often reverts to Windows Classic theme with no way of recovering XP themes. Are these problems related to the infection?

Additional Information:

The OS is Windows XP home edition.
The primary Web browser is Firefox, used with several add-ons (WOT, Adblock and Adreplace) for security.
The antivirus software in use is AVG free.
This computer has had several problems with viruses in the past, and I recently removed 10 infections with Malwarebytes.

EDIT: Moved from MRL, no logs ~ Hamluis.

Edited by hamluis, 20 June 2010 - 02:35 PM.


BC AdBot (Login to Remove)

 


#2 computerxpds

computerxpds

    Bleepin' Comp


  • Moderator
  • 4,457 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:24 AM

Posted 20 June 2010 - 02:37 PM

can you post the malwarebytes log that shows the 10 infections? :thumbsup:

sigcomp.png 
If I have replied to a topic and you reply and I haven't gotten back to you within 48 hours (2 days) then send me a P.M.
Some important links: BC Forum Rules | Misplaced Malware Logs | BC Tutorials | BC Downloads |
Follow BleepingComputer on: Facebook! | Twitter! | Google+| Come join us on the BleepingComputer Live Chat too! |


#3 DanniD

DanniD
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:United States
  • Local time:08:24 AM

Posted 20 June 2010 - 03:09 PM

can you post the malwarebytes log that shows the 10 infections? :thumbsup:


Sorry if this is in the wrong area, I'm new to forums.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/19/2010 11:22:35 PM
mbam-log-2010-06-19 (23-22-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 247579
Time elapsed: 1 hour(s), 23 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9b127297-4782-49fa-a472-91d01e6060e5} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9b127297-4782-49fa-a472-91d01e6060e5} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9b127297-4782-49fa-a472-91d01e6060e5} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9b127297-4782-49fa-a472-91d01e6060e5} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(default) (Hijack.Tray) -> Bad: (C:\WINDOWS\TEMP\9568547367.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.
HKEY_LOCAL_MA\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jbwonjm.dll (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\Beverly\My Documents\downloads\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users