
atapidrv.sys? Where is it?

2 replies to this topic

#1 phd2010

phd2010

  • Members
  • 2 posts

Posted 09 July 2010 - 04:13 AM

I confess: my wife was right, I was wrong: that strange behavior from Windows was actually a virus. Several, in fact. In the process of trying to clean it up I downloaded five new programs, including Prevx (free version) and HiJack This. Prevx reported up to 13 different infections. Now I have it knocked down to three (the most difficult to remove so far being "cbss.dll"), all related to the "atapidrv.sys" trojan.

Prevx says there's a file c:\windows\system32\drivers\atapidrv.sys and two registry entries. I do *not* see the file at all, even when invoking the hidden file options (dir /a:h from the command prompt, showing all hidden and system files from Explorer). However, I do see several entries in the registry. When I delete those entries and reboot, they're back, so *something* is putting them there.

There is also the file "atapi.sys" in the same directory where atapidrv.sys is reported to be, which I now read is also a frequent target for Trojans - could this be responsible?

I ran Hijack This and Spybot and they do not mention anything related to atapidrv.sys.

Bright ideas, anyone? I'd like to keep my record of not having to pay money to get rid of these things...
-phd2010


#2 phd2010

phd2010
  • Topic Starter

  • Members
  • 2 posts

Posted 10 July 2010 - 02:11 PM

Jayson201 wrote:
> Here's 2 more programs you should try out.
> Malwarebytes Anti Malware ( Malwarebytes.org )
> download, install, update, do a full scan.
> Microsoft Security Essentials ( http://www.microsoft.com/security_essentials/?mkt=en-us )
> Download, install, update, do a full scan.
> Also check this one out: http://www.eset.com/online-scanner
> If you would, after the scans are finished, report the Mbam log here, and also what viruses ESET and MSE detect.
> Tip: Don't do all three scans at once.

Thanks Jayson. I took a detour because my wife inadvertently let a whole bunch more viruses reinfect the computer!
Boy what a time-waster, having to deal with this stuff.

So anyway, after getting rid of the majority of the problems (or so I thought) using MBAM, I got back to where I was at the time of the first post - three items related to "atapidrv.sys" - one file that doesn't exist and two registry keys that point to said file. At this point I did as follows:

Executive Summary:
--------------------------
2 Quick scans with MBAM
1 Full scan with MBAM
Tried to use Microsoft Security Essentials but the setup application failed to run "out of the box"
Downloaded the ESET online scanner and ran that.
Still the atapidrv.sys tags refuse to go away.
All logs are attached.

Details:
---------
The first MBAM quick scan found several viruses but also reported the atapidrv.sys keys and claims to have cleaned them; however, they were there again after I rebooted the machine.

The second MBAM quick scan found these two keys again, and that's all. Once again it reported that it had deleted them, but they were there again after I rebooted.

The third MBAM scan was a full scan that found the two keys a third time plus two Trojans camping out in the "c:\System Volume Information" directory. Still the keys were there again when I rebooted.

So then I tried to download Microsoft Security Essentials, but it failed to run the setup.exe, saying, "The volume for a file has been externally altered so that the opened file is no longer valid"

So then I went to www.eset.com and downloaded their Online Scanner application (I was using Firefox) and then executed the scan/fix. It found 37 items! However, it did not find the atapidrv.sys keys, even though I could see them in regedit. The log is attached. So after it was done again those keys were still there. Nothing seems to be able to get rid of them.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4296

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2010 9:35:39 AM
mbam-log-2010-07-10 (09-35-39).txt

Scan type: Quick scan
Objects scanned: 159804
Time elapsed: 12 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\EWABQAF7KL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4296

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2010 10:09:26 AM
mbam-log-2010-07-10 (10-09-26).txt

Scan type: Quick scan
Objects scanned: 159531
Time elapsed: 10 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4299

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2010 3:44:21 PM
mbam-log-2010-07-10 (15-44-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 261438
Time elapsed: 1 hour(s), 58 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196480.dll (Trojan.Monkif.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196483.com (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Apps\WxBugManUpgrade605.exe	a variant of Win32/Toolbar.MyWebSearch application	deleted - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip	Win32/Bagle.gen.zip worm	cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentsvc1.zip	Win32/Bagle.gen.zip worm	cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadss.zip	Win32/Bagle.gen.zip worm	cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadss1.zip	Win32/Bagle.gen.zip worm	cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadss2.zip	Win32/Bagle.gen.zip worm	cleaned by deleting - quarantined
C:\Program Files\Common Files\Symantec Shared\ccApp.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196045.ini	Win32/Adware.Virtumonde.NEO application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196072.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196074.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196075.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196076.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196077.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196078.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196079.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196080.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196081.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196082.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196083.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196084.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196085.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196086.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196087.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196088.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196089.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196090.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196091.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196092.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196276.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196277.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196278.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196279.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1548\A0196292.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196383.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196481.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196482.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1551\A0196484.exe	Win32/TrojanDownloader.Unruy.BN trojan	cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\rstwa.bak1	Win32/Adware.Virtumonde.NEO application	cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\rstwa.bak2	Win32/Adware.Virtumonde.NEO application	cleaned by deleting - quarantined
C:\_OTM\MovedFiles\07092010_012157\C_WINDOWS\system32\sshnas21.dll	Win32/TrojanDownloader.FakeAlert.ARF trojan	cleaned by deleting - quarantined
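The two keys that keep coming back in the MBAM logs above sit in the SafeBoot lists, the registry lists Windows consults to decide which drivers and services are allowed to load in Safe Mode. A rootkit that registers itself there survives a Safe Mode boot, and because the entry is re-created at every start, deleting it by hand has no lasting effect, which is exactly the behaviour described in both posts. The PowerShell below is an added example, not code from the thread or from any of the tools named in it. It reads both SafeBoot lists, flags entries that name a .sys file with no backing file in the drivers directory and no matching Services key (as AtapiDrv.sys was here), and saves a baseline so that entries which reappear after a reboot show up as a diff. It assumes PowerShell 2.0 or later with rights to read HKLM; the baseline file location is an assumed value.

```powershell
# Added example (not from the thread). Enumerates the SafeBoot driver lists,
# flags orphaned .sys entries and diffs against a saved baseline across reboots.

$SafeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
$DriverDir    = Join-Path $env:SystemRoot 'system32\drivers'
$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$BaselinePath = Join-Path $env:USERPROFILE 'safeboot-baseline.csv'   # assumed location

function Get-SafeBootEntry {
    foreach ($root in $SafeBootRoots) {
        $list = Split-Path -Path $root -Leaf          # "Minimal" or "Network"
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $name  = $_.PSChildName
            $class = (Get-ItemProperty -Path $_.PSPath).'(default)'
            # Windows keeps three kinds of subkeys here: setup class GUIDs,
            # service names, and driver file names. Only a file name can be
            # checked against the drivers directory.
            $isDriverFile = $name -match '\.sys$'
            $fileOnDisk = $null
            if ($isDriverFile) {
                $fileOnDisk = Test-Path -Path (Join-Path $DriverDir $name)
            }
            # Legitimate entries normally have a Services key of the same base
            # name (vga.sys -> Services\vga); the rootkit entry here had none.
            $svcName   = [System.IO.Path]::GetFileNameWithoutExtension($name)
            $svcExists = Test-Path -Path (Join-Path $ServicesKey $svcName)
            New-Object PSObject -Property @{
                List       = $list
                Entry      = $name
                Class      = $class
                FileOnDisk = $fileOnDisk
                ServiceKey = $svcExists
                # Orphaned: a .sys entry with neither a visible file nor a
                # service. Either a leftover from an uninstalled product or,
                # as in this thread, a rootkit entry whose file is hidden.
                Suspicious = ($isDriverFile -and -not $fileOnDisk -and -not $svcExists)
            }
        }
    }
}

function Compare-SafeBootBaseline {
    param([string]$Path = $BaselinePath)
    $current = @(Get-SafeBootEntry)
    if (-not (Test-Path -Path $Path)) {
        # First run: record the current lists (take it right after deleting
        # the unwanted keys, before rebooting).
        $current | Export-Csv -Path $Path -NoTypeInformation
        Write-Output "Baseline written to $Path; run again after the next reboot."
        return
    }
    $saved = @(Import-Csv -Path $Path)
    # '=>' marks entries present now but absent from the baseline, i.e.
    # entries something re-created between the baseline and this run.
    Compare-Object -ReferenceObject $saved -DifferenceObject $current -Property List, Entry |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { "Re-created since baseline: SafeBoot\$($_.List)\$($_.Entry)" }
}

# Usage: list orphaned entries, then record/compare the baseline.
Get-SafeBootEntry | Where-Object { $_.Suspicious } |
    Format-Table List, Entry, Class, FileOnDisk, ServiceKey -AutoSize
Compare-SafeBootBaseline
```

Two caveats on reading the output. A kernel-mode rootkit can hide its driver file and even its registry keys from user-mode tools, so "FileOnDisk = False" means the file is not visible to this script, not necessarily that it is absent; and a clean "Compare" result after a reboot only shows that the keys were not re-created at this point in the boot, not that the system is clean. Both are reasons the moderator's next step below (logs from the prep guide and an offline or rootkit-aware scan) is the right follow-up rather than more deletion by hand.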


#3 Orange Blossom

Orange Blossom

    Bleepin Investigator


  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 10 July 2010 - 09:11 PM

Hello,

Given what you've already done, please follow the instructions in ==>This Guide<== starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :thumbsup: