
atapi.sys.vir


  • This topic is locked
3 replies to this topic

#1 silverbullet10

silverbullet10

  • Members
  • 6 posts

Posted 07 December 2010 - 01:07 PM

Hello,
I have two questions.
1. I ran a complete scan using Norton and at the end it said I have a Backdoor.Tidserv.I!inf,
so I looked it up on Google and got the tts removal tool, disabled System Restore, ran the tts removal tool, and at the end it said I do not have Backdoor.Tidserv.
However, I also looked on my C drive and found

c\Qoobox\Quarantine\c\windows\sys32\driver\atape.sys.vir

So:
1. Do you think I am infected with Backdoor.Tidserv?
2. Can I delete the 'c\Qoobox\Quarantine\c\windows\sys32\driver\atape.sys.vir' file?

BTW, my machine is running well; it was recently cleaned with the help of one of your excellent co-workers.

Silverbullet10

#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 07 December 2010 - 03:24 PM

Good evening. :)

Although it is recommended elsewhere to disable System Restore when infected, personally I wouldn't. The logic is that SR, when it creates Restore Points, may back up any infections that are present, and disabling SR will remove these infected RPs. While this is true, unless you use SR and choose an infected point there is no risk to your PC.
The greater risk to you is that something goes wrong during a removal attempt; while normally you could give SR a go to see if it will undo the oops that has occurred, if it is already disabled it won't do any good.

Leave SR alone and fix any problem you have. If something goes wrong, then run SR and hope it puts it right. If nothing goes wrong, create a new, clean Restore Point, call it something that will enable you to identify it, and do not use any RP from before this time. Eventually SR will run out of space and delete the oldest RPs as it is programmed to - this will eventually delete any infected points and all is well with the world.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You don't say what file(s) Norton is detecting as tidserv, but if it is c\Qoobox\Quarantine\c\windows\sys32\driver\atape.sys.vir you don't have an issue.

The location is where ComboFix stores back-ups of any files that it removes, just in case they are needed for some reason, so it is an old infection. CF also adds a .vir file extension to the file, which further disables it to leave it as nothing more than a reminder of what you once had on your system.

Simply delete the file as you would any other and find something better to do with the rest of your evening. :)

So long, and thanks for all the fish.
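The post above explains what the Qoobox\Quarantine folder is: ComboFix's backup location, where each removed file is kept under its original path with a .vir extension appended so it can no longer execute. The following PowerShell script is an added example and is not part of the thread or of ComboFix itself. It inventories such a folder before anything is deleted: for every .vir file it records a SHA256 hash, reconstructs the original path, and reports whether a live copy now exists at that path (and its hash), so a reviewer can confirm the quarantined copy and the live file are different. It assumes the quarantine root is C:\Qoobox\Quarantine, as in the post, and that ComboFix mirrors the original path below that root with the drive letter as the first folder (the post's own path has that shape); both are assumptions, not documented ComboFix behaviour.

```powershell
# Added example, not from the thread or from ComboFix.
# Assumptions: quarantine root is C:\Qoobox\Quarantine and each quarantined file keeps
# its original path below that root with ".vir" appended, e.g.
#   C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir
#   -> original location C:\Windows\System32\drivers\atapi.sys
# The script only reads and reports; it deletes nothing.
param(
    [string]$QuarantineRoot = 'C:\Qoobox\Quarantine'
)

function Get-OriginalPath {
    param([string]$QuarantinedFile, [string]$Root)

    # Path relative to the quarantine root, e.g. "C\Windows\System32\drivers\atapi.sys.vir"
    $relative = $QuarantinedFile.Substring($Root.TrimEnd('\').Length + 1)

    # Strip the ".vir" suffix ComboFix appends to neutralise the file
    if ($relative.EndsWith('.vir', [System.StringComparison]::OrdinalIgnoreCase)) {
        $relative = $relative.Substring(0, $relative.Length - 4)
    }

    # The first folder below the root is the drive letter; turn "C\..." back into "C:\..."
    $parts = $relative.Split('\', 2)
    if ($parts.Count -eq 2) { return "$($parts[0]):\$($parts[1])" }
    return "$($parts[0]):\"
}

if (-not (Test-Path -LiteralPath $QuarantineRoot)) {
    Write-Host "No quarantine folder at $QuarantineRoot - nothing to review."
    return
}

Get-ChildItem -LiteralPath $QuarantineRoot -Recurse -File -Filter '*.vir' | ForEach-Object {
    $original = Get-OriginalPath -QuarantinedFile $_.FullName -Root $QuarantineRoot
    $liveExists = Test-Path -LiteralPath $original
    $liveHash = $null
    if ($liveExists) {
        # A live copy is expected when CF replaced an infected system file with a clean one;
        # its hash should differ from the quarantined copy.
        $liveHash = (Get-FileHash -LiteralPath $original -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Quarantined    = $_.FullName
        QuarantinedOn  = $_.LastWriteTime
        SHA256         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        OriginalPath   = $original
        LiveCopyExists = $liveExists
        LiveCopySHA256 = $liveHash
        HashesDiffer   = if ($liveExists) { $liveHash -ne (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } else { $null }
    }
} | Format-List
```

Run it from an elevated PowerShell prompt so the live system files can be hashed. The SHA256 of the quarantined copy is what you would look up in a reputation service if you wanted to know what the old infection was; a live copy whose hash matches the quarantined one would mean the quarantined file is not actually a neutralised backup of something that was replaced, and deserves a closer look before the folder is deleted.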

#3 silverbullet10

silverbullet10
  • Topic Starter

  • Members
  • 6 posts

Posted 08 December 2010 - 01:15 AM

Good news, thanks.

I ran the two scripts that were suggested and here they are.

My plan:
delete the files and enjoy the night.
Both files were too big to upload, so I'm done!

thanks again

Silverbullet10

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 08 December 2010 - 03:20 PM

Always a pleasure. :) As this issue appears to have been resolved, this thread is now closed - happy days!

So long, and thanks for all the fish.
