# Trojan Virus Infection atapi.sys - drivers/dllcache



## SunilGoyal4 (Nov 21, 2009)

I am using Windows XP -SP 1 & 2; have AVG Anti-Virus Free & Zone Alarm Firewall free installed. From yesterday morning on opening the system AVG is giving alert as follow:

Trojan horse Packed.Protector.C;"C:\WINDOWS\system32\drivers\atapi.sys";"Object is white-listed (critical/system file that should not be removed)";"11/20/2009, 3:40:15 AM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Packed.Protector.C;"C:\WINDOWS\system32\dllcache\atapi.sys";"Moved to Virus Vault";"11/20/2009, 3:40:15 AM";"file";"C:\WINDOWS\system32\svchost.exe
"Trojan horse BackDoor.Agent.ACVO;"C:\WINDOWS\system32\drivers\qol5dbf.sys";"Moved to Virus Vault";"11/20/2009, 4:38:50 AM";"file";"System"

Alerts are repeating whenever system is opened.
The virus is unable to heal/remove (& reappear after moving to vault).

System is unable to restore to back date.

Please guide me what to do?

I thought of removing the infected file with fresh one but unable to find the same new file - not sure whether this would remove the problem. There was compulsory system shut down by NT system also once in begginning today.

Hoping early help from advanced adviser.

Thanks,

Sunil Goyal


----------



## Phantom010 (Mar 9, 2009)

Please click on the *Report* button and kindly ask to be moved to the *Malware Removal* forum.


----------



## SunilGoyal4 (Nov 21, 2009)

As instruction given, I have requested to move to Malware removal forum.

Thanks,
Sunil Goyal


----------



## dvk01 (Dec 14, 2002)

=====
*GMER:*
=====








Download *GMER Rootkit Scanner *from *here* or *here*.

Ensure you have uninstalled any CD Emulation programs before you run GMER as outlined *here*


 Extract the contents of the zipped file to desktop. 
 Double click GMER.exe. 
 If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on *NO*, then use the following settings for a more complete scan..

 
_Click the image to enlarge it_

 In the right panel, you will see several boxes that have been checked. Ensure the following are *UNCHECKED* ...
 Sections
 IAT/EAT
 Drives/Partition other than Systemdrive (typically C:\) 
 Show All (don't miss this one)

 Then click the Scan button & wait for it to finish. 
 Once done click on the *[Save..]* button, and in the File name area, type in *"ark.txt"*

Save it where you can easily find it, such as your desktop

_**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries _

then

Download to Desktop: DDS by sUBs from one of these locations:

http://download.bleepingcomputer.com/sUBs/dds.com
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

double click DDS.scr to run

When complete, DDS.txt will open.

Click Yes for Optional Scan.
Save both reports to your desktop.
DDS.txt
Attach.txt

Attach the contents of both logs back here.


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Dvk,
Thanks for help. I will Give the report after completing instructions. Now system is becoming slow may take longer time.
Sunil Goyal


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
I have to uninstall AVG as it has (slow down system - speed improve after AVG removal) blocked scan run two times and shut Zone alarm also. File are attached.
Thanks,
Sunil Goyal


----------



## dvk01 (Dec 14, 2002)

That was only part of the dds log

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​
Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything unless told to do so while we are fixing your problem. *


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
I had attached DDS.txt file, now attaching all files (thought not required).
Further new files will attach after completing new instructions.
Thanks,
Sunil Goyal


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
Attaching Combofix log.
Unable to understand "newHijack log"
Please clarify - will do as instructions given.
Thanks,
Sunil Goyal


----------



## dvk01 (Dec 14, 2002)

I need to examine some files before we can go any further

Download suspicious file packer from http://www.safer-networking.org/en/tools/index.html (direct download http://www.safer-networking.org/files/sfp.zip )

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files

Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, When the file is listed in the windows press send to upload the file

*
c:\windows\system32\dllcache\atapi.sys
c:\windows\system32\drivers\atapi.sys
c:\windows\system32\kernel32.dll
*


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
File Uploaded, Link below - topic - trojan virus
http://thespykiller.co.uk/index.php/topic,8978.new.html#new
Thanks, 
Sunil Goyal


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
There may be mistake (in link) if require give instrction for doing again.
Thanks,
Sunil Goyal


----------



## dvk01 (Dec 14, 2002)

I am not guaranteeing this will work & we might have to replace the infected files uisng the recovery console but lets try this first

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *


----------



## dvk01 (Dec 14, 2002)

If you haven't already performed the steps in post #13

Rather than following my last post please do this instead

combofix has been updated to hopefully deal with this problem

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​
Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything unless told to do so while we are fixing your problem. *


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
File enclosed.
Thanks,
Sunil Goyal


----------



## dvk01 (Dec 14, 2002)

looks a lot better

are you getting any antivirus alerts now


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
This is first time I am taking help at forum. I was not aware of HJT. After search I came to know about this. Now it may / may not require. Anyway, attaching log file of HJT.
Thanks a lot for help and immediate response.
Sunil Goyal


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek, 
I had uninstall AVG. Should I install now AVG or any other free anti virus as you recommand.
Thanks,
Sunil Goyal


----------



## dvk01 (Dec 14, 2002)

just a little bit of clearing up to do

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

Once that is done then install an antivirus of your choice

if you are happy with AVG, then sticvk with it 
I quite like Microsoft MSE as a free one ( if it is available in your territory)

http://www.microsoft.com/Security_Essentials/

whichever one you do install, do a full system scan & post back with what it finds










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply .

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
Attaching Combofix log.
Now install AVG, will post report.
Thanks,
Sunil Goyal


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
There was virus in system restore point & That request zip which was uploaded - all that was removed by AVG. 
No virus found in system windows working directory.
Thanks again for your lot of timely help.
Sunil Goyal


----------



## dvk01 (Dec 14, 2002)

looks fine now

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall * in the runbox and click *OK*. Note the *space *between the *X* and the */U*, it needs to be there.









This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


----------



## SunilGoyal4 (Nov 21, 2009)

Hi Derek,
Thanks I will do as suggested.
Sunil Goyal


----------

