Articles

atapi.sys / redirection to shopping sites

July 5, 2010 at 16:27:24
Specs: Windows XP, 3.201 GHz / 2559 MB

Things are not going well.

When I start my machine in normal mode, after login I get an error message that says "Windows cannot find 'C:\WINDOWS\is-3U2Q5.exe. Make sure you typed the name ..." etc. It will then start up, launch all the startup programs, wait a minute or so, and then I get BSOD (this doesn't happen if I am physically disconnected from the internet). The error at the top is DRIVER_IRQL_NOT_LESS_OR_EQUAL. The technical info at the bottom is STOP: 0x...D1 (0x...40, 0x...02, 0x...00, 0xB9E2021F) [The dots stand for zeros]. atapi.sys - Address B9E2021F base at B9E18000 Datestamp 4802539d.

I have deleted atapi.sys and replaced it with a copy from an XP disc to no effect, although googling suggests that this has worked for others.

Working in safe mode I can start up OK, no error message, no BSOD, but I do get tabs popping up to shopping sites - no searches or results of searches have been redirected that I have noticed.

My situation was worse until recently; Defense Center downloaded itself and put some shortcuts to itself, a support centre and a couple of porn sites on my desktop. MBAM took care of that; it found 70 infections and after clearing them DC appeared to be gone- I erased the shortcuts manually (with Eraser). To my disappointment this did not resolve the other issues; a subsequent run of MBAM found 4 infections. I have the log for that, also for GMER and HijackThis. I have Combofix but have not run it yet. I have RapidShared the logs and can PM links if that would be useful. I'm not sure about the integrity of the GMER log - it takes at least a day and a half to run, and when I got back from work today it appeared to have finished but there was an error message about some file not being saved and data being lost - unfortunately I pressed OK before I thought to take a screenshot. This error came up again when I shutdown, but again I didn't think to snapshot it. Also, I only noticed halfway through that ADAware icon was in the intray, so there may have been a conflict? This was actually a second run of GMER, the first time ran it I got a different BSOD, something about PCTCore.sys I think? That was after 10 hours.

That's all I can think of.

So, what do you think?


See More: atapi.sys / redirection to shopping sites

Report •


#1
July 5, 2010 at 18:24:05

At least you can still run Malwarebytes & others.

Clean your temps.

ATF Cleaner
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.atribune.org/
http://www.atribune.org/index.php?o...
Forum
http://www.atribune.org/forums/
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
This will remove all files from the items that are checked so if you have some cookies you'd like to save, please move them to a different directory first.

Download, install, update & then run these.

Hitman Pro
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.surfright.nl/en/HitmanPro
Review
http://www.youtube.com/watch?v=WmPQ...

Trojan Remover
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.simplysup.com/tremover/d...

ComboFix
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
How to use ComboFix
http://www.bleepingcomputer.com/com...
http://www.jamiiforums.com/download...
http://forums.majorgeeks.com/showth...
http://www.bleepingcomputer.com/for...


Report •

#2
July 6, 2010 at 12:21:44

This is an edit of a previous message: it's not all done, by a long way! I didn't scroll to the end of the message. I'll be back with you in a day or two ... thanks very much for all your help so far.

Report •

#3
July 8, 2010 at 10:24:10

That, my friend, appears to have fixed everything. A few points which you may find helpful:

I had to run the programs you named in a different order, leaving hitman til last. I actually had the free version already installed and set to run at startup (I know, I should have mentioned this earlier- sorry, just didn't occur to me). I now realise that it was this that was probably triggering the restart. When I ran 'pro', it got just far enough to flash up that it had detected a variant of 'Alureon' and then the machine shut down- even in safe mode. I guess it didn't run at startup in safe mode, which is why I could use the machine at all that way. I guess Alureon is smart enough to know when you're on to it- it also appeared to be blocking websites that gave advice on how to kill it.

So I ran the temp cleaner first, and then ComboFix - it was ComboFix that really seemed to sort things out. I saved the log for that if you're interested.

It remains only for me to thank you again. It really is very much appreciated when smart people like you help out the amateurs among us. Good luck with whatever you do. Cheers MD.


Report •

Related Solutions

#4
July 8, 2010 at 17:20:13

"I had to run the programs you named in a different order"
Expect anything when you are dealing with infections, tomorrow it will probably be different.

"I saved the log for that if you're interested"
No thanks, if you need to research anything, this is done by googling, which is what I would have to do, millions upon millions of combination's out there, but rarely are you the first.

You now need to clean up your Restore points & ask yourself, how did I get infected. Obviously your defense system is not good enough, have listed 2 programs that will help.

How Do I Disable & Re-Enable a System Restore After a Virus Infection?
http://windowxptutortips.blogspot.c...
http://www.ehow.com/how_6012864_do-...
http://service1.symantec.com/SUPPOR...
http://service1.symantec.com/SUPPOR...

SpywareBlaster
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.javacoolsoftware.com/spy...
FAQ
http://www.javacoolsoftware.com/spy...

No Autorun
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://noautorun.sourceforge.net/


Report •

#5
July 8, 2010 at 17:28:30

Another big hole in your defense, you must get SP3, once you are sure you are perfectly clean, done the system restore etc, that is a perfect time to install SP3 & then do all the updates.

SP3 download
http://www.microsoft.com/downloads/...
Steps to take before you install Windows XP Service Pack 3
http://support.microsoft.com/kb/950717
Windows XP SP3 - Read all prerequisites for a successful installation
http://msmvps.com/blogs/harrywaldro...
Why Service Packs are Better Than Patches
http://technet.microsoft.com/en-au/...
Windows XP Service Pack 3 - ISO-9660 CD Image File
http://www.microsoft.com/downloads/...
List of fixes that are included in Windows XP Service Pack 3
http://support.microsoft.com/kb/946...
Slipstream Service Pack 3 into Your Windows XP Installation CD
http://lifehacker.com/386526/slipst...


Report •


Ask Question