Topic: Closed Thread

Masley
Closed Thread
« on: December 19, 2009, 12:29:45 AM »
UPDATE: Help was not given to the original poster. Please view Masley's posts in this thread!

Had an avast pop-up box appear stating a virus was found. It says the malware name is Win32:Alureon-EU. File name: C:\WINDOWS\system32\drivers\atapi. Not sure if the box itself was malware, so I ran an avast scan; it came back clean. Finally I clicked, as directed, on "Move to Chest"; the box disappeared, then reappeared.

I have other problems I'm sure are related. Ex: "iexplore application error" and "cannot find logon.exe". I'm pretty certain I contracted the Trojan Generic and am guessing the registry and/or DNS were changed even though I think the virus itself is gone.

I've researched on a friend's computer and disabled add-ons, and can't fix this!! I'm a novice at this stuff and terrified of doing anything else, especially messing with the registry. I would be grateful for any help!!

« Last Edit: December 21, 2009, 08:58:58 PM by Masley »

Masley
Re: New variation of Alureon? EU. Cannot Move to Chest or Repair. Yikes!
« Reply #1 on: December 19, 2009, 02:13:58 AM »
Update! Computer crashed; I'm using another to write this.

Before the crash I reran Malwarebytes: 0 infections anywhere. In the Avast Virus Warning window that keeps popping up I clicked on Schedule Boot Scan. It stated that it needed to restart, so I clicked OK. Upon restart I got the blue screen of death!! It said I needed to check for viruses on any new hardware I'd installed. First of all, I hadn't installed any, and second, I have no idea how to remove a virus from a blue screen.

I'm clueless on what to do now.


Jtaylor83
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #2 on: December 19, 2009, 03:50:17 AM »
That means the atapi.sys driver is patched.

Download and run ComboFix by sUBs from here, and save it under a different name or CFix will not run correctly. (Note: this is a beta version.)

Double-click on ComboFix and follow the prompts. CFix will alert you if a rootkit is found. CFix will replace the infected atapi.sys driver with a clean one.

When CFix is finished, it will create a log. Post or attach the log.

DavidR
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #3 on: December 19, 2009, 04:09:56 AM »
Not sure if it is available, as it was pulled recently because of a problem with a particular rootkit, and I don't know if that is it.

cakedoer2
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #4 on: December 19, 2009, 08:11:59 PM »
Help, I have the same problem. The infected file is atapi.sys; I have tried to delete it and move it to the chest, but to no avail.

Avast can't delete it. What can? I refuse to reboot because I've heard machines crash after that.

Running XP Pro SP3 with an Intel Pentium Dual Core processor.

Help as soon as you can! The infection was just around 20 minutes ago.

EDIT: I recently ran a suspicious exe that deleted itself when I double-clicked it.

EDIT 2: Avast stopped notifying; I think it got healed or something.
« Last Edit: December 19, 2009, 08:37:17 PM by cakedoer2 »

polonus
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #5 on: December 19, 2009, 10:31:12 PM »
Hi cakedoer2,

Yes... a large number of victims we've seen in the past 2 weeks who were infected with malware also had this Atapi.sys rootkit. If your searches are getting redirected and you've scanned with just about everything you can think of, then there's a pretty good chance your atapi.sys has been patched (Microsoft Security Essentials detects a spawned dll from this rootkit... I think it's called AlureonCT).

One easy way to find out if you have a patched Atapi.sys is to run the latest copy of GMER Anti-RootKit. Upon opening, GMER will run a very fast quick scan. If you see any entries like \DEVICE\HARDDISK\Atapi (something like that) or Atapi.sys "suspicious modification" (especially this one), then you're probably dealing with this very nasty rootkit.

For clients that run Windows XP I've just been using Combofix (Combofix disinfects Atapi.sys).  For other operating systems (32-bit) I've just been using a bootable anti-malware disc (bartpe) and replacing atapi.sys with one from the Windows disc. Combofix comes from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
or
http://www.forospyware.com/sUBs/ComboFix.exe

Download Combofix to your desktop.
Rename ComboFix to Combo-Fix when saving it to the desktop.
Temporarily disable your antivirus and any antispyware real-time protection before running a scan with Combo-Fix. Here is a list of programs that have to be exited for security reasons: http://www.bleepingcomputer.com/forums/topic114351.html

Double-click Combo-Fix.exe and follow the instructions.

Vista users: right-click Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).

Do not click in the Combo-Fix window as it runs; this can cause it to hang. You do not want to do that.

When the scan has been performed, a txt window will open up.

Post the contents of this log as an attached txt file in your next posting.

Do not forget to re-enable your AV and antispyware software when ComboFix has finished.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

essexboy
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #6 on: December 19, 2009, 11:46:19 PM »
Combofix is currently pulled. There is a limited-access version, but it can only be used where it is really needed. If you try to delete the file your system will die; a fightback by the rootkit was the reason that CF was pulled.

For Atapi.sys, nvata.sys and various other animals, use the following programme as the first stage in clearing the infection:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


  • If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to do nothing to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

cakedoer2
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #7 on: December 20, 2009, 08:31:13 PM »
Hello,

I finally shut down because of hundreds of system errors before getting a reply, so all is lost.

Or not?

By luck, perhaps, I had a second OS on this computer which I rarely use: Windows 7. However, I have little space (less than 60 MB), so I can't do much. Any ideas? My XP is still intact, but it gives some sort of error when trying the XP install disc I have (probably the virus, since it shows some sort of weird text [understandable, but some sort of boot failure things which I barely understood and hardly remember]), and it got a blue screen of death after trying to boot normally. Is there any way I can make my XP work while running Windows 7? Can I replace atapi.sys or something? Thank you in advance!

By the way, help would be very very very much appreciated, thank you, again!

I think this is the first time Avast has really let me down. But I suppose this is somehow my fault as well.

-CakeDoer

EDIT: Holy f***, my Windows 7 F-Secure found a virus when I highlighted atapi.sys! Hope this will fix everything.

Here is the message:

"The virus was removed, but your computer remains infected until it is restarted. Restart your computer now to complete the cleaning process"

The details show a lot of rootkits; here it is, all "Rootkit:W32/TDSS.Gen!D", which is also known as Alureon.

Please reply soon guys, and again, thank you for your replies!

« Last Edit: December 20, 2009, 08:43:20 PM by cakedoer2 »

cakedoer2
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #8 on: December 20, 2009, 09:16:22 PM »
Sorry to double post;

apparently F-Secure has also tried to quarantine, block, replace, rename and remove the virus multiple times, and now it wants me to restart to fix atapi.sys. I'm guessing some other program/process is continuously restoring it. >:( I'm not sure what to do now. :(

essexboy
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #9 on: December 20, 2009, 09:25:02 PM »
Can you access the XP partition?

Atapi.sys needs to be replaced with one without the hook in it, but to get it back up and running again you may replace it and then go through the cleaning routine. Unfortunately it looks like your AV may have killed the file, thereby stopping you from booting.

From 7, replace the atapi.sys file, then boot into XP.

Having done that, run TDSSKiller as detailed in my previous post.

cakedoer2
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #10 on: December 20, 2009, 10:10:56 PM »
Yes, I can access the XP partition through 7. However, I am not sure if replacing will work (so far running XP has only caused blue screens), and the atapi gets back and back and back and back... and back. I will gladly try replacing it, but I need something to replace it with first.

XP is SP3 Professional 32-bit.

polonus
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #11 on: December 20, 2009, 10:24:46 PM »
Hi cakedoer,

Here is another solution that was successful for someone.

So you can fix this using your XP SP3 CD...
Browse the CD to the I386 folder in the command line and run 'expand atapi.sy_ c:\atapi.sys'.
Install the Recovery Console ( http://support.microsoft.com/kb/307654 ).
Reboot, and in the boot menu, boot into the Recovery Console.
Browse to c:\windows\system32\drivers and delete the infected file: 'del atapi.sys'.
Copy the fresh atapi that you just expanded from your XP disc: 'copy c:\atapi.sys c:\windows\system32\drivers'.
Do the same for c:\windows\system32\dllcache (that is, delete the atapi.sys in dllcache, and copy the fresh one in).
[Note: before deleting the infected atapi files, rename them and copy them to another folder in case something goes wrong.]

Then you just reboot and open up your browser to test it... and...

polonus
« Last Edit: December 20, 2009, 10:26:23 PM by polonus »

essexboy
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #12 on: December 20, 2009, 10:25:29 PM »
Look in the following locations in your XP files, then copy it to the C:\Windows\System32\drivers folder:

C:\Windows\System32\dllcache
C:\i386
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
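The two posts above describe the same repair from two angles: polonus (Reply #11) expands a fresh atapi.sys from the CD and swaps it in after renaming the infected one aside, and essexboy (Reply #12) lists spare copies already on the XP partition (dllcache, i386, DriverStore) that can serve the same purpose. The script below is an added example for this thread, not code from the thread or from avast, ComboFix, TDSSKiller or any other tool named in it. It does the check a practitioner wants before swapping files blindly: hash drivers\atapi.sys against the spare copies, confirm the spares agree with each other, show where the bytes differ, and only then move the suspect file to a backup folder and copy a reference in. It assumes the XP partition is mounted from another OS (cakedoer2's second Windows install, or a boot CD) so the rootkit is not running and cannot hide the patched file from reads; every path is a parameter, and `demo()` builds constructed stand-in files in a temp directory because no real driver is shipped here.

```python
"""Offline check and replacement of a suspect atapi.sys.

Added example for this thread; not code from the thread or from avast,
ComboFix, TDSSKiller or any other tool named in it. Assumes the infected
XP partition is mounted from another OS so the rootkit is not running.
All paths are parameters; demo() uses constructed sample files.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks (driver files are small, but stay general)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver_copies(live_driver, reference_copies):
    """Compare drivers\\atapi.sys against spare copies on the same install.

    reference_copies: candidate clean copies (dllcache, i386, DriverStore,
    atapi.sy_ expanded from the CD). Missing ones are skipped, not counted.
    Returns (verdict, details). A same-size mismatch is the case to watch:
    an in-place patch leaves the size alone, so size alone proves nothing.
    """
    live_hash, live_size = sha256_of(live_driver), os.path.getsize(live_driver)
    refs = {p: (sha256_of(p), os.path.getsize(p))
            for p in reference_copies if os.path.isfile(p)}
    matches = [p for p, (h, _) in refs.items() if h == live_hash]
    same_size_mismatch = [p for p, (h, s) in refs.items()
                          if h != live_hash and s == live_size]
    # If the references agree with each other and the live file differs,
    # the live file is the odd one out.
    ref_hashes = {h for h, _ in refs.values()}
    if not refs:
        verdict = "no-reference"
    elif matches:
        verdict = "matches-reference"
    elif len(ref_hashes) == 1:
        verdict = "mismatch-references-agree"
    else:
        verdict = "mismatch-references-disagree"
    return verdict, {"live": (live_hash, live_size), "refs": refs,
                     "matches": matches, "same_size_mismatch": same_size_mismatch}


def differing_offsets(live_driver, reference, limit=16):
    """First `limit` byte offsets where the two files differ (plus a length marker)."""
    with open(live_driver, "rb") as f:
        a = f.read()
    with open(reference, "rb") as f:
        b = f.read()
    offs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):
        offs.append(min(len(a), len(b)))
    return offs[:limit]


def replace_with_backup(live_driver, reference, backup_dir):
    """Move the suspect file aside first (polonus's note), then copy the
    reference in. Returns the backup path. Refuses a no-op replacement."""
    if sha256_of(live_driver) == sha256_of(reference):
        raise ValueError("live driver already matches the reference")
    os.makedirs(backup_dir, exist_ok=True)
    backup = os.path.join(backup_dir, "atapi.sys.suspect")
    shutil.move(live_driver, backup)
    shutil.copy2(reference, live_driver)
    return backup


def demo():
    """Constructed scenario: two agreeing spare copies, one in-place patched live copy."""
    clean = b"MZ" + bytes(range(256)) * 16  # constructed stand-in, not a real driver
    patched = bytearray(clean)
    patched[0x100:0x108] = b"\xe9\x00\x10\x00\x00\x90\x90\x90"  # same size, bytes changed
    root = tempfile.mkdtemp(prefix="atapi-demo-")
    live = os.path.join(root, "drivers", "atapi.sys")
    dllcache = os.path.join(root, "dllcache", "atapi.sys")
    i386 = os.path.join(root, "i386", "atapi.sys")
    for p, data in ((live, bytes(patched)), (dllcache, clean), (i386, clean)):
        os.makedirs(os.path.dirname(p))
        with open(p, "wb") as f:
            f.write(data)
    verdict, details = compare_driver_copies(
        live, [dllcache, i386, os.path.join(root, "missing")])
    offsets = differing_offsets(live, dllcache)
    backup = replace_with_backup(live, dllcache, os.path.join(root, "backup"))
    after, _ = compare_driver_copies(live, [dllcache, i386])
    shutil.rmtree(root)
    return {"before": verdict, "same_size_mismatch": len(details["same_size_mismatch"]),
            "offsets": offsets, "backup_name": os.path.basename(backup), "after": after}


if __name__ == "__main__":
    print(demo())
```

Two cautions that follow from the thread. The reference must come from the same Windows version and service pack as the partition being repaired (the thread points at the XP SP3 CD and the XP partition's own dllcache and i386 for exactly that reason); the host Windows 7 install's atapi.sys is not a substitute. And if the spare copies disagree with each other, the verdict is "mismatch-references-disagree" and none of them should be trusted without an expanded copy from install media to break the tie, since the dllcache copy can be overwritten too.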

cakedoer2
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #13 on: December 21, 2009, 02:36:57 PM »
Quote from: polonus on December 20, 2009, 10:24:46 PM
Hi cakedoer,

Here is another solution that was successful for someone.

So you can fix this using your XP Sp3 cd ...
browse the cd to I386 folder in the command line and 'expand atapi.sy_ c:\atapi.sys'
Install the recovery console ( http://support.microsoft.com/kb/307654 )
reboot, in the boot menu, booted into the recovery console
browse to c:\windows\system32\drivers and delete the infected file - 'del atapi.sys'
copy the fresh atapi that you just expanded from your XP disc - 'copy c:\atapi.sys c:\windows\system32\drivers'
do the same for c:\windows\system32\dllcache (that is, delete the atapi.sys in dllcache, and copy the fresh one in)
[note: before deleting the infected atapi files, you rename them and copy them to another folder in case that something goes wrong]

Then you just will reboot and open up your browser to test it ... and ...

polonus

I said I can't run the install CD.

I'm trying EssexBoy's thing right now.

cakedoer2
Re: Blue Screen of Death! New variation of Alureon? EU.
« Reply #14 on: December 21, 2009, 02:58:58 PM »
Update:

EssexBoy's suggestion did not work either. A very short blue screen appears when I try to run the system, for less than a second, not enough to see what is written.

I may have to resort to saving all precious data and doing a full system format.