atapi.sys infected with Win32 Alureon-EU

[wiz733]

Hi,
i have a computer that was infected with malwares/viruses.
i scanned the pc with malwarebytes and avast. it did find some things and removed them.

i have 2 errors in the event viewer every time the pc boot:
"Event ID: 45 Source: ftdisk" and "Event ID: 49 Source: ftdisk".
i found some messages that said to try to rename the atapi.sys file and then
the windows system will create a new atapi.sys file. windows system did create a new one but then i got a warning message from avast that saying it found the virus "Win32 Alureon-EU" in the atapi.sys file.

i also noticed that drive "c" is not showing up in Disk Management, only drive "d" which is another hard disk and drive "e" which is the cd-rom.
i am able to see and access drive "c" using explorer with no problem.

do i have this virus or is it something else?

Thanks for any help.

[chachazero-tan]

Unfortunately this is a FP (False Positive), which means Avast! is wrongly detecting a valid Windows' system file as a virus/trojan. Best course of action is not to do ANYTHING and wait for a new VPS (Virus definitions file) to be released that deals with the issue.

Atapi.sys is a Windows system file that deals with input/output access to devices (harddisks, cdroms, etc) that comply with such an interface (connector type and data bus). It is not a file that can be targeted for virus/malware infection since it is always in use and its deletion or modification leads to system unstability or unuseability which would essentially negate the purpose of the trojan or virus, which is either theft or to spread.

Since one of your HDDs has "disappeared", I'd advice to perform a system restore so that the earlier settings are recovered. Once you recover, if Avast! nags about atapi.sys being infected, click on "ignore" or "do nothing" until the alert goes away & wait for the VPS update.

Best of luck.

[Onix]

Try to check the file to http://www.virustotal.com/ and post the link to results here.(atapi.sys is located in the folder C:\Windows\System32\drivers)

[wiz733]

Try to check the file to http://www.virustotal.com/ and post the link to results here.(atapi.sys is located in the folder C:\Windows\System32\drivers)

Thank you, i'll try that.
i saw a thread in another forum where another person had the problem of not be able to see the "c" drive in Disk Management. in the end it was some kind of a virus that caused it.
should i run malwarebytes again?  or maybe other scan program?

[Onix]

Follow these instructions of essexboy:
http://forum.avast.com/index.php?topic=53205.msg451521#msg451521

[wiz733]

i uploaded the atapi.sys file to www.virustotal.com
http://www.virustotal.com/analisis/0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d-1263275504

[Onix]

Did you use Combofix?

[wiz733]

Did you use Combofix?

not yet, i'm not near that pc right now.
i'll try to run Combofix later.

i didn't really understand what was the result on virustotal.com scan.

Thanks.

[Onix]

The file is clear...

[wiz733]

i'm having some problems with the pc power supply so i need to replace it.
i hope i'll do that in a couple of days and then i will run Combofix and i'll post
the LOG file here.

btw, if i decide to format the pc, i'll want to backup some files before.
what tools can i use to check those backup files for any viruses or malwares?
is using avast and malwarebytes to scan those files is enough?

Thanks.

[Onix]

You can use also Dr.Web Cureit or Kaspersky Removal Tool

[chulmleigh24]

I am getting the same false positive with atapi.sys in the \drivers subdirectory but it only shows on a defrag, not at system startup and not if this and two other copies are individually scanned both by avast, by 2 online scanners and by actually submitting the file to a remote scanning site. I've simply ignored it from the start and machine is working no differently. Latest update from Avast was today but it is still showing as infected if I do a defrag.

[micky77]

I am getting the same false positive with atapi.sys

There has been an incredible amount of true atapi.sys infections recently. This infection is a rootkit. For confirmation of whether this is malware or a fp please scan with Gmer and report the findings

http://www.gmer.net/

[essexboy]

atapi.sys can be infected along with other system files by the TDSS rootkit - this hooks the file, so if it is uploaded to a virus checker it will show clean

Are you getting any redirects or slowdowns on your system ? If not then it may well be a false positive