I am attempting to clean a Windows XP Professional SP 2 computer. I am not writing from that computer and can post more specific details in a second post. The only symptoms of a virus are DNS resolution problems. If, on boot, there is a network connection, when resolving google.com or www.google.com, it will resolve to 18.104.22.168 (not google). If a network connection is not present at boot, you can browse (firefox 12) with google's dns resolving normally after you've logged in (for example to 22.214.171.124 - which is a google ip). I've currently manually resolved that by typing in resolutions for google.com to 126.96.36.199 in the hosts file, but occasionally after I have been working on correcting the system files (as below)- that is, after I've rebooted from windows recovery, something will edit the hosts file and remove my line for www.google.com
AVG scans currently turn up only one file:
"Unknown" possible rootkit - Corrupted portion of atapi.sys - addition 1 bytes (four letter code), object is hidden
It's not corrected by removing the file.
When running in safe mode, this flag doesn't turn up in the avg scan. Attempting to clean that file does not work, it still gives the same error. I tried replacing the file in windows recovery mode by using SP2 install discs and this process to replace atapi.sys ( http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=63979 ), but after I replace the file and reboot, the dns problem is not corrected and there are some temporary performance problems for the computer (slow).
However, on searching the machine, I've noticed that there are several copies of atapi.sys , not only at
The problem is not in the file, it is in the memory of the process running that file. (I spent a week learning that). The indication in the AVG Scan Log is NOT clear.
This basic symptom, "Detected…but not Removed", has been common to many Posts on the Forum recently, and it very often is a Master Boot Record(MBR) virus. Unfortunately, the online AVG program, or any of the other AV utilities, is unable to detect the actual virus in the MBR. As you wait for AVG to respond to confirm this, you can perform a quick check yourself.
The Brief Suggestion: (if you are familiar with the tools and methods used on the Forum)
Check for Boot Virus with aswMBR, or if you have one on hand, a Boot Scan on the AVG Rsc CD. MBR virus can be Confirmed with one utility and Removed with another. If a virus found and removed, an offline AV scan is advisable. (The Detailed Version, for most of the rest of us.)
Also, Gary Bee, I read your instructions on using aswMBR to remove MBR viruses. When the scan completed, the [FIX] button was greyed out, but the [FIXMBR] button to the left was black and "click-able"-- Did your instructions about using this apply to the [FIXMBR] as well (hold power button for one second and then click fix)?
Sorry, I didn't see your reply and respond sooner.
I'm not familiar with the behavior of the utility under all possible infections (and there are many). My understanding, and if you read the instructions on the aswMBR site, is that the [FIX] is enabled for some problems, and the [MBRFIX] for others, but it is always enabled when I have run the utility. I had the [FIX] button become enabled even though no lines were displayed in red.
My understanding of the [FIXMBR] is that it just overwrites the MBR, but I have not used it. You can also perform a MBR overwrite from the Win Recovery Console or Environment, you mentioned you had available. Immediately powering down is necessary with either button in aswMBR because the virus is active in memory and will usually overwrite your correction.
As I mentioned in the big post, any method involves some risk. I believe those to be small, but the techs for the companies (AVG, Microsoft, etc.) have lawyers looking over their shoulders.
While your specific infection is not recognized with a name by aswMBR, this log file definitely indicates a virus in your boot sequence, particularly the lines: - Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
- Modules scanning
- Disk 0 trace - called modules:
- ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86d861e1]<<
Have you replaced the MBR with one of the Windows Offline Utilities? It is the preferred remedy for a MBR Rootkit. I am fairly certain that tomorrow, after they have had a chance to review, AVG will respond with their standard pre-prepared recommendation found in many of the recent Threads.