AVG Forums thread (Virus Removal, Tools for Removing): Possible Rootkit On atapi.sys
May 5, 2012 20:14 Possible Rootkit On atapi.sys #200665
eve_c
Novice
Join Date: 5.5.2012
Posts: 3
Hello,

I am attempting to clean a Windows XP Professional SP2 computer. I am not writing from that computer and can post more specific details in a second post. The only symptom of a virus is DNS resolution problems. If there is a network connection at boot, google.com or www.google.com resolves to 87.125.87.99 (not Google). If a network connection is not present at boot, you can browse (Firefox 12) with Google's DNS resolving normally after you've logged in (for example to 173.194.43.2, which is a Google IP). I've currently manually resolved that by adding entries for google.com pointing to 173.194.43.2 in the hosts file, but occasionally after I have been working on correcting the system files (as below), that is, after I've rebooted from Windows recovery, something edits the hosts file and removes my line for www.google.com.

AVG scans currently turn up only one file:

"Unknown" possible rootkit - Corrupted portion of atapi.sys - addition 1 byte (four-letter code), object is hidden

It's not corrected by removing the file.

When running in safe mode, this flag doesn't turn up in the AVG scan. Attempting to clean that file does not work; it still gives the same error. I tried replacing the file in Windows recovery mode using the SP2 install discs and this process to replace atapi.sys ( http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=63979 ), but after I replace the file and reboot, the DNS problem is not corrected and there are some temporary performance problems on the computer (slow).

However, on searching the machine, I've noticed that there are several copies of atapi.sys , not only at

C:\windows\system32\drivers

but also at

C:\i386
C:\i386\SP2.CAB
C:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183de05c3e
C:\windows\system32\ReinstallBackups\0002\DriverFiles\i386
C:\windows\system32\ReinstallBackups\0003\DriverFiles\i386

Do I need to

expand atapi.sy_

to these directories while in recovery mode, also?

It's AVG Free 12 (downloaded last week); I don't have the version right in front of me.
Other antivirus programs I tried: Spybot, Symantec (now uninstalled), Malwarebytes, Windows Security Essentials

I have also uninstalled and reinstalled TCP/IP, because I thought that the DNS problem might be from a corrupted TCP/IP stack.

I'll post the exact error message shortly.

Thanks
eve_c
May 5, 2012 20:34 Re: Possible Rootkit On atapi.sys #200669
Gary Bee
Novice
Join Date: 29.7.2010
Posts: 296
Hi Eve_C,

The problem is not in the file; it is in the memory of the process running that file. (I spent a week learning that.) The indication in the AVG scan log is NOT clear.

This basic symptom, "Detected… but not Removed", has been common to many posts on the forum recently, and it very often is a Master Boot Record (MBR) virus. Unfortunately, the online AVG program, or any of the other AV utilities, is unable to detect the actual virus in the MBR. While you wait for AVG to respond to confirm this, you can perform a quick check yourself.

The Brief Suggestion (if you are familiar with the tools and methods used on the forum):
Check for a boot virus with aswMBR or, if you have one on hand, a boot scan with the AVG Rescue CD. An MBR virus can be confirmed with one utility and removed with another. If a virus is found and removed, an offline AV scan is advisable.
(The Detailed Version, for most of the rest of us.)

If this check does not find an MBR virus, and it may not, make sure you have collected the Msinfo, GMER and AVG scans, and posted the output files, for diagnostic analysis by AVG (after 1 European business day).

Let us know what you find.
May 5, 2012 22:41 Re: Possible Rootkit On atapi.sys #200685
eve_c
Novice
Join Date: 5.5.2012
Posts: 3
From the AVG and aswMBR logs:

Details:

The avg version is

AVG Free 2012.0.21.69 Engine 2012.0.2411
Virus database version 2411/4969 2012-4-30

The detail of what it finds is

Object name = <unknown>
Detection name = Corrupted Section atapi.sys[.text] +0x67B4, size 1 byte
Object name = file
SDK type = rootkit
Result = Object is hidden

I ran aswMBR

I'm retyping this because I'm keeping the possibly infected machine isolated. It identifies


Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\IDE\IDEDevice P0T0L0 - 3

When it gets to

service scanning
(in yellow)
Service ACPI C:\Windows\System32\Drivers\ACPI.sys **Locked** 32
modules scanning
Disk 0 trace - called modules:
(in red)
ntkrnlpa.exe CLASSPNP.SYS Disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86d861e1]<<
(not colored)
nt!IofCallDriver -> nt!IofCallDriver -> \Device\0000006a [0x86d69d98]
5 ACPI.sys [f750a620] -> nt!IofCallDriver -> \Device\IDE\IDEDevice P0T0L0 - 3 [0x86d69d98]

thanks,
eve_c
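Added example (Python; not part of this thread and not AVG's own detection code): the detection string above names a section and an offset inside the driver image, so a practitioner who has a known-good copy (for instance the atapi.sys expanded from atapi.sy_ in SP2.CAB) can reproduce that kind of finding with a byte comparison that parses the PE section table and maps each differing offset to "section + offset". The PE image below is constructed inside the script so it runs offline, and the tampered offset .text+0x67B4 is chosen to mirror the thread, not taken from a real atapi.sys. Caveat, which matches what Gary Bee said above: this only sees bytes on disk; a patch that exists only in the loaded driver's memory will not show up here, so a clean diff does not clear the machine.

```python
import struct


def parse_sections(image: bytes):
    """Read the PE section table: list of (name, virtual_address, raw_pointer, raw_size)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                         # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                             # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, vaddr, raw_ptr, raw_size))
    return sections


def locate(sections, file_offset):
    """Map a raw file offset to (section name, offset within that section)."""
    for name, _vaddr, raw_ptr, raw_size in sections:
        if raw_ptr <= file_offset < raw_ptr + raw_size:
            return name, file_offset - raw_ptr
    return "<headers/overlay>", file_offset


def diff_driver(reference: bytes, suspect: bytes):
    """Byte-compare a known-good copy against the suspect copy.

    Returns [(section, offset_in_section, reference_byte, suspect_byte)];
    a length mismatch shows up as None on the shorter side.
    """
    sections = parse_sections(reference)
    findings = []
    for i in range(max(len(reference), len(suspect))):
        r = reference[i] if i < len(reference) else None
        s = suspect[i] if i < len(suspect) else None
        if r != s:
            findings.append(locate(sections, i) + (r, s))
    return findings


def format_finding(section, offset, r, s):
    """Render a finding in the style of the AVG detection string quoted above."""
    fmt = lambda b: "--" if b is None else f"0x{b:02X}"
    return f"Corrupted Section {section} +0x{offset:X}, size 1 byte ({fmt(r)} -> {fmt(s)})"


def build_sample_image():
    """Constructed, minimal PE32 blob with .text and .data (NOT a real atapi.sys)."""
    e_lfanew, text_ptr, text_size, data_size = 0x80, 0x400, 0x7000, 0x1000
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    optional = b"\x0b\x01" + b"\0" * 222                 # PE32 magic, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, len(optional), 0x0102)

    def section_header(name, vaddr, raw_ptr, raw_size, flags):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", raw_size, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff + optional
               + section_header(b".text", 0x1000, text_ptr, text_size, 0x60000020)
               + section_header(b".data", 0x8000, text_ptr + text_size, data_size, 0xC0000040)
               ).ljust(text_ptr, b"\0")
    text = bytes((i * 7) & 0xFF for i in range(text_size))     # deterministic filler
    data = bytes((i * 13) & 0xFF for i in range(data_size))
    return headers + text + data


def demo():
    """Flip one byte at .text+0x67B4 (offset chosen to mirror the thread) and find it."""
    clean = build_sample_image()
    tampered = bytearray(clean)
    tampered[0x400 + 0x67B4] ^= 0xFF
    return diff_driver(clean, bytes(tampered))


if __name__ == "__main__":
    for finding in demo():
        print(format_finding(*finding))
```

On a real machine you would read the reference copy and the suspect copy with open(path, "rb") and pass them to diff_driver; anything reported in .text of a driver is worth treating as a patch rather than noise, since code sections do not legitimately change between two copies of the same file version.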
May 5, 2012 22:54 Re: Possible Rootkit On atapi.sys #200689
eve_c
Novice
Join Date: 5.5.2012
Posts: 3
Also, Gary Bee, I read your instructions on using aswMBR to remove MBR viruses. When the scan completed, the [FIX] button was greyed out, but the [FIXMBR] button to the left was black and "click-able"-- Did your instructions about using this apply to the [FIXMBR] as well (hold power button for one second and then click fix)?

Thanks
eve_c
May 6, 2012 00:58 Re: Possible Rootkit On atapi.sys #200701
Gary Bee
Novice
Join Date: 29.7.2010
Posts: 296
Eve_C,

Sorry, I didn't see your reply and respond sooner.

I'm not familiar with the behavior of the utility under all possible infections (and there are many). My understanding, if you read the instructions on the aswMBR site, is that [FIX] is enabled for some problems and [FIXMBR] for others, but it has always been enabled when I have run the utility. I had the [FIX] button become enabled even though no lines were displayed in red.

My understanding of [FIXMBR] is that it just overwrites the MBR, but I have not used it. You can also perform an MBR overwrite from the Windows Recovery Console or Environment that you mentioned you had available. Immediately powering down is necessary with either button in aswMBR because the virus is active in memory and will usually overwrite your correction.

As I mentioned in the big post, any method involves some risk. I believe those risks to be small, but the techs for the companies (AVG, Microsoft, etc.) have lawyers looking over their shoulders.
May 6, 2012 01:24 Re: Possible Rootkit On atapi.sys #200705
temp_r_c
Novice
Join Date: 6.5.2012
Posts: 3
From eve_c under a different account: scan logs.

These files are

gmer log
avg scan no 1
May 6, 2012 01:28 Re: Possible Rootkit On atapi.sys #200707
temp_r_c
Novice
Join Date: 6.5.2012
Posts: 3
Another file: the aswMBR output.

EDIT: I can't attach msinfo; it's a system info file. It says that zip files are also not accepted.
May 6, 2012 16:00 Re: Possible Rootkit On atapi.sys #200775
Gary Bee
Novice
Join Date: 29.7.2010
Posts: 296
temp_r_c wrote:
> another file... aswMBR output

While your specific infection is not recognized by name by aswMBR, this log file definitely indicates a virus in your boot sequence, particularly the lines:
- Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
- Modules scanning
- Disk 0 trace - called modules:
- ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86d861e1]<<

Have you replaced the MBR with one of the Windows offline utilities? It is the preferred remedy for an MBR rootkit. I am fairly certain that tomorrow, after they have had a chance to review, AVG will respond with their standard pre-prepared recommendation found in many of the recent threads.
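Added example (Python; not part of the thread and not a feature of aswMBR): the triage Gary Bee describes, turned into a check you can run over a saved aswMBR log. It flags a driver service the tool reports as **LOCKED**, flags a >>UNKNOWN [0x...]<< entry in the "Disk 0 trace" chain, records which named module sits just before the unknown one (here atapi.sys, meaning the foreign code is reached after the IDE driver on the disk path), and notes whether the address lies in 32-bit XP kernel space. Both log samples are constructed from the lines quoted in this thread, and the regular expressions assume that line layout, which is what aswMBR printed here but is not a documented format. A log with neither marker, like the one posted after fixmbr below, produces no findings; absence of findings is triage, not proof of a clean disk.

```python
import re

# Constructed sample, modelled on the lines quoted in this thread (not a real aswMBR log file).
INFECTED_LOG = """\
Disk 0 (boot) \\Device\\Harddisk0\\DR0 -> \\Device\\Ide\\IdeDeviceP0T0L0-3
Service scanning
Service ACPI C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys **LOCKED** 32
Service atapi C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
Modules scanning
Disk 0 trace - called modules:
ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86d861e1]<<
1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x86d69d98]
5 ACPI.sys[0xf750a620] -> nt!IofCallDriver -> \\Device\\Ide\\IdeDeviceP0T0L0-3[0x86d69d98]
Scan finished successfully
"""

# Constructed "after repair" sample: same layout, no locked service, no unknown module.
CLEAN_LOG = """\
Disk 0 (boot) \\Device\\Harddisk0\\DR0 -> \\Device\\Ide\\IdeDeviceP0T0L0-3
Service scanning
Service ACPI C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
Modules scanning
Disk 0 trace - called modules:
ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
Scan finished successfully
"""

# Line shapes assumed from the quoted output: "Service <name> <path> **LOCKED** <n>"
# and "<module> <module> ... >>UNKNOWN [0x<hex>]<<".
LOCKED_RE = re.compile(r"^Service\s+(?P<svc>\S+)\s+(?P<path>.+?)\s+\*\*LOCKED\*\*", re.I)
UNKNOWN_RE = re.compile(r"^(?P<chain>.*?)\s*>>UNKNOWN\s+\[0x(?P<addr>[0-9a-f]+)\]<<", re.I)
KERNEL_BASE_X86 = 0x80000000   # 32-bit XP default 2/2 split: kernel addresses are >= 0x80000000


def triage_aswmbr(log_text):
    """Return a list of findings (dicts) for the boot-path anomalies the forum thread keys on."""
    findings = []
    for line in log_text.splitlines():
        m = LOCKED_RE.match(line)
        if m:
            findings.append({"kind": "locked_service", "service": m["svc"],
                             "path": m["path"], "line": line})
            continue
        m = UNKNOWN_RE.match(line)
        if m:
            chain = m["chain"].split()          # named modules that precede the unknown one
            addr = int(m["addr"], 16)
            findings.append({"kind": "unknown_module_in_trace", "addr": addr,
                             "kernel_space": addr >= KERNEL_BASE_X86,
                             "last_known": chain[-1] if chain else None, "line": line})
    return findings


def verdict(findings):
    """Summarise the findings in the terms used in the thread."""
    if not findings:
        return "clean: no locked services and no unknown module in the disk trace"
    parts = []
    for f in findings:
        if f["kind"] == "locked_service":
            parts.append(f"service {f['service']} is locked ({f['path']})")
        else:
            where = "kernel" if f["kernel_space"] else "user"
            parts.append(f"unknown {where}-space code at 0x{f['addr']:08x} after {f['last_known']}")
    return "suspect: " + "; ".join(parts)


if __name__ == "__main__":
    print(verdict(triage_aswmbr(INFECTED_LOG)))
    print(verdict(triage_aswmbr(CLEAN_LOG)))
```

To run it on a real saved log, read the file with open(path, encoding="utf-8", errors="replace").read() and pass the text to triage_aswmbr; the "last_known" field is the one worth reading first, because it tells you which legitimate driver the unnamed code is attached behind.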
May 7, 2012 06:20 Re: Possible Rootkit On atapi.sys #200893
temp_r_c
Novice
Join Date: 6.5.2012
Posts: 3
Post Windows Recovery fixmbr and AVG Rescue boot CD..

I am posting an aswMBR log from after a successful Windows Recovery fixmbr, immediately followed by booting with the AVG Rescue CD and a scan. The scan turned up one file:

/mnt/sda/WINDOWS/system32/drivers/acpi.sys

Trojan horse agent3.WJV; Object is white-listed (critical/system file that should not be removed)

Therefore I booted into Windows recovery again and expanded that file from the XP SP2 disc into C:\windows\system32\drivers.

Then I booted from the HDD and ran the aswMBR scan whose log I am posting now.

Nothing comes up in red or yellow on the aswMBR scan. Is it clean?

Nothing is found in an AVG GUI scan. I've attached that log, also.
May 7, 2012 08:58 Re: Possible Rootkit On atapi.sys #200927
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello temp_r_c,

AVG scan results indicate that the infection has been removed, so your computer should be clean now.

If the issue reappears please let us know.

Thank you.

AVG Team