
Author Topic: atapi.sys infected with rootkit  (Read 26858 times)


Stillborn

    Topic Starter


    Rookie

    Re: atapi.sys infected with rootkit
    « Reply #15 on: November 14, 2009, 09:48:49 PM »
    It was an empty folder which is gone now. I ran AVG and had it just scan C:\Windows\System32\drivers\ and it came back clean. I also had VirusTotal scan the new atapi.sys, which came back clean as well. I'm currently running MBAM and a full AVG scan and installing CCleaner. I'll also run an online scan after CCleaner is installed and run and let you know, but as of right now it seems like it's gone.

    I have a question though. I obviously tried ComboFix to try to replace atapi.sys and when I got the warning I decided to come here. My first instinct after that, though, was to get into safe mode with command prompt and copy the files that way. Would it have worked? And if not, would running a command prompt from a restore CD/flash drive and copying the file have worked?

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: atapi.sys infected with rootkit
    « Reply #16 on: November 14, 2009, 10:07:12 PM »
    Yes, you most likely could have copied it in a number of ways. You just have to be very careful with that file. Without it Windows will not boot, which is why AVG wouldn't remove it.

    Hopefully nothing else will be found, but since the other file that we deleted was there, you never know what else might come up. As a precaution we should run a scanner that doesn't remove what it finds, to be on the safe side.

    Use Panda instead of ESET.

    Scan your computer with Panda ActiveScan

    * Once you are on the Panda site click the Scan your PC now button.
    * A new window will open...click the Scan Now button.
    * If it wants to install an ActiveX component allow it.
    * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
    * You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
    * The scan will begin. Please be patient as it can take an hour or more to complete.
    * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
    * Save the ActiveScan.txt to a convenient location like your desktop.
    * Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

    * Post the contents of the ActiveScan report in your next reply.
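The copy-from-a-recovery-environment approach asked about in Reply #15 and confirmed in Reply #16, as an added example that is not from either poster: a Python script run from a Linux live USB with the Windows volume mounted (the mount point, the location of the reference copy and the backup directory are all assumptions). It hashes the installed driver against a known-clean reference copy taken from install media of the same Windows version and service pack, refuses anything that is not even a PE file, backs up the current file, and replaces it with a write-then-rename so a failed copy can never leave a half-written atapi.sys behind. It does not verify the Authenticode signature, so the reference copy must itself be trusted.

```python
"""Added example (not from the forum thread): verify and replace a boot-critical
Windows driver offline, e.g. from a Linux live USB with the Windows volume
mounted under /mnt/win.  All paths are assumptions for illustration."""
import hashlib
import os
import shutil
import struct
import time


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large drivers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """Cheap sanity check: DOS 'MZ' stub plus a 'PE\\0\\0' header at e_lfanew.
    This does not validate the Authenticode signature; it only refuses files
    that are not Windows executables at all (wrong file, truncated copy)."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def replace_driver(installed, reference, backup_dir):
    """Back up `installed`, then atomically replace it with `reference`.
    Returns 'bad-reference', 'unchanged', 'replaced' or 'verify-failed'."""
    if not looks_like_pe(reference):
        return "bad-reference"
    ref_hash = sha256_of(reference)
    if os.path.exists(installed) and sha256_of(installed) == ref_hash:
        return "unchanged"
    os.makedirs(backup_dir, exist_ok=True)
    if os.path.exists(installed):
        stamp = time.strftime("%Y%m%d%H%M%S")
        backup = os.path.join(backup_dir, os.path.basename(installed) + "." + stamp)
        shutil.copy2(installed, backup)
    # Write next to the target and rename, so a failed copy never leaves a
    # half-written atapi.sys (which would stop Windows from booting).
    tmp = installed + ".new"
    shutil.copy2(reference, tmp)
    os.replace(tmp, installed)
    if sha256_of(installed) != ref_hash:
        return "verify-failed"
    return "replaced"


def make_minimal_pe(path, payload):
    """Constructed test fixture: a tiny file with a valid MZ/PE header layout
    (not a real driver), so the checks above have something to run on."""
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    with open(path, "wb") as f:
        f.write(bytes(header) + b"PE\0\0" + payload)


if __name__ == "__main__":
    # Stand-alone demo on constructed files; on a real box the arguments would be
    # something like /mnt/win/Windows/System32/drivers/atapi.sys, the reference
    # copy from install media, and a backup directory on the same volume.
    import tempfile
    d = tempfile.mkdtemp()
    make_minimal_pe(os.path.join(d, "ref_atapi.sys"), b"known-good bytes")
    make_minimal_pe(os.path.join(d, "atapi.sys"), b"patched bytes")
    print(replace_driver(os.path.join(d, "atapi.sys"),
                         os.path.join(d, "ref_atapi.sys"),
                         os.path.join(d, "backup")))
```

The backup step matters more than it looks: if the reference turns out to be the wrong build for the installed service pack, the box still will not boot, and the timestamped copy is what lets you put the original back from the same live USB.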


    Stillborn

      Topic Starter


      Rookie

      Re: atapi.sys infected with rootkit
      « Reply #17 on: November 15, 2009, 12:48:07 AM »
      ;*****************************************************************************
      ANALYSIS: 2009-11-15 02:48:51
      PROTECTIONS: 1
      MALWARE: 7
      SUSPECTS: 3
      ;*****************************************************************************
      PROTECTIONS
      Description                                  Version                       Active    Updated
      ;====================================================================
      AVG Anti-Virus Free                                                        Yes       Yes
      ;====================================================================
      MALWARE
      Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
      ;====================================================================
      00020386  Application/MotherboardMonitor.A   HackTools           No        0         Yes            No           c:\program files\mirc\moo.dll
      00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\stillborn@atdmt[1].txt
      00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\stillborn@fastclick[1].txt
      00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\[email protected][2].txt
      00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\[email protected][2].txt
      00815304  mIRC/Gen                           Virus/Worm          No        0         Yes            No           c:\program files\mirc\backups\aliases.ini
      00954094  Rootkit/Bagle.UV                   Virus/Worm          No        1         Yes            No           c:\avenger\utizmjqx.sys
      03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\avenger\atapi.sys
      ;====================================================================
      SUSPECTS
      Sent      Location
      ;====================================================================
      No        c:\program files\mirc\backups\mirc.exe
      No        c:\program files\mirc\mirc-keygen\keygen.exe
      No        c:\users\stillborn\documents\utilities and installers\uniblue powersuite 2009\setup.exe
      ;====================================================================
      VULNERABILITIES
      Id        Severity       Description
      ;====================================================================
      « Last Edit: November 15, 2009, 09:57:15 AM by evilfantasy »

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: atapi.sys infected with rootkit
      « Reply #18 on: November 15, 2009, 10:00:23 AM »
      Using cracks will get you infected every time...



      Download OTM by OldTimer to your desktop.

      Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

      * Save it to your Desktop.
      * Double-click OTM.exe to run it.
      * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

      Code:
      :Processes
      explorer.exe

      :services

      :reg

      :files
      c:\program files\mirc
      c:\avenger\utizmjqx.sys
      c:\avenger\atapi.sys

      :Commands
      [purity]
      [emptytemp]
      [start explorer]

      * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
      * Click the red Moveit! button.
      * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

      * Close OTM

      Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.
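The hand triage in Replies #17 and #18 (read the ActiveScan export, ignore the tracking cookies, turn the remaining file paths into an OTM :files section), as an added Python example that is neither the forum's nor Panda's or OldTimer's code. The column layout it parses is an assumption taken from the export above (whitespace-separated, Description and Location may contain spaces, Location last). The sample report is constructed from the thread's entries plus one made-up line under c:\windows\system32\drivers, added only to show why system-directory hits are routed to manual review instead of being moved: a patched atapi.sys has to be replaced with a clean copy, not deleted.

```python
"""Added example (not from the thread, Panda or OldTimer): parse the MALWARE and
SUSPECTS sections of a Panda ActiveScan export and build the :files block of an
OTM script from it."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "id description type active severity location")

# Columns are whitespace-separated, but Description and Location may contain
# spaces, so the pattern anchors on the fixed-vocabulary columns in between
# (Active Yes/No, numeric Severity, Disinfectable, Disinfected).  Assumed layout.
MALWARE_RE = re.compile(
    r"^\s*(?P<id>\d{8})\s+(?P<description>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+(?:Yes|No)\s+(?:Yes|No)\s+"
    r"(?P<location>\S.*?)\s*$"
)
SUSPECT_RE = re.compile(r"^\s*(?:Yes|No)\s+(?P<location>\S.*?)\s*$")
SECTIONS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")


def parse_report(text):
    """Return (list of Finding from MALWARE, list of SUSPECTS locations)."""
    section, findings, suspects = None, [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            section = stripped
            continue
        if not stripped or stripped.startswith((";", "Id ", "Sent ")):
            continue  # separators and column headers
        if section == "MALWARE":
            m = MALWARE_RE.match(line)
            if m:
                findings.append(Finding(m["id"], m["description"], m["type"],
                                        m["active"] == "Yes", int(m["severity"]),
                                        m["location"]))
        elif section == "SUSPECTS":
            m = SUSPECT_RE.match(line)
            if m:
                suspects.append(m["location"])
    return findings, suspects


WINDOWS_DIR_PREFIX = "c:\\windows\\"


def triage(findings, suspects):
    """Split report entries into (move, review).
    move:   paths safe to hand to OTM's :files section.
    review: anything under the Windows directory (a patched system driver must
            be replaced with a clean copy, not moved, or the box will not boot)
            plus SUSPECTS, which are heuristics rather than detections.
    Tracking cookies are dropped; browser cleanup handles them."""
    move, review = [], []
    for f in findings:
        if f.type == "TrackingCookie":
            continue
        if f.location.lower().startswith(WINDOWS_DIR_PREFIX):
            review.append(f.location)
        else:
            move.append(f.location)
    review.extend(suspects)
    seen = set()
    move = [p for p in move if not (p in seen or seen.add(p))]  # dedupe, keep order
    return move, review


def otm_files_block(move):
    """Render the :files section of an OTM script."""
    return ":files\n" + "\n".join(move) + "\n"


# Constructed sample: entries from the thread's report, plus a final MALWARE
# line that is NOT from the thread, added to exercise the system-directory rule.
SAMPLE_REPORT = r"""
ANALYSIS: 2009-11-15 02:48:51
MALWARE: 6
SUSPECTS: 2
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;====================================================================
00020386  Application/MotherboardMonitor.A   HackTools           No        0         Yes            No           c:\program files\mirc\moo.dll
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           c:\users\stillborn\appdata\roaming\microsoft\windows\cookies\low\stillborn@atdmt[1].txt
00815304  mIRC/Gen                           Virus/Worm          No        0         Yes            No           c:\program files\mirc\backups\aliases.ini
00954094  Rootkit/Bagle.UV                   Virus/Worm          No        1         Yes            No           c:\avenger\utizmjqx.sys
03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\avenger\atapi.sys
03074964  Trj/CI.A                           Virus/Trojan        Yes       1         No             No           c:\windows\system32\drivers\atapi.sys
;====================================================================
SUSPECTS
Sent      Location
;====================================================================
No        c:\program files\mirc\backups\mirc.exe
No        c:\program files\mirc\mirc-keygen\keygen.exe
;====================================================================
"""

if __name__ == "__main__":
    found, sus = parse_report(SAMPLE_REPORT)
    to_move, to_review = triage(found, sus)
    print(otm_files_block(to_move))
    print("needs manual review:", *to_review, sep="\n  ")
```

Moving the whole c:\program files\mirc folder, as the specialist did, is a judgement call the script deliberately leaves to the human: it lists the individual detections and parks the keygen and mirc.exe under review rather than deciding for you.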

      Stillborn

        Topic Starter


        Rookie

        Re: atapi.sys infected with rootkit
        « Reply #19 on: November 15, 2009, 04:14:12 PM »
        The system required a reboot, so I wasn't able to copy the results and post them. I checked everything under the "files" list and they're all gone.

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: atapi.sys infected with rootkit
        « Reply #20 on: November 15, 2009, 04:16:53 PM »
        Sounds good. Time to finish up.

        1. Double click OTM to launch it.
        Vista users right click and choose Run As Administrator
        2. Click on the CleanUp! button.
        3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
        4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
        5. When finished exit out of OTM.

        ----------

        Use the Secunia Software Inspector to check for out of date software.
        • Click Start Now
        • Check the box next to Enable thorough system inspection.
        • Click Start
        • Allow the scan to finish and scroll down to see if any updates are needed.
        • Update anything listed.
        ----------

        Go to Microsoft Windows Update and get all critical updates.

        ----------

        I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

        SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
        * Using SpywareBlaster to protect your computer from Spyware and Malware
        * If you don't know what ActiveX controls are, see here

        Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

        Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

        Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


        chuckaes

        • Guest
        Re: atapi.sys infected with rootkit
        « Reply #21 on: February 23, 2010, 05:56:40 PM »
        Had the same problem. Use Hitman Pro. Works fantastic to get rid of atapi.sys root...



        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: atapi.sys infected with rootkit
        « Reply #22 on: February 23, 2010, 06:12:14 PM »
        Hitman Pro cannot fix this infection. In fact, there is no AV now that can do it. It takes specialized tools and/or knowledge of how to replace the infected file, which is a legitimate Windows file, and that is why the AVs can't fix it.

        Kaspersky has developed a tool, TDSSKiller, that will clean and replace the infected atapi.sys file and then clean the registry of the TDL3 rootkit. But TDL3 has evolved, and that doesn't even work much of the time now. http://support.kaspersky.com/viruses/solutions?qid=208280684