
Google / Search Engine Hijacker - Atapi.sys rootkit


  • This topic is locked
13 replies to this topic

#1 fm_

  • Members
  • 1 posts

Posted 18 December 2009 - 08:14 PM

FINALLY I GOT IT FIXED!

So what was happening was that any search result from Google, Yahoo, Bing, etc. was affected. When clicking on a search result, I get redirected to some spam sites instead. This affected all browsers that I use: Firefox, Chrome, IE (in fact it was Chrome that got me infected...)

I have been searching around for a solution, and finally found it! ... I have seen MANY people in recent days on forum boards with this same issue, so I thought I would share.



I had run MANY scans using MANY tools ... none of which worked (although they found a lot of junk that was included with the same infection, multi-bug infection?)
I had tried Spybot S&D, Avast, Malwarebytes, HijackThis, RootkitRevealer, Ad-Aware, ComboFix (until it was offlined), and a handful more tools ...

Finally, after reading more forum posts and trying out new tools, I tried out GMER.
When I did a scan using GMER, one of the entries (out of some other normal entries, mostly Avast) was Atapi.sys with a "suspicious modification" note.

So I did some more googling and found some reports similar to this one: http://remove-malware.com/malware/malware-...-is-everywhere/

Atapi.sys Rootkit is EVERYWHERE!

Posted by malwarekilla in Malware News on December 8th, 2009 | 15 responses

Man...every client I've seen for the past 2 weeks who was infected with malware also had this Atapi.sys rootkit. I know I've written about this about 2 weeks ago, but I wanted to keep this fresh. If your searches are getting redirected and you've scanned with just about everything you can think of, then there's a pretty good chance your atapi.sys has been patched (Microsoft Security Essentials detects a spawned dll from this rootkit...I think it's called AlureonCT).

One easy way to find out if you have a patched Atapi.sys is to run the latest copy of GMER Anti-RootKit. Upon opening GMER it will run a very fast quick scan. If you see any entries like \DEVICEHARDDISK\Atapi (something like that) or Atapi.sys "suspicious modification" (especially this one) then you're probably dealing with a very nasty rootkit.

For clients that run Windows XP I've just been using Combofix (Combofix disinfects Atapi.sys). For other operating systems (32-bit) I've just been using a bootable anti-malware disc (bartpe) and replacing atapi.sys with one from the Windows disc.

Aha! ... nasty rootkit!


So to fix this I got out my XP SP3 CD ...
browsed the CD to the I386 folder in the command line and ran 'expand atapi.sy_ c:\atapi.sys'
Installed the recovery console ( http://support.microsoft.com/kb/307654 )
rebooted; in the boot menu, booted into the recovery console
browsed to c:\windows\system32\drivers and deleted the infected file - 'del atapi.sys'
copied the fresh atapi that I had just expanded from my XP disc - 'copy c:\atapi.sys c:\windows\system32\drivers'
did the same for c:\windows\system32\dllcache (that is, I deleted the atapi.sys in dllcache, and copied the fresh one in)
[note: before I deleted the infected atapi files, I renamed them and copied them to another folder in case something went wrong]

Then I just rebooted and opened up a browser to test it ... and ...
FREEDOM! DELIVERANCE!


Hope this helps!

Edited by Amazing Andrew, 20 December 2009 - 06:03 AM.
Mod Edit: Moved From AII - AA
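A defender's-side check for the replacement procedure above, added here and not part of fm_'s post: it compares the installed atapi.sys copies (system32\drivers and dllcache) with the copy expanded from the XP CD by SHA-256, reports a copy that was altered in place (same size, different content) separately from one that was replaced or is missing, and refuses a reference that is still a compressed .sy_ because the 'expand' step was skipped. Labels, paths and the sample bytes are constructed for the demo; on a real disk point it at C:\atapi.sys and the two installed copies from a rescue environment or with the drive attached to another machine, as later posts in this thread do.

```python
import hashlib
import tempfile
from pathlib import Path

MATCH, MODIFIED, DIFFERENT, MISSING = "match", "modified-same-size", "different", "missing"

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def reference_problem(ref):
    # None if ref is an expanded PE driver. A .sy_ copied from I386 without
    # running 'expand' is still a cabinet and starts with 'MSCF'.
    head = Path(ref).read_bytes()[:4]
    if head == b"MSCF":
        return "reference is still compressed (.sy_); run expand first"
    return None if head[:2] == b"MZ" else "reference is not a PE image"

def check_atapi(reference, candidates):
    # candidates: {label: path}. Same size with a different hash means the
    # installed file was altered in place rather than replaced outright.
    problem = reference_problem(reference)
    if problem:
        raise ValueError(problem)
    ref_size, ref_hash = Path(reference).stat().st_size, sha256_of(reference)
    report = {}
    for label, cand in candidates.items():
        cand = Path(cand)
        if not cand.is_file():
            report[label] = MISSING
        elif sha256_of(cand) == ref_hash:
            report[label] = MATCH
        else:
            report[label] = MODIFIED if cand.stat().st_size == ref_size else DIFFERENT
    return report

def demo():
    # Constructed sample (fake 'MZ' image, not real driver bytes) so this runs
    # offline; the real reference is C:\atapi.sys, the candidates the two installed copies.
    tmp = Path(tempfile.mkdtemp())
    good = b"MZ" + bytes(range(256)) * 4
    (tmp / "atapi.sys").write_bytes(good)                    # expanded reference
    (tmp / "atapi.sy_").write_bytes(b"MSCF" + good)          # copied without expand
    (tmp / "drivers.sys").write_bytes(good)                  # untouched copy
    (tmp / "dllcache.sys").write_bytes(good[:300] + b"\x90" * 8 + good[308:])
    (tmp / "backup.sys").write_bytes(good[:500])             # truncated copy
    report = check_atapi(tmp / "atapi.sys", {
        "drivers": tmp / "drivers.sys", "dllcache": tmp / "dllcache.sys",
        "backup": tmp / "backup.sys", "absent": tmp / "not-there.sys"})
    return report, reference_problem(tmp / "atapi.sy_")
```

Keep the renamed originals that fm_ set aside and hash them too; a copy whose hash matches the reference was never the problem, which narrows where else to look.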



#2 homersimpson

  • Members
  • 5 posts

Posted 11 January 2010 - 08:18 PM

Had the same. Finally fixed it today. In my case GMER didn't find a thing. Hitman Pro did. But their delete-on-boot didn't get rid of it, and I ended up copying the file myself from another OS.

#3 jr02

  • Members
  • 1 posts

Posted 10 February 2010 - 09:30 PM

Thanks much... fixed the problem. ;)

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 32,116 posts
  • Location:Virginia, USA

Posted 11 February 2010 - 08:49 AM

Keep in mind that not all users have advanced knowledge or ability to make such a repair on their own.

GMER is a stand-alone tool that will help investigate for the presence of rootkits. It will not actually tell you if you are infected or not unless you know what you're looking for.

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If you're unsure how to use a particular anti-rootkit (ARK) tool, then you should not be using it. Some ARKs are intended for advanced users or to be used under the guidance of an expert who can interpret the log results. Further, such tools are powerful and using them incorrectly could lead to disastrous problems with your operating system.

To those who do have advanced knowledge, I'm glad to hear you were able to fix this infection. To those reading this topic who don't, it's best to ask for guided help by an expert.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 vcrain

  • Members
  • 1 posts

Posted 20 February 2010 - 04:26 PM

Apologies if this reply should be posted as a new topic in a different section, but:

You have diagnosed the issue with my computer correctly. I have redirected search clicks and AVG has noticed a rootkit in atapi.sys; however, the object is whitelisted so the software refuses to help me :thumbsup:.

Could someone please explain how I can use combofix or another tool to fix this issue, as I lack the knowledge to do so on my own, and am afraid to further my problems by screwing up my system files.

PLEASE HELP
Thank you

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 32,116 posts
  • Location:Virginia, USA

Posted 20 February 2010 - 05:22 PM

Welcome to BC vcrain

Yes, you should start your own topic if you have an issue or problem you would like to discuss, and based on the issues you are dealing with, do that in the Am I infected? What do I do? forum. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Could someone please explain how I can use combofix

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

If more powerful tools like ComboFix are required, then you will be referred to the Virus, Trojan, Spyware, and Malware Removal Logs forum.

Alternatively, you could read the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help and post your logs in the above forum.

Thanks for your cooperation.
The BC Staff

#7 eddt

  • Members
  • 2 posts
  • Location:SoCal

Posted 22 February 2010 - 10:59 AM

fm -

Just wanted to say thanks for your quick little guide provided here for atapi.sys issues! After so much scouring and searching the intertubes and my system for what the problem could be, I determined it was a corrupted atapi.sys file. Your steps were my salvation as well, saving me hours of teeth-gnashing and hair-pulling! As mentioned, this was a fix for the more technically inclined of us, certainly not for the faint of heart as it could easily hose your system for good - but your steps were dead on and I had the same results you did - complete deliverance!

Thanks! :thumbsup:

Edited by eddt, 22 February 2010 - 11:01 AM.


#8 Scott-B

  • Members
  • 1 posts

Posted 25 February 2010 - 01:39 PM

I just repaired a PC with this same issue.
For those of you that have a hard time with the command line, I find that the easiest way to deal with this is a bootable disk like Bart PE or Knoppix. You can copy the file from a known good system onto a USB drive and then paste it to your unbootable system while in a GUI environment.
If you don't have a bootable disk you can pull your drive and use one of the many IDE or SATA to USB converters so that you can connect your drive to a running system via USB. This also affords you the ability to scan for viruses while your OS is not running. It's easier for AV to find and delete rootkits this way.

In some PCs you can connect with this gadget without even having to remove the drive.

http://www.geeks.com/details.asp?invtid=2020D&cat=CBL

This USB 2.0 to IDE/SATA drive adapter implements a bridge between a USB port and one SATA, ATA or ATAPI based mass storage device port.

This USB 2.0 to IDE/SATA drive adapter turns any standard IDE or SATA drive into a convenient external drive. Easily transfer files from computer or notebook, back up files, or store large file archives on hard drives with fast USB 2.0 data transfer rates! With One Touch Backup capability, backing up those important files could not be any easier!

The Hi-Speed USB 2.0 interface provides for easy installation with its Plug and Play design. The adapter supports all existing IDE/ATAPI devices such as a CD-ROM, CD-RW, DVD-ROM and 2.5 and 3.5 IDE and SATA hard drives. Order today!

#9 Hrmlss

  • Members
  • 1 posts

Posted 26 February 2010 - 09:21 AM

HELP! I seem to have acquired this lovely little piece of rootkit and currently do not have a copy of my Win XP disk.....I do however have another Win XP computer. I need to know exactly which files to copy over...I have 4 atapi files found.
I got this lovely little thing from my BF when he brought home my flash drive with it on it! Go figure!

#10 acsAdmin

  • Members
  • 1 posts

Posted 28 February 2010 - 01:08 AM

Thank you fm_ for taking the time to post this info!
I used:
AVG + Boot scan
Defogger
ComboFix
None of the above seemed to fix the problem, then I used:
GMER
It took at least 3 hours to scan the whole system, but at the end of the list I found the cancer: atapi.sys
I just googled it and this topic came up. And I was on the road to salvation! :flowers: I followed your guide and everything was back to normal.
*sigh* I must be getting old, I used to hammer through malware and viruses on all my friends' computers with ease!
These rootkits are a whole new game, Linux is looking better and better! :thumbsup:

Thanks!

#11 Kylesb

  • Members
  • 1 posts

Posted 12 March 2010 - 06:32 PM

Greetings.

Just want to add a comment on the atapi.sys virus/rootkit that I've seen on WinXP machines. I've seen it more than once now, and a sure indicator you have it is that the machine typically will not boot in safe mode: it will show loading mup.sys as the last line on bootup and crash/restart with a STOP 0x0000007E error. The real culprit is the atapi.sys virus, although ComboFix also indicated it rewrote the MBR on one machine I was fixing.

Hope this helps someone searching for an answer as to why a machine will not boot in safe mode.

Regards,
Kyle

Edited by Kylesb, 12 March 2010 - 06:34 PM.


#12 thebullforever

  • Members
  • 1 posts

Posted 11 May 2010 - 05:32 AM

I had this damn atapi.sys on my computer for 2 weeks and finally got the bleep thing off of here by using the directions posted here:

http://www.geekstogo.com/forum/Rootkit-hel...ys-t270282.html

It was easy, just ran the tdsskiller.exe and it found it and removed it right away. Just rebooted after the scan and voila! gone. So forget about copying and replacing files from a "good" version of Windows. I am sure this works as noted above, but for users who need a simpler solution this one functioned for me. I want to help out anyone I can with this virus because it's a pain and nothing else I scanned with found it or properly removed it. I tried HijackThis and it just removed the file and then my computer failed to boot up. Luckily Vista seems indestructible from a standpoint of messing up system files; it seems to go in and repair things automatically. For all the flak Vista gets I will give it this as a great feature. This computer has crashed (blue screened) over and over again from viruses and other problems, but Vista is programmed to go in and fix these problems automatically to get itself booted up again. Hope this helps...

#13 dbventure

  • Members
  • 4 posts
  • Location:NC

Posted 13 May 2010 - 10:11 PM

I've got a similar problem on my mother's computer. Her atapi.sys is corrupted (Trojan infected). Her computer was thoroughly filled with malware so what I've done is remove the hard drive, place it in an enclosure, and scan it using Symantec. That cleaned most everything (so far), but has been unable to fix the atapi.sys.

Is it possible to simply delete the infected atapi.sys and replace it with a good one? Please let me know if so and where I could get the appropriate atapi.sys or whatever other information is needed to help.

Thanks.

#14 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 33,300 posts
  • Location:Bloomington, IN

Posted 13 May 2010 - 11:34 PM

Hello,

If you have issues with Atapi.sys rootkit, please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues in the topic.

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then create a new topic in the Am I Infected forum here: http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/ and describe what happens when you try to produce those logs and we will provide you with further instructions.

This topic is now closed.

Orange Blossom :thumbsup:

