Posted 18 January 2010 - 05:54 PM
NOTE: I posted this previously in the "Am I infected..." forum, but received no feedback. Perhaps it's more suitable here.
Win XP Home, svc pack 2
I've been infected with the (Google) search redirect virus twice in the past three weeks. I've tried any number of fixes listed in these pages, all to no avail. Most require downloading and running multiple programs - in some cases as many as 10 - and posting logs from all manner of system readers. As you know, this is very time consuming and, when it doesn't work, very frustrating indeed. (I've never had this much trouble cleaning a virus before.)
I'm not savvy enough to think that I've invented some new fix, but the only thing that has worked for me is to disinfect remotely. In addition to the havoc wreaked by the virus, it appears to have the ability to hide and protect itself from detection while the system is in operation, and it prevents operation in Safe Mode. Here's what I did, with the aid of an (inexpensive) USB external drive adapter:
Shut down my computer and disconnected the power line; opened it up and unplugged the IDE connector and power line from the hard drive; connected the drive adapter to the hard drive; connected the adapter to my laptop and scanned for viruses with, in my case, Microsoft Security Essentials. This worked perfectly both times. What I found was something called "Alureon.F" which, as far as I can tell, resided in my atapi.sys file. After disinfecting the file my system works fine, showing no symptoms of infection.
Anyway, here are my questions:
First - Is this in fact a valid fix? What I mean is, the scan disinfects the atapi.sys file but no registry changes are made. Am I OK in this regard?
Second - Would simply replacing the infected atapi.sys file with a "clean" version work as a fix on an operating machine?
Thanks for your feedback.
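The following is an added example, not part of the original post and not the poster's method: a small Python script that performs the check behind the second question, whether the atapi.sys now on the drive is byte-for-byte identical to the copies Windows keeps for itself. It is meant to be run from the laptop against the drive mounted through the USB adapter, exactly as the post describes, because a rootkit that filters disk reads on the live system can hand back clean-looking file contents. It assumes a default Windows XP install (the WINDOWS directory name, and the two backup locations %SystemRoot%\system32\dllcache and %SystemRoot%\ServicePackFiles\i386 that XP SP2 uses); the demo tree it builds contains constructed placeholder bytes, not a real driver.

```python
import hashlib
import os
import tempfile

# Paths, relative to the root of the mounted drive, of the driver the post
# found Alureon.F in and of the two places a default Windows XP SP2 install
# keeps its own copies of that file (assumption: standard WINDOWS directory).
DRIVER_REL = os.path.join("WINDOWS", "system32", "drivers", "atapi.sys")
BACKUP_RELS = [
    os.path.join("WINDOWS", "system32", "dllcache", "atapi.sys"),
    os.path.join("WINDOWS", "ServicePackFiles", "i386", "atapi.sys"),
]


def sha256_of(path):
    """Hash a file in chunks so larger system files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(drive_root):
    """Compare the live atapi.sys on an offline-mounted drive with its backup copies.

    Returns a dict whose 'status' is 'missing' (no live driver), 'no-backups'
    (nothing to compare against), 'match' (identical to at least one backup) or
    'mismatch'; 'matches' lists the backup paths whose SHA-256 equals the live one.
    """
    live = os.path.join(drive_root, DRIVER_REL)
    if not os.path.isfile(live):
        return {"status": "missing", "driver": None, "backups": {}, "matches": []}
    live_hash = sha256_of(live)
    backups = {}
    for rel in BACKUP_RELS:
        path = os.path.join(drive_root, rel)
        if os.path.isfile(path):
            backups[rel] = sha256_of(path)
    matches = [rel for rel, digest in backups.items() if digest == live_hash]
    if not backups:
        status = "no-backups"
    elif matches:
        status = "match"
    else:
        status = "mismatch"
    return {"status": status, "driver": live_hash, "backups": backups, "matches": matches}


def build_demo_tree(patched):
    """Build a constructed stand-in for a mounted XP drive in a temp directory.

    File contents are made-up placeholders, not a real driver. With `patched`
    True the live driver gets a few bytes overwritten in place, keeping the same
    size, so the difference only shows up when the files are hashed.
    """
    root = tempfile.mkdtemp(prefix="xp_drive_")
    clean = bytes(range(256)) * 64          # 16 KiB of constructed content
    live = bytearray(clean)
    if patched:
        live[0x200:0x210] = b"\xcc" * 16    # stand-in for an in-place code patch
    for rel, content in [(DRIVER_REL, bytes(live))] + [(r, clean) for r in BACKUP_RELS]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python check_atapi.py E:\   (whatever letter the adapter got)
        print(check_driver(sys.argv[1]))
    else:
        for flag in (False, True):
            result = check_driver(build_demo_tree(patched=flag))
            print("patched=%s -> %s, matches=%s" % (flag, result["status"], result["matches"]))
```

A "match" only shows that the live driver agrees with the copies on the same disk; if you suspect those were touched too, hash a copy taken from the XP install CD or from a known-clean machine at the same service-pack level instead. The script says nothing about the registry, which is the first question, so that part still needs a separate look.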