Win32/Olmarik.OF Virus - Can't Delete
azforexman
November 3rd, 2009, 02:30 PM
I'm sorry if I posted this in the wrong forum. Eset NOD32 V4 keeps coming up with a virus detection. The problem is that it won't let me delete it. I have copied two of the log files from when the alert pops up.
11/3/2009 10:57:05 AM Real-time file system protection file I:\WINDOWS\system32\drivers\atapi.sys Win32/Olmarik.OF virus error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: I:\WINDOWS\System32\svchost.exe.
11/3/2009 12:02:57 PM Startup scanner file I:\WINDOWS\system32\DRIVERS\atapi.sys Win32/Olmarik.OF virus unable to clean
Any help or suggestions would be greatly appreciated.
Thanks,
Jeff - AZForexman :)
Marcos
November 3rd, 2009, 03:56 PM
It's a rootkit so the best would be to boot from a clean media and replace atapi.sys with a clean file from the Windows installation cd or another clean computer with the very same OS.
azforexman
November 3rd, 2009, 04:10 PM
Thanks for the response. Do you have any links to instructions on how to do this? I have the OS disk but I'm not sure how to replace just that file.
Thanks,
Jeff
ccomputertek
November 3rd, 2009, 04:57 PM
-{ Quote: "Thanks for the response. Do you have any links to instructions on how to do this? I have the OS disk but I'm not sure how to replace just that file.
Thanks,
Jeff" }-
What is the OS ?
If XP then:
from the command prompt, type the drive letter of your XP media, then cd I386, then:
expand -r atapi.sy_ c:\windows\system32\drivers\
azforexman
November 3rd, 2009, 05:30 PM
I'm using Windows XP Home Edition on this computer.
I want to make sure I understand the steps before I start changing things. I've had such bad luck with Windows products that I am very cautious.
From the command prompt I will:
- type the letter of the drive that has my windows XP OS disk in it.
- then type: cd I386
- then type: expand -r atapi.sy_ c:\windows\system32\drivers\
Is that it? Does that copy the file over?
I appreciate the responses.
Best Regards,
Jeff
ccomputertek
November 3rd, 2009, 05:36 PM
From the command prompt:
- type the letter of the drive that has the Windows XP OS disk in it and press Enter. That would be D: if your CD drive is D, for example. You must type D colon and Enter, or whatever the drive letter is.
- then type: cd I386 and press Enter
- then type: expand -r atapi.sy_ c:\windows\system32\drivers\ and hit Enter.
azforexman
November 3rd, 2009, 06:06 PM
Ok...I gave it a shot and it didn't seem to work. I have attached a screenshot of what happened. Any ideas?
Thanks,
Jeff
ccomputertek
November 3rd, 2009, 07:02 PM
Try from safe mode. If that doesn't work, try from safe mode with the backslash removed after drivers\
Sometimes these commands are picky.
Also, if you do this without safe mode, Windows File Protection may be interfering.
azforexman
November 3rd, 2009, 08:14 PM
Still no luck. Any other ideas? Would I be better off installing a clean copy of XP? Can I use the same copy of XP that I originally installed on this computer if I do a clean install? I have the System Builder edition.
Thanks for the help.
Jeff
ccomputertek
November 3rd, 2009, 09:35 PM
Ok, it doesn't want to let you write to the system folder that way. From safe mode:
expand -r atapi.sy_ c: or c:\ and press Enter. This will put the new copy of the file at the root of the C drive, then:
cut and paste the atapi.sys file into the windows\system32\drivers\ folder.
Maybe even though you're in the I386 folder in the command prompt, it still wants the full path. I don't know; I don't have my XP disk here to see what's going on.
Try from the I386 folder:
Expand -r G:\I386\Atapi.sy_ c:
trencan
November 4th, 2009, 01:06 AM
What's drive letter of your system partition (where Windows is installed)? Is it I:\? I assume so, since when you started cmd.exe, you were in directory I:\Documents and Settings\Main.
If so, try again:
expand -r atapi.sy_ I:\windows\system32\drivers\
ccomputertek
November 4th, 2009, 01:31 AM
-{ Quote: "What's drive letter of your system partition (where Windows is installed)? Is it I:\? I assume so, since when you started cmd.exe, you were in directory I:\Documents and Settings\Main.
If so, try again:
expand -r atapi.sy_ I:\windows\system32\drivers\" }-
Ahhhhhhhh good eye trencan, I did not realize that, see what happens when you don't pay attention :ouch:
So I had it right the first time, just the wrong drive letter.
azforexman
November 5th, 2009, 02:25 PM
Ok...I was getting excited but it didn't work. I have attached another screen shot of the error. Any ideas?
I think I am at the point where I just want to put a clean version of XP on the computer. I just want to make sure that I can use the XP disc that was used originally on this computer. It is an OEM System Builder Pack and I can't remember if it can be reloaded on the same computer. I bought it from NewEgg and it was cheaper than the retail edition. Does anyone know if this will cause me any issues when it tries to authenticate the OS?
Again, I appreciate all the help.
Best Regards,
Jeff
ccomputertek
November 5th, 2009, 02:38 PM
Just try sending to the root of the I: drive..
expand -r atapi.sy_ I:\
othersteve
November 5th, 2009, 03:45 PM
If we can get it to expand, you may be able to use a utility like The Avenger to force overwrite the file without removing the drive.
Jeff, don't give up yet just because of a rootkit. There are definite ways to correct the issue without having to reformat. But to answer your question, you will need to use an OEM CD Key with an OEM copy of Windows XP. If you have your original disc and CD Key, you can always reload with that.
trencan
November 6th, 2009, 01:02 AM
It looks like some process has opened atapi.sys and doesn't allow write access to others. Best would be to boot from installation XP CD to Recovery console and use the same command from there. But before use, check what's the drive letter of your windows installation directory after boot into Recovery console.
azforexman
November 8th, 2009, 04:22 PM
I think I am making some progress. I was able to expand it to the I: drive. I have attached 2 screen shots of the progress. I'm not sure what to do at this point.
I'm assuming I need to copy and paste it somewhere based on a previous post, but I'm not sure where to paste it. Would it be in I:\windows\system32\drivers\?
I did try to start the computer with the XP disc in recovery console but it was only giving me an option for the C: drive. I think when I loaded this fresh copy of XP on this computer I didn't completely delete the C: drive and it created a new drive, which is I:. The I: drive has the OS on it and all my data. So I'm not sure if using the recovery console is an option.
Again, thanks everyone for the help.
Best Regards,
Jeff
azforexman
November 8th, 2009, 04:37 PM
I decided to get brave and I tried to copy and paste the atapi.sys file into I:\windows\system32\drivers\ It said that it couldn't paste it because the file was being used by another program or person. I also tried this in safe mode with the same result.
Can I force the file to copy? Or can I try and stop whatever process is using this file? I have Process Explorer if this would help.
Thanks,
Jeff - AZForexman
ccomputertek
November 8th, 2009, 06:00 PM
What was I thinking, of course it wouldn't copy over, atapi.sys is always being used by your hard disk controller. Maybe the recovery console maps your drive to C and when you boot into Windows it maps it to I. Try recovery console and type help to get a list of commands, and see if the C drive is correct as your operating system drive using the " dir " command or something, as far as recovery console is concerned anyway. Then from the root of C, which you're already on: " copy atapi.sys c:\windows\system32\drivers\ "
trencan
November 9th, 2009, 02:18 AM
When you boot in recovery console, do you see the same content on drive C: as you saw in normal mode on drive I:? If so, then you can copy atapi.sys to c:\windows\system32\drivers in recovery console.
And what do you see in Process Explorer, which process is using atapi.sys? Use "Find"->"Find Handle or Dll" and type atapi.sys. In the normal case this file should not be opened; I tried to delete it in a virtual machine and it succeeded.
azforexman
November 9th, 2009, 02:37 PM
I booted in recovery console and it opened the c: drive. I did the dir command and a list of files opened. It definitely is not all of the files that I have on the I: drive. I tried changing it to the I: drive and doing the dir command again but it gave me an error.
When I do a search on Process Explorer for atapi.sys it shows 0 matching items. Any other ideas?
Thanks,
Jeff
azforexman
November 9th, 2009, 02:44 PM
I attached 2 screen shots showing the quarantine log and the threat detection log. It shows that the file was quarantined but it also detects it on every start up scan. I noticed that some of the detected threats have the drivers lower case and others are upper case. Could this be causing a problem?
ccomputertek
November 9th, 2009, 05:33 PM
When you do the dir command, you don't see your windows dir showing up at the recovery console on the C: drive ?
trencan
November 10th, 2009, 02:08 AM
When you start Recovery Console, there is an option for which OS installation you want to log onto, something like: 1. c:\windows
What do you see there? It should list all available OS installations on your HDD.
If there is only C:, log onto it. Now type "diskpart". Which volume letters do you see? Is there something else except c:? If so, quit diskpart, then switch to each volume listed and via "dir" command try to find one which is related to your system volume I:
Once you find drive letter for your system volume, use it in "expand" command.
azforexman
November 10th, 2009, 05:11 PM
OK...I started the computer with the Recovery Console and the only option is C: So I used that option and then the command diskpart.
This is what came up...
I: Partition 1 [unknown] 103 MB (103 MB Free)
C: Partition 2 [NTFS] 76205 MB (52835 MB Free)
That is interesting. Here is what the dir of the C: drive shows.
Directory of C:\
9/08/09 7:20p d------- 0 02c65197efbfb7ccaf74c3
04/14/08 12:10a -a------ 96512 atapi.sys
09/03/09 8:03a ---hs--- 210 boot.ini
11/03/09 6:07p d------- 0 Documents and Settings
10/17/09 2:04p d------- 0 GForceTraders
10/20/09 11:01a -a-h---- 459 IPH.PH
04/14/08 5:00a -arhs---- 47564 NTDETECT.COM
04/14/08 5:00a -arhs---- 250048 ntldr
11/05/09 3:21p d-------- 0 Program Files
9/03/09 8:06p d--hs---- 0 RECYCLER
11/10/09 3:05p d--hs--- 0 System Volume Information
11/05/09 2:02p d-------- 0 Windows
When I switch over to the I: drive using the dir command it gives this error. An error occurred during directory enumeration.
Any suggestions?
Thanks,
Jeff
ccomputertek
November 10th, 2009, 06:38 PM
Just assume that it's your C: drive and for some reason when you boot into the OS it's remapping it to a different drive letter. That said:
from the root of C, which you're already on in recovery console, " copy atapi.sys c:\windows\system32\drivers\ " is the command, without the quotes.
azforexman
November 10th, 2009, 07:17 PM
-{ Quote: "Just assume that it's your C: drive and for some reason when you boot into the OS it's remapping it to a different drive letter. That said:
from the root of C, which you're already on in recovery console, " copy atapi.sys c:\windows\system32\drivers\ " is the command, without the quotes." }-
I tried that and here is what I get:
c:\windows>copy atapi.sys c:\windows\system32\drivers\
The system cannot find the file specified.
Any other ideas?
Thanks,
Jeff
ccomputertek
November 10th, 2009, 07:41 PM
I don't know what you've got going on then. You need to go into Windows XP Disk Management from Computer Management in the Administrative Tools and delete that unused partition.
Try to switch to the D: drive, which is the next drive letter and should be your CD drive with the XP disc in it, and try the expand command following the instructions previously posted here, all from recovery console.
Make sure you're in the D:\I386 dir when you do it.
trencan
November 11th, 2009, 02:06 AM
-{ Quote: "I tried that and here is what I get:
c:\windows>copy atapi.sys c:\windows\system32\drivers\
The system cannot find the file specified.
Any other ideas?
Thanks,
Jeff" }-
It failed because, if I remember well, last time when logged into XP you extracted the atapi.sys file to I:. Now when you are in recovery console it should be in C:. But when you issued the "copy" command, you were in the C:\windows directory and there is no atapi.sys file there. So you should type in recovery console:
copy c:\atapi.sys c:\windows\system32\drivers\
or switch to CD drive as ccomputertek wrote, go to I386 folder and type:
expand -r atapi.sy_ c:\windows\system32\drivers\
trencan
November 11th, 2009, 02:19 AM
This I: volume looks really strange. Its size is 103 MB and the filesystem is unknown.
Boot into XP, start cmd.exe and type: "diskpart" then "list disk" and "list volume". Post the output here.
azforexman
November 11th, 2009, 09:58 AM
-{ Quote: "This I: volume looks really strange. Its size is 103 MB and the filesystem is unknown.
Boot into XP, start cmd.exe and type: "diskpart" then "list disk" and "list volume". Post the output here." }-
I attached the screenshot. I will try what you recommended from the previous post. I just have to wonder if I have something more going on than just the virus.
Thanks again for all your help.
Jeff
ccomputertek
November 11th, 2009, 04:24 PM
As I said before, Windows is switching around your drive letters, but from DOS, which is the recovery console, it should always be the C: drive and then your CD drive as the next letter, D:
Durad
November 11th, 2009, 09:45 PM
You probably installed Windows with a card reader attached to the PC; that's why it's not C.
When you are installing Windows, always disconnect the card reader, and when installation is done just plug it back in ;)
azforexman
November 11th, 2009, 09:48 PM
-{ Quote: "You probably installed Windows with a card reader attached to the PC; that's why it's not C.
When you are installing Windows, always disconnect the card reader, and when installation is done just plug it back in ;)" }-
You are correct. I did have a USB thumb drive attached. Is it possible to reassign the drive letters so they are the default setting? Or is it not worth it?
Jeff
azforexman
November 11th, 2009, 09:50 PM
Success! Here is what worked: copy c:\atapi.sys c:\windows\system32\drivers\ I typed this in the recovery console and it replaced the file. I ran a full scan with no viruses found.
I appreciate the help from this forum.
Best regards,
Jeff - AZForexman
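The replacement above only fixes the problem if the copy now in system32\drivers is byte-for-byte the clean one expanded from the CD. The following Python script is an added example, not code from this thread or from ESET: it compares a known-clean driver image against the installed one and reports size, SHA-256 and the first differing offsets, which is a quick way to confirm the copy took and to see whether a driver has been patched in place. The file paths and sample bytes are constructed assumptions.

```python
import hashlib
import sys
from pathlib import Path


def compare_driver(clean: bytes, installed: bytes, max_offsets: int = 8) -> dict:
    """Compare an installed driver image against a known-clean copy.

    Returns sizes and SHA-256 of both images, whether they match, and the
    first few byte offsets that differ. A driver patched by a rootkit
    usually differs in a small region, not wholesale, so the offsets are
    useful for a quick look in a hex viewer.
    """
    clean_sha = hashlib.sha256(clean).hexdigest()
    installed_sha = hashlib.sha256(installed).hexdigest()
    diffs = []
    for off in range(min(len(clean), len(installed))):
        if clean[off] != installed[off]:
            diffs.append(off)
            if len(diffs) >= max_offsets:
                break
    return {
        "clean_size": len(clean),
        "installed_size": len(installed),
        "size_match": len(clean) == len(installed),
        "clean_sha256": clean_sha,
        "installed_sha256": installed_sha,
        "hash_match": clean_sha == installed_sha,
        "first_diff_offsets": diffs,
    }


def verdict(report: dict) -> str:
    """One-line human-readable result for the report above."""
    if report["hash_match"]:
        return "OK: installed driver is identical to the clean copy"
    if not report["size_match"]:
        return "MISMATCH: size differs (installed %d vs clean %d bytes)" % (
            report["installed_size"], report["clean_size"])
    return "MISMATCH: same size but content differs, first at offset 0x%x" % (
        report["first_diff_offsets"][0])


def compare_driver_files(clean_path: str, installed_path: str) -> dict:
    """Read both files (e.g. the expanded atapi.sys at the root of the
    system drive and the one in system32\\drivers) and compare them."""
    return compare_driver(Path(clean_path).read_bytes(),
                          Path(installed_path).read_bytes())


# Constructed samples: a stand-in for a clean driver image, and a copy of it
# with a 4-byte region overwritten, the same shape as an in-place patch.
CLEAN_SAMPLE = bytes(range(256)) * 4          # 1024 bytes, constructed
_patched = bytearray(CLEAN_SAMPLE)
_patched[0x200:0x204] = b"\xde\xad\xbe\xef"   # constructed patch at 0x200
PATCHED_SAMPLE = bytes(_patched)


if __name__ == "__main__":
    # Usage: python check_driver.py <clean atapi.sys> <installed atapi.sys>
    if len(sys.argv) == 3:
        print(verdict(compare_driver_files(sys.argv[1], sys.argv[2])))
    else:
        print(verdict(compare_driver(CLEAN_SAMPLE, PATCHED_SAMPLE)))
```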
trencan
November 12th, 2009, 01:42 AM
There is no drive letter assigned to that 103 MB partition in your XP.
You can run "diskpart" and type:
select disk 0
detail disk
list partition
What's the output?
SolidState
November 12th, 2009, 02:33 PM
I'd nuke the install period as you seem to be one of those people who don't understand how to delete a partition when you reinstall your OS or understand that having a card reader connected at windows install will cause drive letter assignment issues. It's a real nightmare to change the windows drive letter back to C: from I: because a lot of your applications are installed pointing to I: Dude it's a borked windows install... reinstall but be sure to delete your partitions first.
Solid-State
PS When you do reinstall windows you have to remove your internal card reader from your USB controller or you'll just have the same problem over and over again!
format_c
November 12th, 2009, 05:35 PM
-{ Quote: "Thanks for the response. Do you have any links to instructions on how to do this? I have the OS disk but I'm not sure how to replace just that file.
" }-
It's very easy to clean the system, just run Dr.Web CureIt! (http://www.freedrweb.com/download+cureit/). Why must someone do such stupid things as the file replacement?!
azforexman
November 12th, 2009, 06:59 PM
-{ Quote: "There is no drive letter assigned to that 103 MB partition in your XP.
You can run "diskpart" and type:
select disk 0
detail disk
list partition
What's the output?" }-
Ok. I attached the screenshot.
Thanks again,
Jeff
SolidState
November 12th, 2009, 08:09 PM
-{ Quote: "Ok. I attached the screenshot.
Thanks again,
Jeff" }-
If that machine is a prefab then it's the recovery partition. I wouldn't nuke that friend.
Solid-State
ccomputertek
November 12th, 2009, 11:03 PM
A recovery partition would not be 103 MB in size. But he can check what's on the drive.
SolidState
November 13th, 2009, 02:25 AM
Yeah, that's rather small. It's some remnant of a partition he managed to create when he reinstalled Windows with the borked I: active partition.
Solid-State
PS if windows install fails at some point could it leave this behind but still manage to get a working install?
ESS3
November 13th, 2009, 11:32 AM
-{ Quote: "It's a rootkit so the best would be to boot from a clean media and replace atapi.sys with a clean file from the Windows installation cd or another clean computer with the very same OS." }-
Marcos
Hi,
I shot a video clip (HD) of cleaning Olmarik (atapi.sys) with the aid of ESET SysRescue: http://www.youtube.com/watch?v=IgOKCC2lAMw
http://smages.com/i/be/85/be85920e8e137c44ea0f7b4dee38f318.png
:)
Nomad Soul
November 15th, 2009, 12:08 AM
Dr.Web CureIt, that's the answer. The only antivirus that can cure this active rootkit.
Fajo
November 15th, 2009, 12:10 AM
-{ Quote: "Dr.Web CureIt, that's the answer. The only antivirus that can cure this active rootkit." }-
This should not be in the ESET Support forum. He ain't looking for recommendations for other AVs, just how to fix his current problem.
laoistom
December 21st, 2009, 11:20 AM
Hi Folks,
I had 2 instances of this virus on PCs I was fixing today and here's what I did to get rid of them. Firstly I used PsKill (part of the PsTools suite from Sysinternals) to kill the virus in memory. Then I scanned the registry for the name of the process I had just killed. I can't remember what it was on the first PC, but it was called Jaoeii.exe in the second instance.
Go through the registry using the Find menu option and locate all references to the virus and delete them from the registry.
Once that is done, restart the PC and make sure that when the PC reboots the virus doesn't appear in Task Manager. At this point I thought to myself that the virus was gone, but I then started receiving NOD32 warnings about atapi.sys being infected, so I got my Windows XP SP3 CD, popped it in the drive and ran the System File Checker. Go to Start -> Run and type: sfc /scannow. This will tell Windows to compare all system files to the files on the XP disc and, if any are changed, replace them with the original from the CD.
This seems to have fixed the issue for me. Give it a go and see how you guys get on.
Cheers,
Laoistom
OTP Frodo
December 21st, 2009, 11:56 AM
ESET has a tool for Olmarik here --> http://kb.eset.com/esetkb/index?page=content&id=SOLN2372
Or you could use Malwarebytes followed by ComboFix, which is what worked for me and was recommended by ESET support. (Don't know if the ESET cleaner was out at that time.)
-Joe
biggus
January 25th, 2010, 04:45 AM
-{ Quote: "ESET has a tool for Olmarik here --> http://kb.eset.com/esetkb/index?page=content&id=SOLN2372
Or you could use Malwarebytes followed by ComboFix, which is what worked for me and was recommended by ESET support. (Don't know if the ESET cleaner was out at that time.)
-Joe" }-
A friend's machine was hit with Olmarik today. Although the Olmarik ESET tool detected the virus and said it was removed, upon rebooting it was back; in other words, in this case anyway, it didn't work at all. A guy in this thread mentioned Dr.Web's CureIt, and was berated for mentioning it in the NOD forum. This is fair comment normally, but in this case at least I am very glad it was mentioned, because this app (the free version) found a rootkit that was the root cause (no pun intended :) of my friend's Olmarik.
As it happens, I am a NOD fanboi, but nothing is perfect, and you have to give credit where it is due. Whilst the NOD Olmarik fix may have fixed some people's Olmarik, it was unable to fix mine, despite it saying that it did.
Jabmo
February 3rd, 2010, 04:37 PM
I got the damn thing on my PC and I downloaded the tool from ESET, but it didn't work. I found this on the net; it tells you how to delete it manually. I personally can't get my head around it, but you can try it and see if it works:
http://www.411-spyware.com/remove-olmarik-trojan#deletefiles