Prevx isn't permanently cleaning


enchant
December 10th, 2009, 01:55 PM
My system is infected, but Prevx can't clean it. Here are the symptoms.

It's regularly popping up a "Malware Blocked" alert telling me that it automatically blocked a High Risk Cloaked Malware infection. The file is always:
C:\windows\temp\abcd.tmp\svchost.exe
where "abcd" is some random 4 letters.

I'll run a scan with Prevx. A couple of times, it's actually found something. I shut down everything and disco from the net, let it finish, reboot and rescan (this time clean). But invariably, the Malware alert pops up again.

Several times, while scanning, it's hung. Generally at 63%. Right now, it appears to be hung at 98% while Analyzing Scan Results.

I'm not sure what to do at this point.

tobacco
December 10th, 2009, 02:16 PM
It's in the windows folder so has to be removed between reboots. Download a freebie like file assassin or unlocker and use it to remove that folder\file. You may have to enable show all files\folders in folder options first.

Fajo
December 10th, 2009, 02:19 PM
-{ Quote: "My system is infected, but Prevx can't clean it. Here are the symptoms.

It's regularly popping up a "Malware Blocked" alert telling me that it automatically blocked a High Risk Cloaked Malware infection. The file is always:
C:\windows\temp\abcd.tmp\svchost.exe
where "abcd" is some random 4 letters.

I'll run a scan with Prevx. A couple of times, it's actually found something. I shut down everything and disco from the net, let it finish, reboot and rescan (this time clean). But invariably, the Malware alert pops up again.

Several times, while scanning, it's hung. Generally at 63%. Right now, it appears to be hung at 98% while Analyzing Scan Results.

I'm not sure what to do at this point." }-

This AV is cloud based; you have to be connected to the web while it scans and cleans. This way it can get the info needed to remove the infection. That is also why it is hanging at 63 and 98%. It can't connect to its database to figure out how to remove it.

enchant
December 10th, 2009, 02:40 PM
-{ Quote: "This AV is cloud based; you have to be connected to the web while it scans and cleans. This way it can get the info needed to remove the infection. That is also why it is hanging at 63 and 98%. It can't connect to its database to figure out how to remove it." }-
When it hangs, it actually IS connected. The only time I'm not connected is when Prevx tells me specifically to disconnect before continuing.

enchant
December 10th, 2009, 02:41 PM
-{ Quote: "It's in the windows folder so has to be removed between reboots. Download a freebie like file assassin or unlocker and use it to remove that folder\file. You may have to enable show all files\folders in folder options first." }-
...use it to remove *which* file/folder?

Fajo
December 10th, 2009, 02:55 PM
-{ Quote: "When it hangs, it actually IS connected. The only time I'm not connected is when Prevx tells me specifically to disconnect before continuing." }-

Might want to try Safe Mode with Networking enabled. Hit F8 before Windows starts to bring up the boot menu. If all else fails, maybe Joe (PrevxHelp) knows what's going on.

enchant
December 10th, 2009, 02:57 PM
Thanks, Fajo.

FWIW, it seems that most of the time that Prevx blocks one of these files and turns red, once I do a scan, it finds nothing and goes green again.

I've got another machine that I use as a file server. I can connect this drive to it, but it doesn't have Prevx installed. Is there anything I could do using that setup?

Fajo
December 10th, 2009, 03:09 PM
-{ Quote: "Thanks, Fajo.

FWIW, it seems that most of the time that Prevx blocks one of these files and turns red, once I do a scan, it finds nothing and goes green again.

I've got another machine that I use as a file server. I can connect this drive to it, but it doesn't have Prevx installed. Is there anything I could do using that setup?" }-

It could be something that Prevx is only seeing the traces of. I really would not connect anything else to the computer; your best option is to wait for Joe (PrevxHelp) to log on here, as he could probably take a look at the scan logs and find out what's going on for you. If it happens again, save the scan log and send it to report@prevxresearch.com and post the subject that you sent it as here. It will make it easy for Joe to take a look and get back to you on it.

To save scan log go to

Tools > Save Scan Log (do this when it pops up infected). Send that off to Prevx. Make sure you put something in the title referencing it.

tobacco
December 10th, 2009, 03:38 PM
-{ Quote: " I really would not connect anything else to the computer your best option is to wait for Joe (PrevxHelp) to log on here." }-

Yes, good advice.

While you're waiting, you could upload that file here - http://www.virustotal.com/ to see if it's a false positive or not.

enchant
December 10th, 2009, 03:54 PM
-{ Quote: "Yes, good advice.

While you're waiting, you could upload that file here - http://www.virustotal.com/ to see if it's a false positive or not." }-
Upload which file?

FWIW, I've noticed that this is happening every five minutes exactly.

Habakuck
December 10th, 2009, 04:03 PM
-{ Quote: "Yes, good advice.

While you're waiting, you could upload that file here - http://www.virustotal.com/ to see if it's a false positive or not." }-
That is definitely no FP! :lurking:

look at the filename.

I think it is a Backdoor!


enchant, disconnect your PC from the internet!

Change ALL internet passwords using a clean PC! That is very important!

Wait for Joe's advice and do not use the infected PC until you are in contact with the PrevX support.

enchant
December 10th, 2009, 04:39 PM
Ok, I've booted up off of another drive.

Before doing so, I pulled my ethernet cable, and over five minutes went by and no prevx malware warning came up, so it definitely seems internet related.

Fajo
December 10th, 2009, 04:44 PM
-{ Quote: "Ok, I've booted up off of another drive.

Before doing so, I pulled my ethernet cable, and over five minutes went by and no prevx malware warning came up, so it definitely seems internet related." }-

Keep in mind, if you did this while no internet connection was available, Prevx can't check against its database.

enchant
December 10th, 2009, 04:46 PM
Are you saying that this is why Prevx wasn't reporting errors?

Fajo
December 10th, 2009, 04:48 PM
-{ Quote: "Are you saying that this is why Prevx wasn't reporting errors?" }-

If no internet connection is present while Prevx is scanning, it can't check it against its database, since it's purely on their servers.

Fajo
December 10th, 2009, 04:51 PM
Also, are you using Full Scan instead of Quick Scan?

enchant
December 10th, 2009, 05:06 PM
-{ Quote: "Also, are you using Full Scan instead of Quick Scan?" }-
Please pardon my ignorance, but I don't know. When Prevx is up, there's a big blue button at the bottom
"Scan My PC Now >>"
I don't see an option for quick or full.

However...

Since I'm a bundle of nerves at this point and can't wait for Joe, I needed to do something. I booted up my healthy drive with the infected one mounted. Then I loaded the free version of Prevx on it and did a scan. On the infected drive, it DID find an infected file "C:\windows\system32\drivers\atapi.sys". I deleted this file and copied a fresh one from my good drive, then booted up on it.

It's been over 15 minutes and no problems. But I know this probably means little. Perhaps when the external internet hacker sees that it can't get in, it automatically puts itself on hold for an hour or something. But I'm hopeful.

Fajo
December 10th, 2009, 05:12 PM
-{ Quote: "Please pardon my ignorance, but I don't know. When Prevx is up, there's a big blue button at the bottom
"Scan My PC Now >>"
I don't see an option for quick or full.

However...

Since I'm a bundle of nerves at this point and can't wait for Joe, I needed to do something. I booted up my healthy drive with the infected one mounted. Then I loaded the free version of Prevx on it and did a scan. On the infected drive, it DID find an infected file "C:\windows\system32\drivers\atapi.sys". I deleted this file and copied a fresh one from my good drive, then booted up on it.

It's been over 15 minutes and no problems. But I know this probably means little. Perhaps when the external internet hacker sees that it can't get in, it automatically puts itself on hold for an hour or something. But I'm hopeful." }-

Well, if you have a paid licence, which I'm assuming you do, you can click Tools > Advanced Scan > Full Scan. That will scan everything on the PC, both the clean and suspected drive. Also keep the internet connected so it can communicate with Prevx servers. As long as you are on the clean drive you should be OK. Just don't do anything on the computer until the full scan completes; it normally takes 20-30 min.

enchant
December 10th, 2009, 05:37 PM
-{ Quote: "Well, if you have a paid licence, which I'm assuming you do, you can click Tools > Advanced Scan > Full Scan." }-
Yes, I do, and thanks. When I click on Tools/Advanced Scan, "Deep Scan" is what's checked. Does that mean that this is what happens by default? Or is that unrelated?

Oh, and by the way...

Thanks, everyone, for all your help. It's a scary thing when your system gets infected, and it's comforting that people are willing to help me through it.

Fajo
December 10th, 2009, 05:41 PM
-{ Quote: "Yes, I do, and thanks. When I click on Tools/Advanced Scan, "Deep Scan" is what's checked. Does that mean that this is what happens by default? Or is that unrelated?

Oh, and by the way...

Thanks, everyone, for all your help. It's a scary thing when your system gets infected, and it's comforting that people are willing to help me through it." }-

In all honesty I don't know about that being default. But I do know that's where you select the other options. ;D

And we have all been infected before we know how it is. Most of us are just here to help where we can :)

Let us know what comes of the Full Scan! ;)

Triple Helix
December 10th, 2009, 06:24 PM
-{ Quote: "In all honesty I don't know about that being default. But I do know that's where you select the other options. ;D

And we have all been infected before we know how it is. Most of us are just here to help where we can :)

Let us know what comes of the Full Scan! ;)" }-

Deep scan is default! See attached!

Triple Helix
December 10th, 2009, 06:30 PM
-{ Quote: "Please pardon my ignorance, but I don't know. When Prevx is up, there's a big blue button at the bottom
"Scan My PC Now >>"
" }-

This is default Deep Scan! :thumb:

TH

enchant
December 10th, 2009, 07:46 PM
-{ Quote: "Let us know what comes of the Full Scan! ;)" }-
Well, at 11% finished, a warning box popped up saying:
Your scan exceeded the maximum number of files allowed by your license. Please click OK to upgrade your license or Cancel to abort the scan.

Not sure how I feel about that...

Fajo
December 10th, 2009, 08:50 PM
-{ Quote: "Well, at 11% finished, a warning box popped up saying:
Your scan exceeded the maximum number of files allowed by your license. Please click OK to upgrade your license or Cancel to abort the scan.

Not sure how I feel about that..." }-

Sigh, that seems to be happening a lot lately. This one we will have to wait for PrevxHelp on. You might want to PM Joe (PrevxHelp) your license key so he can extend the number of files. Also, I'm sure he will have more insight on what's going on with this detection. The file limit is just there to stop virus makers from abusing Prevx or companies using Prevx illegally.

enchant
December 10th, 2009, 09:01 PM
Oh, so then I should be able to run a normal full scan on my machine?

Fajo
December 10th, 2009, 09:12 PM
Yes. Most computers don't need more than the current file limit. In some cases they do. Like you having 2 hard drives it's scanning, it's going to have more files than normal. This is an easy fix to be able to scan the whole thing; Joe (PrevxHelp) just needs to adjust a setting on their end for you. But you will need to PM him your key so he can expand the amount needed. What you can do for now, though, is unplug the clean drive, boot off the dirty drive and do a full scan; this might fix the file problem for now, as there is less to scan.

subhrobhandari
December 10th, 2009, 11:30 PM
-{ Quote: "Keep in mind, if you did this while no internet connection was available, Prevx can't check against its database." }-

Prevx keeps a local cache of disinfecting files of ALL previously detected malware, just to prevent any recurring threats WITHOUT connecting to the database at that time.

Fajo
December 10th, 2009, 11:49 PM
-{ Quote: "Prevx keeps a local cache of disinfecting files of ALL previously detected malware, just to prevent any recurring threats WITHOUT connecting to the database at that time." }-

That cache would not be on the clean hard drive as it's a different install in a different OS. At least that's what I was assuming.

Longboard
December 11th, 2009, 02:55 AM
Unless I'm missing something, and in the absence of Joe/PrevX: download MBAM to the other disc, install and run it on the infected (not connected to the www) disc, see what comes up??

is this it?

http://www.google.com/search?btnG=Google+Search&q=atapi+sys+malware
http://forum.sysinternals.com/forum_posts.asp?TID=21266
http://www.surfright.nl/en/home/press/hitman-pro-35-removes-tdl3-rootkit
http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/
http://remove-malware.com/malware/malware-news/atapi-sys-rootkit-is-everywhere/

MBAM may not work
http://www.malwarebytes.org/forums/index.php?showtopic=32988
Check those other links ??

AFAICR, PrevX have been all over this. PrevX have intimated that they have a new tool in progress. If you are a paid-up licensee, there is direct help available at the PrevX web site:
http://www.wilderssecurity.com/showpost.php?p=1579283&postcount=15
http://info.prevx.com/service.asp

PrevxHelp
December 11th, 2009, 04:36 AM
Hello all,
First, let me thank everyone for helping out with regard to support ;D (Fajo in particular! :thumb: )

I've extended your license now, enchant. The limit is due to a scan engine change which will be modified in the next update (due out next week) but for now we're manually updating licenses.

The atapi.sys infection is indeed a headache, as we've described on our blog :) We're currently making a standalone tool to remove it, but for now, scanning from a different operating system will definitely solve it.

After you rescan/re-clean your PC, let me know if you have any other problems!

Thanks again, all! :)
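The offline approach the thread converges on (enchant scanning the infected drive from a clean boot and replacing atapi.sys, and PrevxHelp's note that scanning from a different operating system resolves it), as an added Python example that is not part of this thread and not a Prevx tool: it compares atapi.sys on an offline-mounted suspect volume against the copy on a clean volume and lists any windows\temp\<4 letters>.tmp\svchost.exe leftovers. The volume layout and driver bytes are constructed for the demo; on a real mount the two roots would be the mount points of the clean and suspect drives, and the rootkit is assumed not to be running (which is the point of scanning from another OS).

```python
import hashlib
import re
import tempfile
from pathlib import Path

TMP_DIR_RE = re.compile(r"^[A-Za-z]{4}\.tmp$")  # <4 random letters>.tmp, as in the thread
ATAPI_REL = Path("windows") / "system32" / "drivers" / "atapi.sys"

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_atapi(suspect_root: Path, clean_root: Path) -> dict:
    """Compare atapi.sys on the offline suspect volume with the clean volume's copy."""
    suspect, reference = suspect_root / ATAPI_REL, clean_root / ATAPI_REL
    result = {"path": ATAPI_REL.as_posix(), "present": suspect.is_file()}
    if result["present"]:
        result["suspect_sha256"] = sha256_of(suspect)
        result["matches_clean"] = result["suspect_sha256"] == sha256_of(reference)
    return result

def find_dropper_files(suspect_root: Path) -> list:
    """List windows/temp/<4 letters>.tmp/svchost.exe leftovers, relative to the root."""
    temp = suspect_root / "windows" / "temp"
    hits = []
    for d in (sorted(temp.iterdir()) if temp.is_dir() else []):
        exe = d / "svchost.exe"
        if d.is_dir() and TMP_DIR_RE.match(d.name) and exe.is_file():
            hits.append(exe.relative_to(suspect_root).as_posix())
    return hits

def build_constructed_volumes(base: Path):
    """Constructed demo data, not real malware: a clean volume and a suspect one
    whose atapi.sys differs by a few bytes and which holds one dropper directory."""
    clean, suspect = base / "clean", base / "suspect"
    for root, blob in ((clean, b"DRIVER-BYTES"), (suspect, b"DRIVER-BYTES-PATCHED")):
        (root / ATAPI_REL).parent.mkdir(parents=True)
        (root / ATAPI_REL).write_bytes(blob)
    drop = suspect / "windows" / "temp" / "qwer.tmp"
    drop.mkdir(parents=True)
    (drop / "svchost.exe").write_bytes(b"placeholder text, not an executable")
    return clean, suspect

def run_demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = build_constructed_volumes(Path(tmp))
        return check_atapi(suspect, clean), find_dropper_files(suspect)
```

A mismatching hash only says the file differs from the reference; the reference should come from the same Windows version and service pack, or it will differ for legitimate reasons.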

enchant
December 11th, 2009, 07:49 AM
-{ Quote: "I've extended your license now, enchant." }-
Excellent - thanks!

-{ Quote: "After you rescan/re-clean your PC, let me know if you have any other problems!" }-
Some hair is clogging my sink. Got anything for that?

Longboard
December 11th, 2009, 08:09 AM
Hey enchant, you did good there: handled the infected disc like a pro :thumb:
That rootkit is creating havoc.
May even run in a VM !! May not.
The sysinternals thread is a good read. Even ntunldr and thug4lif3 impressed. ;)
DiabloRed/EP_X0FF: ( - I know - )
http://www.rootkit.com/blog.php?newsid=970&user=DiabloNova

It's never ending really..:-\ , always another cycle.
Some nice ARKs here and there.
http://www.ntinternals.org/anti_rootkits.php
GMER still holding a top position. Nice tool.

In my naivety I'd left some of those tools 'behind' for a while, now have to review what's available again. :dry:

@Joe: thx for the info.
Extremely impressed with PrevX action against this and other mals.
LOL, might even (have to) update to V3.0 ;D

PrevxHelp
December 12th, 2009, 10:57 AM
-{ Quote: "Some hair is clogging my sink. Got anything for that?" }-

Not yet, unfortunately ;D I'll add it to the Todo List... ;)