#26
Just assume that it's your C: drive and for some reason when you boot into the OS it's remapping it to a different drive letter. That said:
from the root of C:, which you're already on in the recovery console, "copy atapi.sys c:\windows\system32\drivers\" is the command, without the quotes.

#27
Quote:
I tried that and here is what I get:
c:\windows>copy atapi.sys c:\windows\system32\drivers\
The system cannot find the file specified.
Any other ideas? Thanks, Jeff

#28
I don't know what you got going on then. You need to go into Windows XP Disk Management from Computer Management in the Administrative Tools and delete that unused partition.
Try to switch to the D: drive, which is the next drive letter and should be your CD drive with the XP disc in it, and try the expand command following the instructions previously posted here, all from the recovery console. Make sure you're in the D:\I386 dir when you do it.

#29
Quote:
It failed because, if I remember well, last time when logged to XP you extracted atapi.sys file to I:. Now when you are in recovery console it should be in C:. But when you issued "copy" command, you were in C:\windows directory and there is no atapi.sys file. So you should type in recovery console:
copy c:\atapi.sys c:\windows\system32\drivers\
or switch to CD drive as ccomputertek wrote, go to I386 folder and type:
expand -r atapi.sy_ c:\windows\system32\drivers\

#30
This I: volume looks really strange. Its size is 103 MB and filesystem is unknown.
Boot into XP, start cmd.exe and type: "diskpart" then "list disk" and "list volume". Post the output here.

#31
Quote:
I attached the screenshot. I will try what you recommended from the previous post. I just have to wonder if I have something more going on than just the virus. Thanks again for all your help. Jeff

#32
As I said before, windows is switching around your drive letters, but from DOS which is the recovery console, it should always be the C: drive then your CD drive as the next letter D:

#33
You probably installed Windows with card reader attached to the PC, that's why it's not C.
When you are installing Windows, always disconnect card reader and when installation is done just plug it back.
__________________
Debian Lenny with few hours of setup, no Antivirus

#34
Quote:
You are correct. I did have a USB thumb drive attached. Is it possible to reassign the drive letters so they are the default setting? Or is it not worth it? Jeff

#35
Success! Here is what worked:
copy c:\atapi.sys c:\windows\system32\drivers\
I typed this in the recovery console and it replaced the file. I ran a full scan with no viruses found.
I appreciate the help from this forum. Best regards, Jeff - AZForexman

#36
There is no drive letter assigned to that 103 MB partition in your XP.
You can run "diskpart" and type:
select disk 0
detail disk
list partition
What's the output?

#37
I'd nuke the install, period, as you seem to be one of those people who don't understand how to delete a partition when you reinstall your OS or understand that having a card reader connected at Windows install will cause drive letter assignment issues. It's a real nightmare to change the Windows drive letter back to C: from I: because a lot of your applications are installed pointing to I:. Dude, it's a borked Windows install... reinstall, but be sure to delete your partitions first.
Solid-State
PS: When you do reinstall Windows you have to remove your internal card reader from your USB controller or you'll just have the same problem over and over again!

#38
Quote:
It's very easy to clean the system, just run Dr.Web CureIt!. Why must someone do such stupid things like the file replacement?!
__________________
Using: brains and hands

#39
Quote:
Ok. I attached the screenshot. Thanks again, Jeff
Last edited by azforexman : November 12th, 2009 at 07:05 PM.

#40
Quote:
If that machine is a prefab then it's the recovery partition. I wouldn't nuke that, friend.
Solid-State

#41
Recovery partition would not be 103 MB in size. But he can check what's on the drive.

#42
Yeah, that's rather small. It's some remnant of a partition he managed to create when he reinstalled Windows with the borked I: active partition.
Solid-State
PS: If Windows install fails at some point, could it leave this behind but still manage to get a working install?
Last edited by SolidState : November 13th, 2009 at 02:38 AM.

#43
Quote:
Hi, I shot a video clip (HD) of cleaning Olmarik (atapi.sys) with the aid of Eset SysRescue:
http://www.youtube.com/watch?v=IgOKCC2lAMw
http://smages.com/i/be/85/be85920e8e...4dee38f318.png
__________________
ESET Smart Security 4.0.467.0 Windows Vista Ultimate x64 SP2

#44
Dr.Web CureIt, that's the answer. The only antivirus that can cure this active rootkit.
__________________
Dr.Web Security Space Windows 7 Ultimate x32

#45
Quote:
This should not be in the Eset Support forum. He ain't looking for recommendations for other AVs, just how to fix his current problem.
__________________
Norton Internet Security 2010. (Real time Protection) Linksys WRT54G v4 Running DD-WRT v24 SP2 Special Edition. (Firewall) "Things in my signature are being currently tested or trialed this is not my main setup and may not be up to date."