Win32/Olmarik.OF Virus - Can't Delete

Discussion in 'ESET NOD32 Antivirus' started by azforexman, Nov 3, 2009.

Thread Status:
Not open for further replies.
  1. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    I'm sorry if I posted this in the wrong forum. Eset NOD32 V4 keeps coming up with a virus detection. The problem is that it won't let me delete it. I have copied two of the log files from when the alert pops up.

    11/3/2009 10:57:05 AM Real-time file system protection file I:\WINDOWS\system32\drivers\atapi.sys Win32/Olmarik.OF virus error while deleting - operation unavailable for this object type NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: I:\WINDOWS\System32\svchost.exe.

    11/3/2009 12:02:57 PM Startup scanner file I:\WINDOWS\system32\DRIVERS\atapi.sys Win32/Olmarik.OF virus unable to clean


    Any help or suggestions would be greatly appreciated.

    Thanks,
    Jeff - AZForexman :)
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's a rootkit, so the best would be to boot from clean media and replace atapi.sys with a clean file from the Windows installation CD or another clean computer with the very same OS.
     
  3. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    Thanks for the response. Do you have any links to instructions on how to do this? I have the OS disk but I'm not sure how to replace just that file.

    Thanks,
    Jeff
     
  4. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    What is the OS?
    If XP, then:

    From the command prompt, type the drive letter of your XP media, then cd I386, then:

    expand -r atapi.sy_ c:\windows\system32\drivers\
     
  5. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    I'm using Windows XP Home Edition on this computer.

    I want to make sure I understand the steps before I start changing things. I've had such bad luck with Windows products that I am very cautious.

    From the command prompt I will:

    - type the letter of the drive that has my windows XP OS disk in it.

    - then type: cd I386

    - then type: expand -r atapi.sy_ c:\windows\system32\drivers\

    Is that it? Does that copy the file over?

    I appreciate the responses.

    Best Regards,
    Jeff
     
  6. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    From the command prompt:

    - Type the letter of the drive that has the Windows XP OS disk in it and press Enter. That would be D: if your CD drive is D, for example. You must type D, colon and Enter, or whatever the drive letter is.

    - Then type: cd I386 and press Enter.

    - Then type: expand -r atapi.sy_ c:\windows\system32\drivers\ and hit Enter.
     
  7. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    Ok...I gave it a shot and it didn't seem to work. I have attached a screenshot of what happened. Any ideas?

    Thanks,
    Jeff
     
  8. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Try from safe mode. If that doesn't work, try from safe mode with the backslash removed after drivers\.

    Sometimes these commands are picky.

    Also, if you do this without safe mode, Windows File Protection may be interfering.
     
  9. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    Still no luck. Any other ideas? Would I be better off installing a clean copy of XP? Can I use the same copy of XP that I originally installed on this computer if I do a clean install? I have the system builder edition.

    Thanks for the help.

    Jeff
     
  10. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Ok, it doesn't want to let you write to the system folder that way. From safe mode:

    expand -r atapi.sy_ c: or c:\ and press Enter. This will put the new copy of the file at the root of the C drive, then:

    then cut and paste the atapi.sys file into the windows\system32\drivers\ folder.

    Maybe even though you're in the I386 folder in the command prompt, it still wants the full path. I don't know; I don't have my XP disk here to see what's going on.

    Try from the I386 folder:
    Expand -r G:\I386\Atapi.sy_ c:
     
    Last edited: Nov 3, 2009
  11. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
    What's the drive letter of your system partition (where Windows is installed)? Is it I:\? I assume so, since when you started cmd.exe, you were in directory I:\Documents and Settings\Main.

    If so, try again:
    expand -r atapi.sy_ I:\windows\system32\drivers\
     
  12. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Ahhhhhhhh good eye trencan, I did not realize that, see what happens when you don't pay attention :ouch:

    So I had it right the first time, just the wrong drive letter.
     
  13. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    Ok...I was getting excited but it didn't work. I have attached another screen shot of the error. Any ideas?

    I think I am at the point where I just want to put a clean version of XP on the computer. I just want to make sure that I can use the XP disc that was used originally on this computer. It is an OEM System Builder Pack and I can't remember if it can be reloaded on the same computer. I bought it from NewEgg and it was cheaper than the retail edition. Does anyone know if this will cause me any issues when it tries to authenticate the OS?

    Again, I appreciate all the help.

    Best Regards,

    Jeff
     
  14. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Just try sending it to the root of the I: drive.

    expand -r atapi.sy_ I:\
     
  15. othersteve

    othersteve Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    30
    If we can get it to expand, you may be able to use a utility like The Avenger to force overwrite the file without removing the drive.

    Jeff, don't give up yet just because of a rootkit. There are definite ways to correct the issue without having to reformat. But to answer your question, you will need to use an OEM CD Key with an OEM copy of Windows XP. If you have your original disc and CD Key, you can always reload with that.
     
    Last edited: Nov 5, 2009
  16. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
    It looks like some process has opened atapi.sys and doesn't allow write access to others. Best would be to boot from the XP installation CD into the Recovery Console and use the same command from there. But before using it, check what the drive letter of your Windows installation directory is after booting into the Recovery Console.
     
  17. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    I think I am making some progress. I was able to expand it to the I: drive. I have attached 2 screen shots of the progress. I'm not sure what to do at this point.

    I'm assuming I need to copy and paste it somewhere based on a previous post, but I'm not sure where to paste it. Would it be in I:\windows\system32\drivers\?

    I did try to start the computer with the XP disc in the Recovery Console, but it was only giving me an option for the c: drive. I think when I loaded this fresh copy of XP on this computer I didn't completely delete the C: drive, and it created a new drive, which is I:. The I: drive has the OS on it and all my data. So I'm not sure if using the Recovery Console is an option.

    Again, thanks everyone for the help.

    Best Regards,

    Jeff
     
  18. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    I decided to get brave and I tried to copy and paste the atapi.sys file into I:\windows\system32\drivers\. It said that it couldn't paste it because the file was being used by another program or person. I also tried this in safe mode with the same result.

    Can I force the file to copy? Or can I try and stop whatever process is using this file? I have Process Explorer if this would help.

    Thanks,
    Jeff - AZForexman
     
  19. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    What was I thinking? Of course it wouldn't copy over; atapi.sys is always being used by your hard disk controller. Maybe the Recovery Console maps your drive to C and when you boot into Windows it maps it to I. Try the Recovery Console and type help to get a list of commands, and see if the C drive is correct as your operating system drive using the " dir " command or something, as far as the Recovery Console is concerned anyway. Then from the root of C, which you're already on: " copy atapi.sys c:\windows\system32\drivers\ "
     
  20. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
    When you boot into the Recovery Console, do you see the same content on drive C: as you saw in normal mode on drive I:? If so, then you can copy atapi.sys to c:\windows\system32\drivers in the Recovery Console.

    And what do you see in Process Explorer, which process is using atapi.sys? Use "Find"->"Find Handle or Dll" and type atapi.sys. In a normal case this file should not be opened; I tried to delete it in a virtual machine and it succeeded.
     
  21. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    I booted into the Recovery Console and it opened the c: drive. I did the dir command and a list of files opened. It definitely is not all of the files that I have on the I: drive. I tried changing it to the I: drive and doing the dir command again, but it gave me an error.

    When I do a search on Process Explorer for atapi.sys it shows 0 matching items. Any other ideas?

    Thanks,
    Jeff
     
  22. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    I attached 2 screenshots showing the quarantine log and the threat detection log. It shows that the file was quarantined, but it also detects it on every startup scan. I noticed that some of the detected threats have "drivers" in lower case and others in upper case. Could this be causing a problem?
     
  23. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    When you do the dir command, you don't see your Windows dir showing up at the Recovery Console on the C: drive?
     
  24. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
    When you start the Recovery Console, there is an option for which OS installation you want to log onto, something like: 1. c:\windows
    What do you see there? It should list all available OS installations on your HDD.

    If there is only C:, log onto it. Now type "diskpart". Which volume letters do you see? Is there something else besides C:? If so, quit diskpart, then switch to each volume listed and, via the "dir" command, try to find the one which is your system volume I:.

    Once you find the drive letter for your system volume, use it in the "expand" command.
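The procedure the thread converges on (confirm the drive letter of the Windows volume, expand atapi.sy_ from the CD's I386 folder, replace the locked driver from outside the running OS) collected into one script, as an added example that is not from the thread, from ESET or from Microsoft. It assumes a clean boot environment with a full cmd.exe (a WinPE-style CD; the XP Recovery Console's limited command set cannot run it), the infected Windows volume and the XP CD passed as the two drive-letter arguments, and a hypothetical scratch directory name atapi_check.

```batch
@echo off
rem Added example (not from the thread): compare the installed atapi.sys on an
rem offline Windows XP volume with the copy expanded from the XP CD and replace
rem it only if the two differ. Run from clean boot media so nothing on the
rem infected OS holds the file open and Windows File Protection is not running.
rem Usage: check_atapi.cmd <WindowsVolume:> <CDdrive:>   e.g. check_atapi.cmd I: D:
rem Exit code: 0 = matches CD copy, 1 = differed (replaced), 2 = could not check.
setlocal
if "%~2"=="" (
    echo Usage: %~n0 ^<WindowsVolume:^> ^<CDdrive:^>
    exit /b 2
)
set "WINVOL=%~1"
set "CDROM=%~2"
set "TARGET=%WINVOL%\windows\system32\drivers\atapi.sys"
set "SRC=%CDROM%\I386\atapi.sy_"
rem Hypothetical scratch directory on the Windows volume (assumption).
set "TMPDIR=%WINVOL%\atapi_check"
if not exist "%SRC%" (
    echo Cannot find %SRC% - is %CDROM% the XP installation CD?
    exit /b 2
)
if not exist "%TARGET%" (
    echo Cannot find %TARGET% - is %WINVOL% the Windows volume?
    exit /b 2
)
rem Expand the compressed CD copy into the scratch directory, never straight
rem over the driver, so the two files can be compared first.
if not exist "%TMPDIR%" mkdir "%TMPDIR%"
expand -r "%SRC%" "%TMPDIR%\" >nul
if errorlevel 1 (
    echo expand failed
    exit /b 2
)
rem Byte-for-byte compare: fc sets errorlevel 0 when identical, 1 when different.
fc /b "%TMPDIR%\atapi.sys" "%TARGET%" >nul
if errorlevel 1 (
    echo Installed atapi.sys differs from the CD copy - keeping it and replacing it.
    copy /y "%TARGET%" "%TMPDIR%\atapi.sys.suspect" >nul
    copy /y "%TMPDIR%\atapi.sys" "%TARGET%" >nul
    if errorlevel 1 (
        echo Copy failed - file still locked or volume read-only.
        exit /b 2
    )
    echo Replaced. Original kept at %TMPDIR%\atapi.sys.suspect for analysis.
    exit /b 1
)
echo Installed atapi.sys matches the CD copy.
exit /b 0
```

A mismatch is not by itself proof of infection: an installed atapi.sys at a different service pack level than the CD will also differ, which is why the thread says to take the clean copy from the very same OS version.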
     
  25. azforexman

    azforexman Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    16
    OK...I started the computer with the Recovery Console and the only option is C:. So I used that option and then the command diskpart.

    This is what came up...

    I: Partition 1 [unknown] 103 MB (103 MB Free)
    C: Partition 2 [NTFS] 76205 MB (52835 MB Free)

    That is interesting. Here is what the dir of the C: drive shows.

    Directory of C:\
    9/08/09 7:20p d------- 0 02c65197efbfb7ccaf74c3
    04/14/08 12:10a -a------ 96512 atapi.sys
    09/03/09 8:03a ---hs--- 210 boot.ini
    11/03/09 6:07p d------- 0 Documents and Settings
    10/17/09 2:04p d------- 0 GForceTraders
    10/20/09 11:01a -a-h---- 459 IPH.PH
    04/14/08 5:00a -arhs---- 47564 NTDETECT.COM
    04/14/08 5:00a -arhs---- 250048 ntldr
    11/05/09 3:21p d-------- 0 Program Files
    9/03/09 8:06p d--hs---- 0 RECYCLER
    11/10/09 3:05p d--hs--- 0 System Volume Information
    11/05/09 2:02p d-------- 0 Windows

    When I switch over to the I: drive and use the dir command, it gives this error: An error occurred during directory enumeration.

    Any suggestions?

    Thanks,
    Jeff
     