Fix Possible Rootkit Infection; Atapi.sys? Tutorial

Home > Possible Rootkit > Possible Rootkit Infection; Atapi.sys?

Possible Rootkit Infection; Atapi.sys?

By not patching in February, to avoid a BSOD, we are now exposing our PCs to other threats! seems OK Daniel It causes a BSOD Matthew Atapi.sys 5.1.2600.1135 Dude Had a series of BSOD (Blue Screen of Death) starring atapi.sys on a PC The symptoms encountered were Google results getting redirected to random spam web sites in Firefox (I tried to reporduce it in IE, but it didn't seem to affect that browser, but Two popular tools are Microsoft Windows Defender Offline and Kaspersky TDSSKiller. check over here

You didn’t have the threat landscape that exists today. Finding out is not so easy. Retrieved 19 August 2015. ^ Allureon/win32, Microsoft, March 2007 ^ "Google warns of massive malware outbreak". BAD: KB977165 - uninstall or do not install VIRUS: Still none found. great post to read

Good luck!This subject is now closed. First to note: Zeus is not self-propagating. Then a Malwarebytes box appeared saying something else was trying to do something, so I clicked on Quarantine.

Wait for a couple of minutes. 9. It first appeared in 2008 as TDL-1 being detected by Kaspersky Lab in April 2008. As I'm running off of a different installation of Windows simply running regedit won't help to fix the registry which had the keys removed. Privacy policy About Wikipedia Disclaimers Contact Wikipedia Developers Cookie statement Mobile view Jump to content Malwarebytes 3.0 Existing user?

Known file sizes on Windows 10/8/7/XP are 96,512bytes (56% of all occurrences), 95,360bytes, 21,584bytes or 19,944bytes. I'm grateful to you for responding. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. read this article From a random RapidShare link?

Unfortunately, my computer could no longer boot up. Here's what I did:1) I made an Ultimate Boot CD for Windows. I told Malwarebytes to remove the checked items. I will not provide the steps to do this, but you are welcome to look into these options.

Then it infects low-level system drivers such as those responsible for PATA operations (atapi.sys) to implement its rootkit. Atapi.sys is located in the C:\Windows\System32\drivers folder. That's why I thought about looking at the drive through another machine. Double click on RSIT.exe to run RSIT.

WinSockFix from Take responsibility for protecting your system because you are its first and best defense.Tools Downloaded To Clean Your ComputerI may have asked you to install some tools. The install function searches for the ‘winlogon.exe' process, allocates some memory within it, and decrypts itself into the process. Thankfully, I haven't deleted anything yet, but if I did, this would be very helpful.

Barnes Toggle navigation Home About Contact I fight for the users. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged Once I replaced the missing atapi.sys file the remaining systems booted up normally. All rights reserved.

Jump to content Sign In Create Account Search Advanced Search section: This topic Forums Members Help Files Calendar View New Content Forum Rules Forums

Several functions may not work. The atapi.sys file is a trustworthy file from Microsoft. A rootkit by definition is supposed to attain ‘root'.

For an article on antivirus programs and a listing of some available ones see the link below: Computer Safety On line - Anti-Virus Visit Microsoft's Windows Update Site Frequently: It is

Include the address of this thread in your request. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.Thanks. Part of the instructions were to temporarily disable any system protection. Permalink Submitted by tago (not verified) on Sat, 02/13/2010 - 15:34 Bootable Live-CDs: Avira Rescue CD: Dr.

That fixed my customer's BSOD immediately, and I think I have another one scheduled to come in . . . I know that when Vista first came out, people kept talking about what a pain UAC was, and how to turn it off so they didn't have to keep entering passwords. It downloads different versions of trojans and itself comes in different flavors. This is a false positive. * I posted SHA1SUM results in a few other places.

And you may remember he openly advocates (nags about) using a Linux live CD for critical operations. No, these rootkits install themselves so easily because there is no resistance from the system. While you may have what appears to be normal access to the internet and email, other functions may not be working properly. Share this post Link to post Share on other sites rchusid    New Member Members 7 posts ID: 16   Posted November 11, 2009 I have the same problem.

That said, you are targeting the worst case here, which may not be fair. UPDATE 2: I have placed these instructions on my wiki. So, I will edit the instructions a bit, for novices. 1. The file I used was rather old btw.

Like Malwarebytes, this tool has been specially created to deal with this kind of threat. Regardless, considering the nature of threats these days, it is imperative to implement one of the biggest defenses against malware, the use of a non-admin account. Pavlov rings his bell and the dogs salivate because it's time for dinner. This tutorial will teach you the various ways on how to do this.

That makes me think that some commonly used Antivirus or AntiSpyware programs must remove the infected files altogether. CD is more foolproof. Yet, many Windows users run as Admin and don't realize the danger this entails. One of the first things I tried was running SFC form an ERD boot disk.

Turn on any router or hub that your computer may be plugged into. 8. Is there a simple utility I can download which will allow me to fix the registry in a different installation of windows? Yes, he uses Windows too because he wants to report on the general security situation. Damon We will see!

Do you have additional information?