Atapi.sys Rootkit is EVERYWHERE!

Man…every client I’ve seen for the past 2 weeks who was infected with malware also had this Atapi.sys rootkit.  I know I’ve written about this about 2 weeks ago, but I wanted to keep this fresh.  If you’re searches are getting redirected and you’ve scanned with just about every thing you can think of then there’s a pretty good chance your atapi.sys has been patched (Microsoft Security Essentials detects a spawned dll from this rootkit…I think it’s called AlureonCT).

One easy way to find out if you have a patched Atapi.sys is to run the latest copy of GMER Anti-RootKit.  Upon opening GMER it will run a very fast quick scan.  If you see any entries like \DEVICEHARDDISK\Atapi (something like that) or Atapi.sys “suspicious modification” (especially this one) then your probably dealing with a very nasty rootkit.

For clients that run Windows XP I’ve just been using Combofix (Combofix disinfects Atapi.sys).  For other operating systems (32-bit) I’ve just been using a bootable anti-malware disc (bartpe) and replacing atapi.sys with one from the Windows disc.

, , ,

24 Responses to Atapi.sys Rootkit is EVERYWHERE!

  1. Nieander December 8, 2009 at 4:42 am #

    Really need help. My atapi.sys file is surely infected with a rootkit. I'm attemping to replace it with a clean file, but I am unable to because the file is always in use. Will Combofix delete and replace the atapi.sys? Because I have heard of system crashes when it is deleted. Please advise! (Never used Combofix.)

  2. Jimmy James December 8, 2009 at 7:45 am #

    I keep a copy of atapi.sys now, so if I do see these symptoms I just replace it from my winpe 2.0 disk

  3. Kai December 8, 2009 at 11:29 am #

    Thanks for the heads-up, Matt!

  4. ARAVIM December 8, 2009 at 2:39 pm #

    Does GMER support'S WINDOWS 7?

  5. Thermalcake December 8, 2009 at 3:22 pm #

    Um… why not ComboFix on other systems (7, Vista)? I think it's compatible now – it's updated every few days.

  6. ARAVIM December 8, 2009 at 7:07 pm #



    i dident knew that..

    does combofix has a offical site?

  7. LoveSophos December 8, 2009 at 9:59 pm #


    You can't use combofix on vista or 7 because it becomes unbootable and corrupted.

    Read what Matt said himself:

  8. AV-Guy December 8, 2009 at 10:07 pm #


    I've used Combofix on several Vista machines, and I haven't had a mishap yet. I have never tried it on a Windows 7 machine.

  9. ryan December 8, 2009 at 10:12 pm #

    Microsoft security essentials is really good at preventing rootkits but not so good with adware they need to work on that… i still use it and had no problems i also use sandbox and hips comodo

  10. bogdan December 9, 2009 at 10:52 am #

    Atapi.sys (located in system32drivers) is one of the first drivers that gets loaded so it should always be in use. This means that infecting it is really hard. Is there a possibility that infection might be caused by a MBR rootkit? Recently mbam was detecting atapi.sys but it turned out to be a FP and they fixed it.

  11. Thermalcake December 9, 2009 at 11:41 am #


    As you can see there is my comment 😉

  12. malwarekilla December 9, 2009 at 10:57 pm #

    @Nieander – you'll have to use a bootable windows environment (BARTPE disc) to replace replace the infected Atapi.sys with a good one.

  13. Brandon December 10, 2009 at 1:02 am #

    Hey matt, found out the name of the rootkit for ya. It's called TDL3, really nasty because I think it has the ability to show fake MD5's to legitimate programs.

  14. Brandon December 10, 2009 at 1:11 am #

    Also, googling says that Hitman Pro 3.5 build 79 or newer also removes the rootkit.

  15. Erik Loman December 10, 2009 at 11:40 am #

    You can also use Hitman Pro 3.5 which will cure the Atapi.sys infection (TDL3 rootkit).

  16. marijne March 22, 2010 at 7:14 pm #

    To all not so experienced users affected by Alureon.
    After a painful search and testing several apps: AVG, Malwarebytes’ Anti-Malware, Comodo Antivir, Malicious Software Removal Tool didn’t find this Trojan; XDelBox didn’t work.
    Pareto would find a worm Parite.A instead, didn’t try to remove it with Pareto because there was no trial version and I have already tried other aps that would find sth but not be able to remove it, so I din’t want to risk spending money for nothing. I downloaded this Parite removal soft:…ad-105613.html this remover would not work either;
    Microsoft Security Essentials and Microsoft Live Scan were able to find Alureon, but they failed and couldn’t remove it.
    Comodo Firewall prompted me about the trojan actions, this is how I learned about it in the first place.
    Finally I found this site!!! and learned about Hitman Pro 3.5 and that is the solution! Hitman Pro finally got rid of this trojan and removed it. I believe more complicated solutiins also work, but since I know not too much about registry and complicated computer stuff, this is ideal for me. I just thought I would share to save others, bit unexperienced users.
    Thanks for sharing your knowledge, everyone.

  17. Tonyf May 14, 2010 at 8:52 pm #

    Hitman Pro worked great, thanks marijne!! But its only a 30 day trial 🙁

  18. L.C. July 17, 2010 at 4:55 am #

    Hitman Pro no longer works on the newer version of TDL that is out now. GMER is reading the MD5’s wrong from the drivers and just spitting out atapi.sys but actually other drivers are infected. On top of all that the new version of GMER causes memory leaks that will cause your PC to BSOD and reboot.

  19. Erik July 17, 2010 at 7:47 pm #

    Hitman Pro *DOES* work against the latest variants, confirmed by

  20. Allclick August 13, 2010 at 9:34 pm #

    I have this problem. I just downloaded hitman 3.5 and it detects and removes it but it keeps appearing on reboot! I need more help removing TDL3.

  21. Project January 31, 2011 at 10:28 pm #

    I also tried Hitman pro 3.5 and it didn’t work. I’ll give it another try though.

  22. guest March 26, 2012 at 3:57 pm #

    Yep I really need help on this one too…Windows 7 64 bit.

  23. Kimpaes April 16, 2012 at 3:25 pm #

    So how do you get rid of it?


  1. Win32/Alureon.gen - Microsoft Security - March 22, 2010

    […] the trojan actions, this is how I learned about it in the first place. Finally I found this site:…is-everywhere/ and learned about Hitman Pro 3.5 and that is the solution! Hitman Pro finally got rid of this […]

Leave a Reply