Man… every client I’ve seen for the past 2 weeks who was infected with malware also had this Atapi.sys rootkit. I know I wrote about this about 2 weeks ago, but I wanted to keep it fresh. If your searches are getting redirected and you’ve scanned with just about everything you can think of, then there’s a pretty good chance your atapi.sys has been patched (Microsoft Security Essentials detects a DLL spawned by this rootkit… I think it’s called AlureonCT).
One easy way to find out whether you have a patched Atapi.sys is to run the latest copy of GMER Anti-Rootkit. When GMER opens it runs a very fast quick scan. If you see any entries like \DEVICEHARDDISK\Atapi (something like that) or Atapi.sys “suspicious modification” (especially this one), then you’re probably dealing with a very nasty rootkit.
For clients running Windows XP I’ve just been using Combofix (Combofix disinfects Atapi.sys). For other 32-bit operating systems I’ve just been using a bootable anti-malware disc (BartPE) and replacing atapi.sys with one from the Windows disc.
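As an added example that is not part of the original post (and not code from GMER or Combofix): a small Python script meant to be run from the boot disc with the infected volume mounted. It compares the suspect atapi.sys against a known-good copy taken from the Windows disc by size and SHA-256, which is the check a technician wants before deciding to swap the file. Running it offline matters because a kernel rootkit that has patched atapi.sys sits underneath every tool inside the infected Windows, so a hash taken from there cannot be trusted. The drive letters, the default file locations and the use of expand.exe for the compressed copy on the install media are assumptions.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post: compare a suspect
atapi.sys against a known-good reference copy by size and SHA-256.

Intended to run from a bootable environment (BartPE / WinPE) with the
infected volume mounted, not from inside the infected Windows.
All paths are assumptions for the example."""
import hashlib
import os
import sys


def sha256_of(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so the whole driver never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_driver(suspect_path, reference_path):
    """Return a dict describing whether the suspect file differs from the reference."""
    suspect_hash = sha256_of(suspect_path)
    reference_hash = sha256_of(reference_path)
    return {
        "suspect": suspect_path,
        "reference": reference_path,
        "suspect_sha256": suspect_hash,
        "reference_sha256": reference_hash,
        # Positive when the suspect file is larger than the clean copy.
        "size_delta": os.path.getsize(suspect_path) - os.path.getsize(reference_path),
        "modified": suspect_hash != reference_hash,
    }


def format_report(result):
    """Render the comparison as plain text for the boot-disc console."""
    lines = [
        "suspect:   %s" % result["suspect"],
        "reference: %s" % result["reference"],
        "sha256 (suspect):   %s" % result["suspect_sha256"],
        "sha256 (reference): %s" % result["reference_sha256"],
        "size delta: %+d bytes" % result["size_delta"],
    ]
    if result["modified"]:
        lines.append("VERDICT: atapi.sys differs from the reference - replace it from the boot disc")
    else:
        lines.append("VERDICT: atapi.sys matches the reference")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed mount points: infected volume on D:, Windows install media on E:.
    # On an XP disc the driver is stored compressed (atapi.sy_); expand it with
    # expand.exe to a plain atapi.sys first and point the second argument at that.
    suspect = sys.argv[1] if len(sys.argv) > 1 else r"D:\Windows\system32\drivers\atapi.sys"
    reference = sys.argv[2] if len(sys.argv) > 2 else r"E:\atapi.sys"
    print(format_report(compare_driver(suspect, reference)))
```

Usage from the boot disc: `python compare_atapi.py D:\Windows\system32\drivers\atapi.sys E:\atapi.sys`. A "differs" verdict on its own only tells you the file is not the same build as the reference, so compare against the copy matching the client's Windows version and service pack before replacing it.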



Really need help. My atapi.sys file is surely infected with a rootkit. I’m attempting to replace it with a clean file, but I am unable to because the file is always in use. Will Combofix delete and replace the atapi.sys? Because I have heard of system crashes when it is deleted. Please advise! (Never used Combofix.)
I keep a copy of atapi.sys now, so if I do see these symptoms I just replace it from my WinPE 2.0 disk.
Thanks for the heads-up, Matt!
Does GMER support Windows 7?
Um… why not ComboFix on other systems (7, Vista)? I think it’s compatible now – it’s updated every few days.
Thermalcake@
Really?
I didn’t know that..
Does Combofix have an official site?
@Thermalcake:
You can’t use combofix on vista or 7 because it becomes unbootable and corrupted.
Read what Matt said himself:
http://remove-malware.com/antimalware/anti-malware-news/using-combofix-on-windows-vista-and-windows-7-i-wouldnt/
@LoveSophos
I’ve used Combofix on several Vista machines, and I haven’t had a mishap yet. I have never tried it on a Windows 7 machine.
Microsoft Security Essentials is really good at preventing rootkits but not so good with adware; they need to work on that… I still use it and have had no problems. I also use a sandbox and HIPS (Comodo).
Atapi.sys (located in system32\drivers) is one of the first drivers that gets loaded, so it should always be in use. This means that infecting it is really hard. Is there a possibility that the infection might be caused by an MBR rootkit? Recently mbam was detecting atapi.sys but it turned out to be a FP and they fixed it.
@LoveSophos:
As you can see there is my comment
@Nieander – you’ll have to use a bootable Windows environment (BartPE disc) to replace the infected Atapi.sys with a good one.
Hey Matt, found out the name of the rootkit for ya. It’s called TDL3, really nasty because I think it has the ability to show fake MD5s to legitimate programs.
http://forum.avast.com/index.php?topic=51910.0
Also, googling says that Hitman Pro 3.5 build 79 or newer also removes the rootkit.
http://www.wilderssecurity.com/showthread.php?p=1585048
You can also use Hitman Pro 3.5 which will cure the Atapi.sys infection (TDL3 rootkit).