Comments on: Nasty New Rootkit Patches Atapi.sys http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/ Wed, 17 Mar 2010 05:57:47 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: BuddyS http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5679 BuddyS Thu, 18 Feb 2010 07:39:36 +0000 http://remove-malware.com/?p=1930#comment-5679 MalwareBytes (free) includes FileAssassin, which can delete the file directly from within Windows. Then you can replace the file with a fresh, clean copy. (I'm going to try using a copy from the sp3.cab on the same drive.) MalwareBytes (free) includes FileAssassin, which can delete the file directly from within Windows. Then you can replace the file with a fresh, clean copy. (I’m going to try using a copy from the sp3.cab on the same drive.)

]]> By: Captiosus http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5559 Captiosus Fri, 29 Jan 2010 19:36:35 +0000 http://remove-malware.com/?p=1930#comment-5559 the one i got came in a "package" with a whole slew of other viruses. After killing them off, the one in the atapi.sys file stayed behind. How i got rid of the SOB: 1. burn a linux live CD (get Puppy linux if you are impatient, only about 400MB) 2. memorize the location of atapi.sys, you will need to know this 3. get a working copy of windows on another machine or hard drive, navigate to the same directory ON THAT SYSTEM where the clean atapi.sys file is located, and copy to a flash drive 4. reboot the infected computer with the liveCD in it, it should load the disk. 5. open 2 windows in linux, 1 to the directory where the infected file is, and another to the flash drive. 6. copy the clean file OFF THE FLASH DRIVE to the directory where the infected file is, and overwrite it. Alternatively, delete the infected file first before copying. 7. reboot, and make sure the liveCD is out before it starts loading. thats what i did, and it worked like a charm. the one i got came in a “package” with a whole slew of other viruses. After killing them off, the one in the atapi.sys file stayed behind.

How i got rid of the SOB:
1. burn a linux live CD (get Puppy linux if you are impatient, only about 400MB)
2. memorize the location of atapi.sys, you will need to know this
3. get a working copy of windows on another machine or hard drive, navigate to the same directory ON THAT SYSTEM where the clean atapi.sys file is located, and copy to a flash drive
4. reboot the infected computer with the liveCD in it, it should load the disk.
5. open 2 windows in linux, 1 to the directory where the infected file is, and another to the flash drive.
6. copy the clean file OFF THE FLASH DRIVE to the directory where the infected file is, and overwrite it. Alternatively, delete the infected file first before copying.
7. reboot, and make sure the liveCD is out before it starts loading.

thats what i did, and it worked like a charm.

]]> By: TwoCats http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5389 TwoCats Fri, 15 Jan 2010 02:46:17 +0000 http://remove-malware.com/?p=1930#comment-5389 Mine created a fake svchost.exe in win\temp every 5 minutes on the dot. There was extensive communication with a couple IP addresses registered to RIPE Network Coordination Centre. Some of the malware my (now ex-)AV software managed to catch were keyloggers. If it weren't for the stupid redirects I'm not so sure I would have even noticed this one. My 'security' software sure didn't. Mine created a fake svchost.exe in win\temp every 5 minutes on the dot. There was extensive communication with a couple IP addresses registered to RIPE Network Coordination Centre. Some of the malware my (now ex-)AV software managed to catch were keyloggers.
If it weren’t for the stupid redirects I’m not so sure I would have even noticed this one. My ’security’ software sure didn’t.

]]> By: Martin http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5383 Martin Thu, 14 Jan 2010 19:36:17 +0000 http://remove-malware.com/?p=1930#comment-5383 Does anyone have extensive information on what this rootkit actually does? Does it only redirect searches or does it have other malicious uses as well? Does anyone have extensive information on what this rootkit actually does? Does it only redirect searches or does it have other malicious uses as well?

]]> By: TwoCats http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5367 TwoCats Wed, 13 Jan 2010 02:42:12 +0000 http://remove-malware.com/?p=1930#comment-5367 There are 2 instances of atapi.sys in Windows -> in system\drivers AND system32\dllcache. Both will be infected by this rootkit. If you don't overwrite both it'll keep coming back after every boot. There are 2 instances of atapi.sys in Windows -> in system\drivers AND system32\dllcache. Both will be infected by this rootkit. If you don’t overwrite both it’ll keep coming back after every boot.

]]> By: AndrewBrooklyn http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5259 AndrewBrooklyn Tue, 05 Jan 2010 04:27:28 +0000 http://remove-malware.com/?p=1930#comment-5259 Wow! Great news -- I'll certainly be looking forward to it! Wow! Great news — I’ll certainly be looking forward to it!

]]> By: malwarekilla http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5253 malwarekilla Tue, 05 Jan 2010 02:15:48 +0000 http://remove-malware.com/?p=1930#comment-5253 AndrewBrooklyn - I'm releasing a guide on this issue tomorrow morning (C.S.T)...it'll be called something like "How To Remove and Clean Up the TDSS Malware Pack"...somthin like that. I would post it tonight but I'm actually removing those infections on client PC's as week speak. Stay tuned. AndrewBrooklyn – I’m releasing a guide on this issue tomorrow morning (C.S.T)…it’ll be called something like “How To Remove and Clean Up the TDSS Malware Pack”…somthin like that. I would post it tonight but I’m actually removing those infections on client PC’s as week speak. Stay tuned.

]]> By: AndrewBrooklyn http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5250 AndrewBrooklyn Mon, 04 Jan 2010 23:25:20 +0000 http://remove-malware.com/?p=1930#comment-5250 Okay -- ComboFix got rid of the bad ATAPI.SYS, but when I rebooted, I just got the blue screen of death. Found out that atapi.sys was missing from the \windows\system32\drivers directory. I put it back using recovery console. I booted up with no problems. However, atapi.sys keeps deleting itself from the drivers directory, and every time I boot my machine, I have to go into recovery console and copy the file over again. Frustrating to say the least! Any ideas? Okay –

ComboFix got rid of the bad ATAPI.SYS, but when I rebooted, I just got the blue screen of death.

Found out that atapi.sys was missing from the \windows\system32\drivers directory.

I put it back using recovery console. I booted up with no problems.

However, atapi.sys keeps deleting itself from the drivers directory, and every time I boot my machine, I have to go into recovery console and copy the file over again. Frustrating to say the least!

Any ideas?

]]> By: Gordo http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5216 Gordo Fri, 01 Jan 2010 04:46:11 +0000 http://remove-malware.com/?p=1930#comment-5216 I got zapped with this trojan which messed up my atapi.sys file. Combofix has been helpful but my IE7 and Firefox search engines are still being redirected and I am being attack every 20 minutes or so from this ip address 212.117.174.176 Malwarebytes has also been helpfull and removed a handfull of viruses and trojans. But the atapi.sys infection is a nasty one to fix. In the mean time I've down loaded a very cool keystroke encrytor called Keyscambler which I highly recommend. I got it from Majorgeeks.com I need a clean machine as I am unemployed and use it for job searching and submitting resumes. Glad to get 2009 over with. Bring on the new decade. Happy New Years! I got zapped with this trojan which messed up my atapi.sys file. Combofix has been helpful but my IE7 and Firefox search engines are still being redirected and I am being attack every 20 minutes or so from this ip address 212.117.174.176

Malwarebytes has also been helpfull and removed a handfull of viruses and trojans. But the atapi.sys infection is a nasty one to fix.

In the mean time I’ve down loaded a very cool keystroke encrytor called Keyscambler which I highly recommend. I got it from Majorgeeks.com

I need a clean machine as I am unemployed and use it for job searching and submitting resumes. Glad to get 2009 over with. Bring on the new decade.

Happy New Years!

]]> By: Dave http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/comment-page-1/#comment-5207 Dave Thu, 31 Dec 2009 05:51:36 +0000 http://remove-malware.com/?p=1930#comment-5207 I have the same problem, apprently it is the 'win32:Alureon' virus. I just hope it havent send any of my passwords to its source I have the same problem, apprently it is the ‘win32:Alureon’ virus.
I just hope it havent send any of my passwords to its source

]]>