Comments on: Nasty New Rootkit Patches Atapi.sys

By: Dean-o

Dean-o — Mon, 28 Jun 2010 03:24:23 +0000

The one that got me was actually a rootkit that infected Windows\system32\drivers\disk.sys
I couldn’t kill it. It kept coming back. It had amazing powers, like it could hide the primary disk from the Windows Disk Management tool, or disable a USB keyboard during bootup to prevent going into safe mode.
What finally got rid of it? tdsskiller.
What didn’t work for me? Hitman Pro, Hijack This, AVG Free, Spybot Search and Destroy, Malwarebytes, and Symantec.
Good luck to all in fighting this!

By: rich

rich — Tue, 08 Jun 2010 19:55:38 +0000

it is a TDSS rootkit. extremely hard to remove. wont let you use any antivirus. superantispyware and a bootcd are your only hope

By: Billy

Billy — Mon, 10 May 2010 23:01:14 +0000

will a reformat get rid of this SOB???…i cant install combofix and kapersky root killer finds it but it comes back after the reboot

By: BuddyS

BuddyS — Thu, 18 Feb 2010 07:39:36 +0000

MalwareBytes (free) includes FileAssassin, which can delete the file directly from within Windows. Then you can replace the file with a fresh, clean copy. (I’m going to try using a copy from the sp3.cab on the same drive.)

By: Captiosus

Captiosus — Fri, 29 Jan 2010 19:36:35 +0000

the one i got came in a “package” with a whole slew of other viruses. After killing them off, the one in the atapi.sys file stayed behind.

How i got rid of the SOB:
1. burn a linux live CD (get Puppy linux if you are impatient, only about 400MB)
2. memorize the location of atapi.sys, you will need to know this
3. get a working copy of windows on another machine or hard drive, navigate to the same directory ON THAT SYSTEM where the clean atapi.sys file is located, and copy to a flash drive
4. reboot the infected computer with the liveCD in it, it should load the disk.
5. open 2 windows in linux, 1 to the directory where the infected file is, and another to the flash drive.
6. copy the clean file OFF THE FLASH DRIVE to the directory where the infected file is, and overwrite it. Alternatively, delete the infected file first before copying.
7. reboot, and make sure the liveCD is out before it starts loading.

thats what i did, and it worked like a charm.

By: TwoCats

TwoCats — Fri, 15 Jan 2010 02:46:17 +0000

Mine created a fake svchost.exe in win\temp every 5 minutes on the dot. There was extensive communication with a couple IP addresses registered to RIPE Network Coordination Centre. Some of the malware my (now ex-)AV software managed to catch were keyloggers.
If it weren’t for the stupid redirects I’m not so sure I would have even noticed this one. My ‘security’ software sure didn’t.

By: Martin

Martin — Thu, 14 Jan 2010 19:36:17 +0000

Does anyone have extensive information on what this rootkit actually does? Does it only redirect searches or does it have other malicious uses as well?

By: TwoCats

TwoCats — Wed, 13 Jan 2010 02:42:12 +0000

There are 2 instances of atapi.sys in Windows -> in system\drivers AND system32\dllcache. Both will be infected by this rootkit. If you don’t overwrite both it’ll keep coming back after every boot.

By: AndrewBrooklyn

AndrewBrooklyn — Tue, 05 Jan 2010 04:27:28 +0000

Wow! Great news — I’ll certainly be looking forward to it!

By: malwarekilla

malwarekilla — Tue, 05 Jan 2010 02:15:48 +0000

AndrewBrooklyn – I’m releasing a guide on this issue tomorrow morning (C.S.T)…it’ll be called something like “How To Remove and Clean Up the TDSS Malware Pack”…somthin like that. I would post it tonight but I’m actually removing those infections on client PC’s as week speak. Stay tuned.