Rootkit Infection - Atapi.sys

  Legslip 12:47 26 Apr 12

My pals PC is suffering as a result of this infection. AVG detects but will not rectify.

Is one way of sorting it to connect my pals HD to my PC so that I can see all the files including Windows (XP) and deleting the file from the SYS32/Drivers folder? I can then copy the good file (same version) to his HD.

Will this sort it?

  xania 12:58 26 Apr 12

Why don't you simply copy your ATAPI.SYS on to a memory stick and then use it to overwrite his hard drive. Far safer than attaching an infrected HHD to a clean PC.

  birdface 12:59 26 Apr 12

Looks like HitmanPro can remove it give that a try.

  Legslip 13:33 26 Apr 12

Hi Xania. If you boot through Windows XP on the infected machine and try to delete the file, it automatically duplicates itself (infected). That's why I thought about looking at the drive through another machine.

Thanks Buteman. Will have a look at Hitman!

  xania 13:44 26 Apr 12

What about booting into Safe mode?

Certainly I would avoid attaching and infected drive to another PC

  Legslip 13:46 26 Apr 12

Xania. Would have thought Windows would react the same (create a duplicate) but its worth a try. Will report back when done.

  T0SH 14:04 26 Apr 12

atapi.sys is a protected microsoft windows system file (which can be located in anything up to 12 different places in the file system) so you will not be able delete or replace it from within the windows operating system, if you are certain that this is not a false positive rootkit detection by AVG, you could replace it with a known good copy from another PC by booting to a linux live or barts PE CD and overwriting the existing file with the known good copy

Cheers HC

  Legslip 14:33 26 Apr 12

Thanks Tosh. It is a positive threat. It affects the search engines and tries to drive any search toward sites that are not wanted.

  xania 14:52 26 Apr 12

Found some other information that might be of use:

You might find even more if you type into your favourite search engine.

  Ashrich 23:23 26 Apr 12

TDSS Killer will do the trick .


  Legslip 16:03 28 Apr 12

Ashrich. Looks like TDSS is an infection in itself. I Googled it!

This thread is now locked and can not be replied to.

Intel Coffee Lake 8th-gen Core processors release date rumours

1995-2015: How technology has changed the world in 20 years

Framestore’s haunting post-WWII title sequence for new BBC series SS-GB

Best iPhone games 2017 | Best iPad games 2017: 162 fantastic iOS games that you need to play right…