It seems that I have the exact same issue as MarketMachine posted on Feb 17, 2010 and some other folks who have posted similar rootkit problems on other sites. I started with a Google search and found this site. I tried posting to MarketMachine's question to share the following information, but it was a violation of the rules (for that I apologize; I was not trying to solve his problem, just add the following from research I have done).
First of all, only AVG Free seems to be picking up this Trojan Horse Rootkit-Agent.EF. Malwarebytes and SuperAntiSpyware are not. Could this be a false positive, as atapi.sys is a system file and it still seems to have the 2004 date on it? From my research it seems that Malwarebytes started creating a false positive about this same rootkit back in Sept 2009, as shown in their forum. Some people initially directed Malwarebytes to disinfect the trojan in the atapi file and then their computer would no longer boot. Malwarebytes apologized for the problem and updated their database.
I tried telling AVG Free to take action, but it only allowed me to ignore, saying the file was white-listed (whatever they mean by that) and that it was a system file that shouldn't be touched. However, I am concerned and have not turned the computer off for a week and have lost my wireless connection. I am unable to connect to AVG on the "infected" computer to update my virus database (it may have been fixed) and so I don't know if this is a false positive or the real thing. AVG provides no support on AVG Free and so I don't believe they will help me. How do I find out if this is a false positive or a backdoor that can allow access to my computer?
EDIT: I just tried running gmer.exe from the desktop (renamed as check.exe) and it starts and then says this program must be closed, sorry for the inconvenience. (If I can't run this program, how do I check for a rootkit?)
Here is MarketMachine's post (this is exactly what has popped up on one of my main laptops running Win XP - BTW all of the reports I have seen are on XP???):
Hi all. I believe my computer is infected with Trojan Horse Rootkit-Agent.EF.
It first appeared in an AVG scan and looked like this:
(Infection) Trojan horse Rootkit-Agent.EF
(Result) Object is white-listed (critical/system file that should not be removed)
It continues to reappear on subsequent AVG scans and Resident Shield alerts.
Scans using Malwarebytes, SUPERAntiSpyware and ThreatFire (I didn't try this one!) are all negative for any infections.
Edited by yodah03, 19 February 2010 - 08:45 PM.