Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Another Trojan Horse Rootkit-Agent.EF ?

  • Please log in to reply
1 reply to this topic

#1 Joah_from_Alberta


  • Members
  • 1 posts
  • Local time:09:22 PM

Posted 21 February 2010 - 02:40 PM

I am also getting this after I allowed my friend to use my computer last week. A time stamp indicated that he was visiting porn sites at 3am. The next morning, AVG free is giving me an alert that file C:WINDOWS\system32\driver\atapi.sys is infected with Trojan horse Rootkit-Agent.EF Result Object is white-listed (critical/system file that should not be removed)

I believe atapi.sys is a port controller used for IDE. Perhaps now the virus instructs the driver to open the port for malicious uses (i'm not sure).

The point is, this driver is crucial for XP to operate as it is hard wired into the OS.

To remove the virus, you can't just rewrite the file as windows will not allow it. You need to do this in DOS (outside of windows gui). Also, apparently there are several different versions of this file each pertaining to their own OS variant (service packs etc).

The fact that AVG is not supporting their product regardless of if it's free or not is unacceptable. Their product is published free as a means to boost their product sales through promotion of their name on the internet. The very fact that they are doing this creates a liability that holds them accountable.

My guess is that this virus is critical because removal of it requires extreme measures of replacement of a "critical/system file" in Windows. This implicates AVG and Microsoft.

My concern is that if this is the case, why did AVG free allow this critical system file to be infected in the first? We are trusting these individuals with anti-virus software that should protect our computers, and if their products (promotional regardless) is incapable of doing what it says it should: then the publishers need to make this clear to us and work with us at the same level of trust that we have given them.

If they are unwilling to support their product, then we need to go to a different support level. I am unaware of who I could speak with about this serious problem. I live in Alberta, Canada. If I have a concern at a federal level, I can speak to my MP (Member of Parliament). Is there an organization that is responsible for security/business on the internet? These are the people that we need to make aware of this problem. These are the people that will help us.

If someone can help me with who I can speak to about this problem, then I will write a letter of concern to them.

Split from here: http://www.bleepingcomputer.com/forums/t/296945/another-trojan-horse-rootkit-agentef/ ~ OB

Edited by Orange Blossom, 21 February 2010 - 03:38 PM.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:11:22 PM

Posted 21 February 2010 - 05:10 PM

Some rootkits willl attach to the atapi file.. let's get another look.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users