Rootkit-Agent.EF detected - how remove safely?

  The Belarussian Mafia 20:13 10 Feb 2010

A routine AVG antivirus scan has picked up the following:


"File:

c:\Windows\System32\drivers\atapi.sys

Infection:

Trojan horse Rootkit-Agent.EF

Result:

Object is white-listed (critical/system file that should not be removed)"

NB: Owing to the last part of the message I am reluctant to push 'Remove'!


Note: Just now (about 10 mins after the scan finished,) AVG produced a warning message in a separate window:

"Accessed file is infected

File name (as above)

Threat name (as above)

[ ] (i.e. a 'tick box' option) Remove threat as a power user"


The latter is tempting - but sounds risky if this is indeed a critical system file.

Any help/advice greatly appreciated. Many thanks!

  VoG II 20:17 10 Feb 2010

Possibly a false positive: click here

  The Belarussian Mafia 21:21 10 Feb 2010

Thanks for that! Perhaps it's not as serious as I feared.

I installed & ran that free checker. It said it found 880 problems. Then it offered to fix them if I bought the programme (otherwise it would fix just 15 of them!)

I let it fix 15, then decided to run my own checker, System Mechanic 6, which generally finds a lot of errors & fixes them.

It found & cleaned 289 junk files & 40 'privacy violations'. Next it found & fixed 2 'invalid dynamic link libraries' and 2 licensed software keys with problems. Finally it found something it normally doesn't: 'Invalid folder & filename references' (155). It fixed 152 & said it couldn't fix the other 3.

So there you have it. I'm still not sure whether to delete the file that was originally highlighted.

Finally I've started the AVG scan again to see if the trojan is still being flagged.

  MAT ALAN 21:46 10 Feb 2010

click here

might help...

  The Belarussian Mafia 23:08 10 Feb 2010

Thanks Mat. (Sorry I've been away from the computer for a while.)

I ran the test. It took 45 mins & found 142 'hidden objects' relating to programs, zone alarm & service packs, etc. (It's not possible to copy/paste the list.) No breakdown or further identification was provided in the results.

The question remains should I delete the suspect file or leave it & assume it's a false positive?!
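An added example, not part of this thread, of the check that decides between "false positive" and "remove": ask Windows whether the flagged driver still carries a valid Microsoft Authenticode signature and whether its hash matches the protected copies Windows keeps. It assumes a current PowerShell (Get-AuthenticodeSignature and Get-FileHash, PowerShell 4 or later) and that spare copies live under C:\Windows\WinSxS, which is an assumption about the layout rather than a fixed path.

```powershell
# Added example (not the thread's own advice): is atapi.sys still the file
# Microsoft shipped? Run from an elevated PowerShell prompt.
$driver = 'C:\Windows\System32\drivers\atapi.sys'

# 1. Authenticode check. A genuine Microsoft driver reports Status 'Valid'
#    with a Microsoft signer. 'NotSigned' or 'HashMismatch' means the bytes
#    on disk are no longer what the signer signed.
$sig = Get-AuthenticodeSignature -FilePath $driver
'{0}: {1}' -f $driver, $sig.Status
if ($sig.SignerCertificate) { 'Signer: ' + $sig.SignerCertificate.Subject }

# 2. Hash comparison against the copies Windows keeps in the component
#    store. The WinSxS location is an assumption about the install layout.
$onDisk = (Get-FileHash -Path $driver -Algorithm SHA256).Hash
"On-disk SHA256: $onDisk"
Get-ChildItem -Path 'C:\Windows\WinSxS' -Recurse -Filter 'atapi.sys' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $verdict = if ($h -eq $onDisk) { 'MATCH' } else { 'DIFFERS' }
        '{0}  {1}  {2}' -f $verdict, $h, $_.FullName
    }

# 3. Let Windows Resource Protection give its own verdict on the one file.
sfc /verifyfile=$driver
```

A kernel-mode rootkit that has infected a disk driver can serve the clean file to user-mode readers on the running system, so a "Valid"/"MATCH" result is only conclusive if it is repeated from an offline boot (Windows recovery environment or a rescue disc); a "HashMismatch"/"DIFFERS" result from the live system is already enough to stop treating the detection as a false positive.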
