I’m just finishing cleaning up a Windows XP laptop that had a nasty rootkit on it, so I thought I’d share the info on how I fixed it. The laptop was infected with a rogue AV called Personal Security. That was easy enough to identify and remove using Malwarebytes and an Avast boot scan.
So I thought I was good until I couldn’t use Internet Explorer to access the Microsoft Update page and noticed that all search results would redirect to random pages. Now I knew I had a more serious problem. I figured the hosts file was corrupted, which it was, so I deleted that.
I still couldn’t access the Update page though, so I started searching for solutions, and here’s what I came up with:
This post on a Windows forum discussing Internet Explorer,
with a link to this post on SurfRight: TDL3 rootkit still large issue for anti virus programs
Hitman Pro identified the rootkit (atapi.sys) and failed to remove it on the first reboot, so I tried it again, and for whatever reason it removed it on the second scan and reboot.
I also found this post on the bleepingcomputer.com forum which discusses an alternative method for fixing this browser redirect issue.
If you haven’t encountered this rootkit yet, I hope you don’t, and I hope this info helps you if you do.
The laptop will be returned to its owner with WinPatrol 2010 installed to help protect the hosts file from future corruption.
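As an added example (not part of the original post, and not WinPatrol's or Hitman Pro's code), here is a small Python audit of a Windows hosts file that catches the two things a hijacked hosts file does in this kind of infection: mapping update or search sites to a foreign address (redirect) or pinning them to loopback so they can never be reached (block). The hosts content and the list of watched domains are constructed for illustration; the real file lives at `%SystemRoot%\System32\drivers\etc\hosts`.

```python
"""Audit a Windows hosts file for entries that redirect or block update/AV sites.

Added example, not from the original post. SAMPLE_HOSTS is constructed for
illustration; WATCHED is an assumed list of domains worth checking, not a
list taken from the post or from any product.
"""
import ipaddress
import os

# Assumed list of domains whose hosts entries deserve a second look.
WATCHED = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.google.com",
}

# Constructed sample: a clean header plus three hijacked entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed entries below
127.0.0.1       update.microsoft.com
127.0.0.1       windowsupdate.microsoft.com
203.0.113.5     www.google.com
::1             localhost
"""

LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) tuples, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop inline/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, ignore
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text, watched=WATCHED):
    """Flag entries that redirect a host elsewhere or block a watched host.

    Returns (line_number, hostname, address, kind) with kind in
    {"redirect", "blocked"}. A clean Windows hosts file only maps localhost
    to loopback, so any non-loopback mapping is reported as a redirect.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LEGIT_LOOPBACK_NAMES:
            continue
        if not addr.is_loopback:
            findings.append((lineno, name, str(addr), "redirect"))
        elif name in watched:
            findings.append((lineno, name, str(addr), "blocked"))
    return findings


def audit_windows_hosts_file():
    """Audit the live hosts file on a Windows machine (path from SystemRoot)."""
    path = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for lineno, name, addr, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({kind})")
```

The "any non-loopback entry is a redirect" rule is deliberately strict: an admin who added a legitimate static mapping will see it flagged too, which is the right default when triaging a machine that is already showing search redirects.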
