ati1vdxx.sys


Here's my log:

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati1vdxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati1vdxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati1vdxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati1vdxx (Rootkit.Agent) -> Delete on reboot.

Files Infected:

C:\WINDOWS\system32\drivers\ati1vdxx.sys (Rootkit.Agent) -> Delete on reboot.

This will not delete during reboot. Even if I manually try and delete it in the registry file, it gives me an error.

Also, I can't seem to get rid of the svchost.exe application error message: The instruction at "0x00401000" referenced memory at "0x00401000". The memory could not be "written". Click OK to terminate the program, click CANCEL to debug the program.

Another one is the RUNDLL error message: Error loading sxmg4.dll. The specified module could not be found. I'm guessing in this case Malwarebytes deleted the registry entry, but it still tries to boot it up at startup and is unable to locate it in the registry file. How do you stop it from booting up?

Any help is most appreciated!

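A small parser for the log format quoted in this post, added here as an illustration (it is not part of the original thread and not Malwarebytes' own tooling). It turns the detection lines into records, lists the artifacts marked "Delete on reboot" (the set a responder has to re-check after restarting, since the poster reports the ati1vdxx entries surviving the reboot) and pulls the service names out of the `...\Services\<name>` keys. The embedded sample is constructed: it contains the lines from the post plus one made-up "Quarantined and deleted successfully" entry so the two action types can be told apart.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: detection lines quoted in the post above, plus one
# made-up "Quarantined and deleted successfully" entry (not from the post).
SAMPLE_LOG = r"""
Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati1vdxx (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati1vdxx (Rootkit.Agent) -> Delete on reboot.

Files Infected:

C:\WINDOWS\system32\drivers\ati1vdxx.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\user\Local Settings\Temp\example.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" / "Files Infected:" section headers.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Infected:$")
# "<path> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Trailing service name of a ...\Services\<name> registry path.
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)


@dataclass
class Detection:
    section: str   # e.g. "Registry Keys" or "Files"
    path: str      # registry key or file path
    name: str      # detection name, e.g. "Rootkit.Agent"
    action: str    # what the scanner did or scheduled, without trailing "."

    @property
    def pending_reboot(self) -> bool:
        """True when removal was deferred to the next reboot."""
        return self.action.lower().startswith("delete on reboot")


def parse_mbam_log(text: str) -> list[Detection]:
    """Parse the 'X Infected:' sections of a scan log into Detection records."""
    section = None
    found: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        ent = ENTRY_RE.match(line)
        if ent and section:
            found.append(Detection(section, ent.group("path"),
                                   ent.group("name"), ent.group("action")))
    return found


def pending_after_reboot(detections: list[Detection]) -> list[Detection]:
    """Artifacts whose removal was deferred; re-check these after restarting."""
    return [d for d in detections if d.pending_reboot]


def recheck_report(detections: list[Detection]) -> dict[str, list[str]]:
    """Deferred artifacts grouped by section, as a post-reboot checklist."""
    report: dict[str, list[str]] = defaultdict(list)
    for d in pending_after_reboot(detections):
        report[d.section].append(d.path)
    return dict(report)


def service_names(detections: list[Detection]) -> list[str]:
    """Distinct service names referenced by ...\\Services\\<name> keys."""
    names = {m.group(1).lower()
             for d in detections
             if (m := SERVICE_RE.search(d.path))}
    return sorted(names)


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for section, paths in recheck_report(dets).items():
        print(f"{section}: {len(paths)} item(s) still pending after reboot")
        for p in paths:
            print("   ", p)
    print("services named in the log:", service_names(dets))
```

Running it against the sample prints the two registry keys and the driver file as still pending, and reports `ati1vdxx` as the only service name; the constructed Temp entry is excluded because its action was already completed. On a real log the same pending list is what you would compare against the next scan's output to see whether the deferred deletions actually happened.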

  • Staff

No reason to sugarcoat this one: you have a very serious infection, one that will even survive a format and reinstall.

There is another rootkit and a master boot record rootkit as well, on top of a modified svchost that is hidden from the API; instead the API sees the unmodified version, which allows the patched file to bypass SFC.

The fix is very hard and can be close to impossible if you do not have an install disk to get a clean svchost from (this also won't work if you installed a service pack, because your old svchost might not work with the updated files).

To fix this while starting from scratch, first you need to run fixmbr (to kill the MBR rooter) from the recovery console and then do a fresh format and reinstall. A format alone will not touch the MBR or this infection.

To actually fix this there are two ways. The easy but very long way involves these steps:

1. Install Windows into a second Windows folder.

2. Kill the rooters in drivers and user temp.

3. Replace svchost.

4. Boot into the recovery console and run fixmbr.

5. Boot into the now-fixed install and remove the temp install.

The quick but much harder way involves using anti-rooter tools to get the file names of all the rooters, kill them, force-replace svchost, reboot into the recovery console to run fixmbr, and then reboot.

I have been playing with this infection for a week now, and even with great tools and 7 years of experience it has been a big problem to remove in a single pass without either a boot disk or an alternate OS install, but it can be done.

Let us know which way you want to go with this.


  • Root Admin

You can FDISK the drive and that will remove the partition and the MBR and create it new from scratch.

That is the easiest and fastest way to get back to a trusted clean system in my opinion.

Just save your current data, download all needed drivers and burn them to CD first, and then proceed with a reinstall of Windows.
