Author Topic: ZwDeleteAtom[99] Need a good soul to help  (Read 6595 times)


May 23, 2016, 07:00:57 PM

michal36


Hello
My name is Michal and I’m a data administrator, London UK.
I have a problem with the scan results using RogueKiller: it shows this hook and directs me to the website that says only "check on the internet whether your machine is infected or not".
Problem is that at work I deal with a lot of sensitive data and I need to know for sure.
My request is can someone please help me identify if this is a virus or just as suggested it is one of the actual genuine software's doings?
Based on this thread ( http://www.bleepingcomputer.com/forums/t/601924/rootkit-ssdtinl-zwdeleteatom/ ) I could assume that it is only a false positive, but I can’t be sure as to whether my case is exactly the same. I would supply the logs requested there but I don’t want to use those tools without someone telling me to do so.
There is so little on the internet about this issue that I have no way to find out for myself even by comparison. I understand that I could simply format everything but it is the data leaks that I’m worrying about, and also, maybe it's possible to remove the virus?
This is what I know:
Malwarebytes AntiRootkit didn’t find anything
Microsoft Security Essentials found nothing
Also I would like to ask if someone could advise me as to what software specialises in stopping the rootkits from being installed or even better is there a software that would let me know each time an IRP Hook is trying to be established?
Please get back to me and thanks to anyone who would show the interest in assisting me with this issue.
Kind Regards
   

Reply #1 May 23, 2016, 07:19:08 PM

Curson

  • Global Moderator
Hi Michal,

Welcome to Adlice.com Forum.
This IRP hook is indeed a false positive. We will whitelist it as soon as possible.
Quote from: Michal
Also I would like to ask if someone could advise me as to what software specialises in stopping the rootkits from being installed or even better is there a software that would let me know each time an IRP Hook is trying to be established?
What you describe is a Host Intrusion Prevention System (HIPS) software.
For more information, I advise you to read the following article: What is Host Intrusion Prevention System (HIPS) and how does it work?

By the way, your version of RogueKiller is outdated. Latest version is 12.3.0.
Note: This thread has been moved to the "RogueKiller" section for clarity.

Regards.

Reply #2 May 24, 2016, 01:24:56 AM

michal36

Thank you very much indeed, I think what you are spending your time on is truly magnificent.
For people like me there is no one else when a problem arises.
Best Regards and Thank You Again :)

Reply #3 May 24, 2016, 01:45:59 AM

Curson

Hi michal,

You are very welcome.
Thanks for the kind words. :)

Regards.