Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Rootkit.Win32.TDSS.d (infected atapi.sys driver)

  • Please log in to reply
1 reply to this topic

#1 Malexos


  • Members
  • 1 posts
  • Local time:09:45 AM

Posted 07 April 2010 - 04:46 PM

I was infected last night. Kaspersky was desperately trying to delete some kind of program that started to run. (I Could see the program by pressing alt+tab, but I couldn't actually get to it.) Then Kaspersky started saying it was deleting trojans. This went on for about ten minutes before I could actually use the computer again.

I thought I was fixed, but then I was redirected while doing a google search. I've had a virus that did that before, so I ran a full system scan with KAV 2010, and within seconds an alert popped up, warning me that I was infected with Rootkit.Win32.TDSS.d, and that Kaspersky would have to do a "special procedure" and then reboot. I let Kaspersky do it's thing, but oddly, a window at the bottom right corner told me that I told kaspersky to leave it untreated (I suppose that was the Rootkit's doing).

Kaspersky rebooted my computer. I don't know if this is pertinent to the problem, but for some reason, I could not use my mouse or keyboard, and it took quite a few reboots to get them to work again. When the peripherals finally decided to work, I logged in and did another Kaspersky scan. In seconds, the same alert popped up from before. I attributed this to my forgetting to disable System Restore. So I did that, then let Kaspersky do it's "special procedure" again. The computer rebooted, and the peripherals worked this time, but the Rootkit was still there.

I looked on one of the threads on Kaspersky, and it said to use TDSSKiller (A program by Kaspersky Labs). I used it last night, and it told me there were about 18 things wrong. TDSSKiller rebooted the computer, and I ran Kaspersky's scan again. The rootkit still remained.

I got frustrated at that point and went to bed. Today, I actually have a screenshot from running TDSSKiller again this morning. This time it says there's only one thing wrong... (See attached)

Some other things you should know:

1. This morning I tried to disinfect my computer by running a Kaspersky scan in Safe Mode, but the mouse and keyboard ceased to function. This only happens in Safe Boot.

2. After figuring out that my atapi.sys file has been infected, I scanned it with both Kaspersky and MalwareBytes. They both said nothing's wrong with it.

3. After being on the internet for a few minutes, Kaspersky alerts me that it denied C://WINDOWS/system32/SVCHOST.exe access to a trojan at [lenina .com / 102.exe]. This happens every few minutes.

4. I'm running the GMER program right now but it's taking a long time. I'll post it whenever it's done, but the virus makes Internet Explorer crash for no reason sometimes so I want to get this post up as soon as possible.

Attached Files

Edited by Orange Blossom, 07 April 2010 - 05:07 PM.
Move to AII as no logs posted. ~ OB

BC AdBot (Login to Remove)


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:04:45 PM

Posted 08 April 2010 - 05:34 AM


With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro

If I haven't replied in 48 hours, please feel free to send me a PM.

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users