
Tdss infection of atapi.sys file



#1 Bodazephyr

Bodazephyr

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:37 AM

Posted 14 April 2010 - 04:16 PM

I consider myself a savvy computer user; I pride myself on defeating malware instead of a reinstall, so to begin with I won't reinstall this. I've come across a PC that has a new kind of TDSS infection. I've read a few topics on this certain infection that targets the windows/systems32/drivers/atapi.sys file with a new version of the TDSS rootkit. So far, on all the topics I've read, none have been successfully removed yet. So without further delay I'll start with what I have done to get rid of this infection. First off, Kaspersky recognizes this as "rootkit.win32.tdss.d"; Kaspersky of course can't get rid of it, so I download TDSSKiller. It finds the rootkit and says it is going to be deleted on restart, but it is still there on the next run. So I then tried to manually replace the atapi.sys file (using BartPE and also Mini XP, trying 3 different times to be sure I was really replacing the file) in the directory with a clean file from a Windows Home Edition disk. That also does not work, as upon boot the atapi.sys file is still infected, or should I say the new file is newly infected? I've also used a combination of other spyware removal programs like ComboFix and others. So let me know what to post to get this started.

Edited by Budapest, 14 April 2010 - 04:50 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP




#2 Bodazephyr

Bodazephyr
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:37 AM

Posted 16 April 2010 - 01:40 PM

I thought maybe I should post some logs of what I've done so far to help get the ball rolling.


10:03:15:671 3688 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
10:03:15:671 3688 ================================================================================
10:03:15:671 3688 SystemInfo:

10:03:15:671 3688 OS Version: 5.1.2600 ServicePack: 2.0
10:03:15:671 3688 Product type: Workstation
10:03:15:671 3688 ComputerName: YOUR-631F5B18CA
10:03:15:671 3688 UserName: Owner
10:03:15:671 3688 Windows directory: C:\WINDOWS
10:03:15:671 3688 Processor architecture: Intel x86
10:03:15:671 3688 Number of processors: 1
10:03:15:671 3688 Page size: 0x1000
10:03:15:671 3688 Boot type: Normal boot
10:03:15:671 3688 ================================================================================
10:03:15:671 3688 UnloadDriverW: NtUnloadDriver error 2
10:03:15:671 3688 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:03:16:234 3688 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:03:16:234 3688 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:03:16:234 3688 wfopen_ex: Trying to KLMD file open
10:03:16:234 3688 wfopen_ex: File opened ok (Flags 2)
10:03:16:265 3688 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:03:16:265 3688 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:03:16:265 3688 wfopen_ex: Trying to KLMD file open
10:03:16:265 3688 wfopen_ex: File opened ok (Flags 2)
10:03:16:265 3688 Initialize success
10:03:16:265 3688
10:03:16:265 3688 Scanning Services ...
10:03:17:468 3688 Raw services enum returned 345 services
10:03:17:500 3688
10:03:17:500 3688 Scanning Kernel memory ...
10:03:17:500 3688 Devices to scan: 3
10:03:17:500 3688
10:03:17:500 3688 Driver Name: Disk
10:03:17:500 3688 IRP_MJ_CREATE : F76D2C30
10:03:17:500 3688 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
10:03:17:500 3688 IRP_MJ_CLOSE : F76D2C30
10:03:17:500 3688 IRP_MJ_READ : F76CCD9B
10:03:17:500 3688 IRP_MJ_WRITE : F76CCD9B
10:03:17:500 3688 IRP_MJ_QUERY_INFORMATION : 804F3418
10:03:17:500 3688 IRP_MJ_SET_INFORMATION : 804F3418
10:03:17:500 3688 IRP_MJ_QUERY_EA : 804F3418
10:03:17:500 3688 IRP_MJ_SET_EA : 804F3418
10:03:17:500 3688 IRP_MJ_FLUSH_BUFFERS : F76CD366
10:03:17:500 3688 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
10:03:17:500 3688 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
10:03:17:500 3688 IRP_MJ_DIRECTORY_CONTROL : 804F3418
10:03:17:500 3688 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
10:03:17:500 3688 IRP_MJ_DEVICE_CONTROL : F76CD44D
10:03:17:500 3688 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76D0FC3
10:03:17:500 3688 IRP_MJ_SHUTDOWN : F76CD366
10:03:17:500 3688 IRP_MJ_LOCK_CONTROL : 804F3418
10:03:17:500 3688 IRP_MJ_CLEANUP : 804F3418
10:03:17:500 3688 IRP_MJ_CREATE_MAILSLOT : 804F3418
10:03:17:500 3688 IRP_MJ_QUERY_SECURITY : 804F3418
10:03:17:500 3688 IRP_MJ_SET_SECURITY : 804F3418
10:03:17:500 3688 IRP_MJ_POWER : F76CEEF3
10:03:17:500 3688 IRP_MJ_SYSTEM_CONTROL : F76D3A24
10:03:17:500 3688 IRP_MJ_DEVICE_CHANGE : 804F3418
10:03:17:500 3688 IRP_MJ_QUERY_QUOTA : 804F3418
10:03:17:500 3688 IRP_MJ_SET_QUOTA : 804F3418
10:03:17:578 3688 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:03:17:578 3688
10:03:17:578 3688 Driver Name: Disk
10:03:17:578 3688 IRP_MJ_CREATE : F76D2C30
10:03:17:578 3688 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
10:03:17:578 3688 IRP_MJ_CLOSE : F76D2C30
10:03:17:578 3688 IRP_MJ_READ : F76CCD9B
10:03:17:578 3688 IRP_MJ_WRITE : F76CCD9B
10:03:17:578 3688 IRP_MJ_QUERY_INFORMATION : 804F3418
10:03:17:578 3688 IRP_MJ_SET_INFORMATION : 804F3418
10:03:17:578 3688 IRP_MJ_QUERY_EA : 804F3418
10:03:17:578 3688 IRP_MJ_SET_EA : 804F3418
10:03:17:578 3688 IRP_MJ_FLUSH_BUFFERS : F76CD366
10:03:17:578 3688 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
10:03:17:578 3688 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
10:03:17:578 3688 IRP_MJ_DIRECTORY_CONTROL : 804F3418
10:03:17:578 3688 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
10:03:17:578 3688 IRP_MJ_DEVICE_CONTROL : F76CD44D
10:03:17:578 3688 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76D0FC3
10:03:17:578 3688 IRP_MJ_SHUTDOWN : F76CD366
10:03:17:578 3688 IRP_MJ_LOCK_CONTROL : 804F3418
10:03:17:578 3688 IRP_MJ_CLEANUP : 804F3418
10:03:17:578 3688 IRP_MJ_CREATE_MAILSLOT : 804F3418
10:03:17:578 3688 IRP_MJ_QUERY_SECURITY : 804F3418
10:03:17:578 3688 IRP_MJ_SET_SECURITY : 804F3418
10:03:17:578 3688 IRP_MJ_POWER : F76CEEF3
10:03:17:578 3688 IRP_MJ_SYSTEM_CONTROL : F76D3A24
10:03:17:578 3688 IRP_MJ_DEVICE_CHANGE : 804F3418
10:03:17:578 3688 IRP_MJ_QUERY_QUOTA : 804F3418
10:03:17:578 3688 IRP_MJ_SET_QUOTA : 804F3418
10:03:17:593 3688 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:03:17:593 3688
10:03:17:593 3688 Driver Name: atapi
10:03:17:593 3688 IRP_MJ_CREATE : 846E2AC8
10:03:17:593 3688 IRP_MJ_CREATE_NAMED_PIPE : 846E2AC8
10:03:17:593 3688 IRP_MJ_CLOSE : 846E2AC8
10:03:17:593 3688 IRP_MJ_READ : 846E2AC8
10:03:17:593 3688 IRP_MJ_WRITE : 846E2AC8
10:03:17:593 3688 IRP_MJ_QUERY_INFORMATION : 846E2AC8
10:03:17:593 3688 IRP_MJ_SET_INFORMATION : 846E2AC8
10:03:17:593 3688 IRP_MJ_QUERY_EA : 846E2AC8
10:03:17:593 3688 IRP_MJ_SET_EA : 846E2AC8
10:03:17:593 3688 IRP_MJ_FLUSH_BUFFERS : 846E2AC8
10:03:17:593 3688 IRP_MJ_QUERY_VOLUME_INFORMATION : 846E2AC8
10:03:17:593 3688 IRP_MJ_SET_VOLUME_INFORMATION : 846E2AC8
10:03:17:593 3688 IRP_MJ_DIRECTORY_CONTROL : 846E2AC8
10:03:17:593 3688 IRP_MJ_FILE_SYSTEM_CONTROL : 846E2AC8
10:03:17:593 3688 IRP_MJ_DEVICE_CONTROL : 846E2AC8
10:03:17:593 3688 IRP_MJ_INTERNAL_DEVICE_CONTROL : 846E2AC8
10:03:17:593 3688 IRP_MJ_SHUTDOWN : 846E2AC8
10:03:17:593 3688 IRP_MJ_LOCK_CONTROL : 846E2AC8
10:03:17:593 3688 IRP_MJ_CLEANUP : 846E2AC8
10:03:17:593 3688 IRP_MJ_CREATE_MAILSLOT : 846E2AC8
10:03:17:593 3688 IRP_MJ_QUERY_SECURITY : 846E2AC8
10:03:17:593 3688 IRP_MJ_SET_SECURITY : 846E2AC8
10:03:17:593 3688 IRP_MJ_POWER : 846E2AC8
10:03:17:593 3688 IRP_MJ_SYSTEM_CONTROL : 846E2AC8
10:03:17:593 3688 IRP_MJ_DEVICE_CHANGE : 846E2AC8
10:03:17:593 3688 IRP_MJ_QUERY_QUOTA : 846E2AC8
10:03:17:593 3688 IRP_MJ_SET_QUOTA : 846E2AC8
10:03:17:593 3688 Driver "atapi" infected by TDSS rootkit!
10:03:17:640 3688 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
10:03:17:640 3688 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
10:03:17:656 3688 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
10:03:17:656 3688 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
10:03:18:390 3688 vfvi6
10:03:18:562 3688 !dsvbh1
10:03:21:484 3688 dsvbh2
10:03:21:484 3688 fdfb2
10:03:21:484 3688 Backup copy found, using it..
10:03:21:531 3688 will be cured on next reboot
10:03:21:531 3688 Reboot required for cure complete..
10:03:21:890 3688 Cure on reboot scheduled successfully
10:03:21:890 3688
10:03:21:890 3688 Completed
10:03:21:890 3688
10:03:21:890 3688 Results:
10:03:21:890 3688 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
10:03:21:890 3688 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:03:21:890 3688 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:03:21:921 3688
10:03:21:921 3688 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:03:21:921 3688 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:03:21:921 3688 UnloadDriverW: NtUnloadDriver error 1
10:03:21:937 3688 KLMD(ARK) unloaded successfully

Edited by Bodazephyr, 16 April 2010 - 01:54 PM.
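What makes the atapi entry in the log above stand out is its dispatch table: disk.sys shows several distinct handler addresses (its own routines plus the shared address the unimplemented functions fall back to, 804F3418), while every one of atapi's 28 IRP_MJ entries resolves to the single address 846E2AC8. The following is an added example, not code from the thread or from Kaspersky's tool: it parses a constructed excerpt in the TDSSKiller log format (addresses taken from the log posted above) and flags any driver whose whole dispatch table has collapsed onto one handler, which is the pattern behind the "infected by TDSS rootkit" verdict.

```python
import re

# Constructed excerpt in the format of the TDSSKiller log posted above (handler
# addresses copied from that log; only a few of the 28 IRP_MJ entries are kept).
SAMPLE_LOG = """\
10:03:17:500 3688 Driver Name: Disk
10:03:17:500 3688 IRP_MJ_CREATE : F76D2C30
10:03:17:500 3688 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
10:03:17:500 3688 IRP_MJ_READ : F76CCD9B
10:03:17:500 3688 IRP_MJ_WRITE : F76CCD9B
10:03:17:500 3688 IRP_MJ_DEVICE_CONTROL : F76CD44D
10:03:17:593 3688 Driver Name: atapi
10:03:17:593 3688 IRP_MJ_CREATE : 846E2AC8
10:03:17:593 3688 IRP_MJ_CREATE_NAMED_PIPE : 846E2AC8
10:03:17:593 3688 IRP_MJ_READ : 846E2AC8
10:03:17:593 3688 IRP_MJ_WRITE : 846E2AC8
10:03:17:593 3688 IRP_MJ_DEVICE_CONTROL : 846E2AC8
"""

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")

def parse_dispatch_tables(text):
    """Map each 'Driver Name:' section to {IRP_MJ_name: handler address (int)}."""
    tables, current = {}, None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})  # repeated sections (two Disk objects) merge
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables

def collapsed_dispatch_drivers(tables, min_entries=3):
    """Return {driver: address} for drivers whose every listed major function
    points at one single handler. A legitimate driver shows several distinct
    addresses (its own routines plus a shared fallback for unimplemented
    functions); one address for everything is the hooked-table pattern.
    """
    hits = {}
    for driver, table in tables.items():
        addrs = set(table.values())
        if len(table) >= min_entries and len(addrs) == 1:
            hits[driver] = "%08X" % addrs.pop()
    return hits
```

Run against a full TDSSKiller log the same way; the `min_entries` floor keeps a driver with only one or two listed functions from being reported on a single coincidental address.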


#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,958 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:37 AM

Posted 22 April 2010 - 11:31 PM

Hello,

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



