Can't remove TDSS, infected atapi.sys, TDSS removal tools do not work

First of all, I use Windows XP Professional with SP3 and I have all updates installed, which have been released until 1,5 weeks ago.

A few days ago, my antivirus software (Norton Internet Security 2010, latest updates) suddenly showed me several messages concerning malicious files, programs which were started automatically and attacking computers, mainly from asian IPs. After that, I got ad popups when using Google in any browser. I am sure, I did not do anything with my PC in exactly that moment of the virus detection. But I had several programs started.

I used Google and found the TDSSKiller application from Kaspersky, which seemed to be exactly for my situation. I ran the tool, it found a rootkit in atapi.sys and it wanted to do a reboot. After the reboot, I ran the tool again. Same message, rootkit in atapi.sys. Another reboot, same thing.

I booted with BartPE and replaced the atapi.sys with a clean one from my notebook (I replaced 4 files in several folders). After a reboot, I got a bluescreen with the error code for "inccessible boot device". After a lot of research I used a remote registry tool within BartPE and found out, that in the atapi section of "CurrentControlSet" a file called "tmp36.sys" was called. I replaced the entry with atapi.sys and rebooted - no bluescreen this time.

I ran TDSSKiller again, this time only one reboot, but it still did not work. Than I ran "Norman TDSS Cleaner", which also found a rootkit. I tried several reboots with this tool, but it always found the same things and did not remove them.

I booted again with BartPE and again replaced atapi.sys with a clean version, this time also the cdrom.sys and redbook.sys, because I have read, that these files can also be infected. After a reboot I had the same situation. TDSSKiller and the Norman tool find the rootkit, but cannot remove it. Norton Internet Security and the Microsoft Malicious Software Removal Tool do not find anything.

What can I do? I'm working on this problem since Wednesday.

Edited by King555, 17 April 2010 - 01:02 PM.

I have the same problem, I've had a thread started about this problem since the 14th but no reply yet, BUT I have been following someone else's thread that is in the process in removing this malware/virus the thread for that is http://www.bleepingcomputer.com/forums/topic308106-15.html. hopefully soon there will be an easy answer to this terrible rootkit.

Currently I'm running the Dr. Web Live CD, which runs for more than 9 hours now. This is the only possible solution I found. I made a scan with GMER and I have a logfile, so if anyone can help me by viewing that log...

Edit: After 10 hours of scanning, Dr. Web finished. It found several suspicious files, but did not show the names of the files. It renamed 3 files and deleted / cured nothing. But these 3 are not all files, Dr. Web found.

Edited by King555, 18 April 2010 - 05:00 AM.

this link has a list of anti rootkit tools, has anyone tried them yet on this?

http://news.bbc.co.uk/1/hi/technology/8624560.stm

I didn't try any of these. And I don't think, that the tools listed on that site are able to remove THIS rootkit.

Hi, i yesterday night created a exactly the same problem and succeed to find out more about it.
With this information under here, some moderator or experienced person maybe could help us all fix this terribly rootkit/trojan downloader


Also Known As: W32/Renos.gen!C [F-Secure], Trojan.Pidief.A' [Symantec], EXPL_Pidief.B' [Trend Micro].
Type: Rootkit/Trojan Downloader
Systems Affected: Windows XP and Internet Explorer 7

W32/generic.3314168 is a backdoor which uses an exploit in Adobe's popular PDF-viewing software "Adobe Reader" and editing suite "Acrobat",
Using round robin DNS, resolving to five unique IP address that revolve on each lookup, the infected system
attempts to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

The trojan file called "iexplorer.exe" is downloaded and run. The site displays a simple page that says the server is "Temporarily busy" and suggests that the user shut down any
"firewall" and antivirus software. It also modifies the computer's hosts-file (svchost.exe) with the downloaded fake every 2 minute, in such a way that accessing websites of many antivirus vendors is blocked.
Then changes Internet Explorer's Home page, default search engine, and enables browser extensions.
The trojan also changes the Internet security zone settings to enable ActiveX controls.

When having 1 copy of Internet Explorer running, there schould actually be 2 processes "iexplorer.exe" in taskmanager.

When the trojan is running it presents a window every five minutes.
The security issue it warns of is just a hoax(I think), and are only giving you the option "Ok" then exiting.


One site from which users got infected from are "www.pdfsource.com"
Files created/replaced during process:

C:\Windows\Temp\"xxx".tmp/svchost.exe
iexplorer.exe (the fake process, which are trojan that downloading infected svchost.exe temp file every 4 minute)
IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll

Replacing "windows\system32\drivers\ftdisk.sys"
with infected file "windows\system32\drivers\fTdisk.sys"

Sometimes also infecting "atapi.sys" file located in
"windows\system32\"
And adding the infected ".sys" file into
"windows\system32\dllcache\"

I didn't use Adobe Acrobat or Adobe Reader at the time, the virus was detected. And according to several scanning tools I ran, the name of the virus is something with TDSS in it. So I don't think, we are talking about the same virus here. And I don't use Internet Explorer (only Firefox, latest version). I have IE 8 installed, but I don't use it as a browser, only some programs like ICQ use it's engine (I think).

Edited by King555, 18 April 2010 - 06:48 AM.

Actually i think it's the same variant! :/
The computer first got

Trojan.Gen.3314168

Then it keeps telling:
Trojan.Downloader
W32\Renos.gen!C

And finally
Rootkit.Patched.TDSS.Gen

system32\drivers\ftdisk.sys

Anyone that could help us all?

I was able to remove the virus!

I do not know exactly, what killed the virus, here is what I did:

- Ran a virus scan with the Dr. Web Live CD
- Booted the system with BartPE (Windows Live CD) and replaced atapi.sys, mouclass.sys and ftdisk.sys with clean versions
- Ran ComboFix under Windows

I scanned the system with the latest version of Norton 360, Kaspersky TDSSKiller, Norman TDSS Cleaner, Spybot Search&Destroy, GMER and Combofix again and no threats were found.

Thanks for the hint with "ftdisk.sys", I think, this was the final solution to me.

Edited by King555, 19 April 2010 - 12:01 PM.

Hmm when you did replace your mouclass.sys how did you do?
Cause i can't find any copy of that system file in my Windows XP cd-rom

Every time ive tried replace my ftdisk.sys i came up with a Blue screen

It is important, that you replace all infected files at once. Because if you boot up the system and any infected file ist still active, all other files are infected again immediately.

I found the mouclass.sys on my XP-Notebook. But maybe you do not need this file. Do you have this file on your harddisk (an infected version)?

Maybe you need to edit your registry and set the entry for the ftdisk.sys to the correct value. See my first post:

After a lot of research I used a remote registry tool within BartPE and found out, that in the atapi section of "CurrentControlSet" a file called "tmp36.sys" was called. I replaced the entry with atapi.sys and rebooted - no bluescreen this time.

Edited by King555, 21 April 2010 - 11:45 AM.

Hello all. I had the same virus, (on my WinXP, IE Explorer)and was able to remove it succesfully yesterday. It was redirecting all my Google search page links to advertising sites, and also, my Google Chrome browser would stall and never finish loading. As with some of you, I ran TDSSKiller and it did indeed find the infected file, atapi.sys -- but when it tried to delete it on rebbot, it failed every time, because of the way the infection works. So then I ran Combofix, and that did the trick! It removed the infected file, atapi.sys, and also removed a second infected file, ftdisk.sys. When Combofix finished, all was well, and my system is clean now. I ran TDSSKiller for confirmation, and it says I'm clean as well. So no more Google redirect blues for me, and Google Chrome loads fine again as well. The key it seems is to let Combofix replace both atapi.sys and ftdisk for you, rather than trying to do that yourself. It was quick and easy with Combofix -- less than 30 minutes, and it did a great job! Hope this helps.

It is looking to me as though everyone has seemed to have solved the issues they were having. This is a nice thing to let us know of this. If you would like to find out for sure you have removed the TDSS or tdl3 infection feel free to follow the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help beginning with step 6 and post the requested logfiles in a NEW TOPIC OF YOUR OWN here in the Virus, Trojan, Spyware, and Malware Removal Logs

I would like to add in an aside here that we do not recommend any user to run ComboFix unsupervised. Especially if one is not a qualified team member, nor do we do so outside of the Malware removal logs forum. ComboFix is a very powerful tool and can cause serious issues if not used correctly. Please refer to this topic here in regards to ComboFix use.
http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

This topic will now be closed. If there is need to still resolved any issues here please begin a new topic and include a link to this topic.