
Can't remove TDSS, infected atapi.sys, TDSS removal tools do not work


  • This topic is locked
12 replies to this topic

#1 King555


Posted 17 April 2010 - 01:01 PM

First of all, I use Windows XP Professional with SP3 and I have all updates installed that had been released up to 1.5 weeks ago.

A few days ago, my antivirus software (Norton Internet Security 2010, latest updates) suddenly showed me several messages concerning malicious files, programs which were started automatically and attacking computers, mainly from Asian IPs. After that, I got ad popups when using Google in any browser. I am sure I did not do anything with my PC at exactly that moment of the virus detection. But I had several programs started.

I used Google and found the TDSSKiller application from Kaspersky, which seemed to be exactly for my situation. I ran the tool, it found a rootkit in atapi.sys and it wanted to do a reboot. After the reboot, I ran the tool again. Same message, rootkit in atapi.sys. Another reboot, same thing.

I booted with BartPE and replaced the atapi.sys with a clean one from my notebook (I replaced 4 files in several folders). After a reboot, I got a bluescreen with the error code for "inaccessible boot device". After a lot of research I used a remote registry tool within BartPE and found out that in the atapi section of "CurrentControlSet" a file called "tmp36.sys" was called. I replaced the entry with atapi.sys and rebooted - no bluescreen this time.

I ran TDSSKiller again, this time only one reboot, but it still did not work. Then I ran "Norman TDSS Cleaner", which also found a rootkit. I tried several reboots with this tool, but it always found the same things and did not remove them.

I booted again with BartPE and again replaced atapi.sys with a clean version, this time also the cdrom.sys and redbook.sys, because I have read that these files can also be infected. After a reboot I had the same situation. TDSSKiller and the Norman tool find the rootkit, but cannot remove it. Norton Internet Security and the Microsoft Malicious Software Removal Tool do not find anything.

What can I do? I've been working on this problem since Wednesday.

Edited by King555, 17 April 2010 - 01:02 PM.



#2 Bodazephyr


Posted 17 April 2010 - 03:27 PM

I have the same problem. I've had a thread started about this problem since the 14th but no reply yet, BUT I have been following someone else's thread that is in the process of removing this malware/virus; the thread for that is http://www.bleepingcomputer.com/forums/topic308106-15.html. Hopefully soon there will be an easy answer to this terrible rootkit.

#3 King555

  • Topic Starter

Posted 18 April 2010 - 03:14 AM

Currently I'm running the Dr. Web Live CD, which has been running for more than 9 hours now. This is the only possible solution I found. I made a scan with GMER and I have a logfile, so if anyone can help me by viewing that log...

Edit: After 10 hours of scanning, Dr. Web finished. It found several suspicious files, but did not show the names of the files. It renamed 3 files and deleted / cured nothing. But these 3 are not all the files Dr. Web found.

Edited by King555, 18 April 2010 - 05:00 AM.


#4 jonm01


Posted 18 April 2010 - 05:16 AM

This link has a list of anti-rootkit tools; has anyone tried them yet on this?

http://news.bbc.co.uk/1/hi/technology/8624560.stm

#5 King555

  • Topic Starter

Posted 18 April 2010 - 05:21 AM

I didn't try any of these. And I don't think that the tools listed on that site are able to remove THIS rootkit.

#6 Pajajn


Posted 18 April 2010 - 06:21 AM

Hi, yesterday night I created exactly the same problem and succeeded in finding out more about it.
With the information below, some moderator or experienced person maybe could help us all fix this terrible rootkit/trojan downloader.


Also Known As: W32/Renos.gen!C [F-Secure], Trojan.Pidief.A' [Symantec], EXPL_Pidief.B' [Trend Micro].
Type: Rootkit/Trojan Downloader
Systems Affected: Windows XP and Internet Explorer 7

W32/generic.3314168 is a backdoor which uses an exploit in Adobe's popular PDF-viewing software "Adobe Reader" and editing suite "Acrobat".
Using round-robin DNS, resolving to five unique IP addresses that revolve on each lookup, the infected system
attempts to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

The trojan file called "iexplorer.exe" is downloaded and run. The site displays a simple page that says the server is "Temporarily busy" and suggests that the user shut down any
"firewall" and antivirus software. It also modifies the computer's hosts-file (svchost.exe) with the downloaded fake every 2 minutes, in such a way that accessing websites of many antivirus vendors is blocked.
Then it changes Internet Explorer's Home page and default search engine, and enables browser extensions.
The trojan also changes the Internet security zone settings to enable ActiveX controls.

When having 1 copy of Internet Explorer running, there should actually be 2 processes "iexplorer.exe" in taskmanager.

When the trojan is running it presents a window every five minutes.
The security issue it warns of is just a hoax (I think), and it only gives you the option "Ok" and then exits.


One site from which users got infected is "www.pdfsource.com"
Files created/replaced during process:

C:\Windows\Temp\"xxx".tmp/svchost.exe
iexplorer.exe (the fake process, which is a trojan that downloads an infected svchost.exe temp file every 4 minutes)
IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll

Replacing "windows\system32\drivers\ftdisk.sys"
with infected file "windows\system32\drivers\fTdisk.sys"

Sometimes also infecting "atapi.sys" file located in
"windows\system32\"
And adding the infected ".sys" file into
"windows\system32\dllcache\"

#7 King555

  • Topic Starter

Posted 18 April 2010 - 06:47 AM

I didn't use Adobe Acrobat or Adobe Reader at the time the virus was detected. And according to several scanning tools I ran, the name of the virus is something with TDSS in it. So I don't think we are talking about the same virus here. And I don't use Internet Explorer (only Firefox, latest version). I have IE 8 installed, but I don't use it as a browser, only some programs like ICQ use its engine (I think).

Edited by King555, 18 April 2010 - 06:48 AM.


#8 Pajajn


Posted 18 April 2010 - 06:53 AM

Actually I think it's the same variant! :/
The computer first got

Trojan.Gen.3314168

Then it keeps telling:
Trojan.Downloader
W32\Renos.gen!C


And finally
Rootkit.Patched.TDSS.Gen

system32\drivers\ftdisk.sys

Anyone that could help us all?

#9 King555

  • Topic Starter

Posted 19 April 2010 - 11:59 AM

I was able to remove the virus!

I do not know exactly what killed the virus; here is what I did:

- Ran a virus scan with the Dr. Web Live CD
- Booted the system with BartPE (Windows Live CD) and replaced atapi.sys, mouclass.sys and ftdisk.sys with clean versions
- Ran ComboFix under Windows

I scanned the system with the latest version of Norton 360, Kaspersky TDSSKiller, Norman TDSS Cleaner, Spybot Search&Destroy, GMER and Combofix again and no threats were found.

Thanks for the hint with "ftdisk.sys", I think this was the final solution for me.

Edited by King555, 19 April 2010 - 12:01 PM.


#10 Pajajn


Posted 21 April 2010 - 09:35 AM

Hmm, when you replaced your mouclass.sys, how did you do it?
Because I can't find any copy of that system file on my Windows XP cd-rom :thumbsup:

Every time I've tried to replace my ftdisk.sys I came up with a blue screen :flowers:

#11 King555

  • Topic Starter

Posted 21 April 2010 - 11:44 AM

It is important that you replace all infected files at once, because if you boot up the system and any infected file is still active, all other files are infected again immediately.

I found the mouclass.sys on my XP notebook. But maybe you do not need this file. Do you have this file on your hard disk (an infected version)?

Maybe you need to edit your registry and set the entry for the ftdisk.sys to the correct value. See my first post:

After a lot of research I used a remote registry tool within BartPE and found out that in the atapi section of "CurrentControlSet" a file called "tmp36.sys" was called. I replaced the entry with atapi.sys and rebooted - no bluescreen this time.


Edited by King555, 21 April 2010 - 11:45 AM.
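A defender's check for the registry redirection King555 describes above (the atapi service's ImagePath pointing at "tmp36.sys"), written as an added example that is not code from the thread or from any of the tools it names: it parses a .reg export of the CurrentControlSet\Services key, such as a remote-registry tool in a boot CD environment can produce, and lists kernel drivers whose ImagePath names a file other than <service>.sys. The sample export and all of its values are constructed for this example.

```python
import ntpath
import re

# Constructed sample of a .reg export of CurrentControlSet\Services (hypothetical
# values, not from any real machine). The atapi ImagePath pointing at tmp36.sys
# mirrors the redirection the thread describes; ftdisk is left as it should look.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"ImagePath"="system32\\DRIVERS\\tmp36.sys"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ftdisk]
"ImagePath"="\\SystemRoot\\System32\\DRIVERS\\ftdisk.sys"
"Type"=dword:00000001
"""

# Key lines use single backslashes; string values double them, dwords are hex.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$")
VAL_RE = re.compile(r'^"(\w+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_services(reg_text):
    """Return {service_name: {"ImagePath": str, "Type": int}} from a .reg export."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            name, text, dword = val.groups()
            current[name] = int(dword, 16) if dword is not None else text.replace("\\\\", "\\")
    return services


def suspicious_drivers(services):
    """Kernel drivers (Type 1) whose ImagePath file name is not <service>.sys.
    A review heuristic, not proof of infection: a few legitimate services
    (e.g. VgaSave -> vga.sys) also differ, and user-mode services are skipped."""
    flagged = []
    for name, values in services.items():
        if values.get("Type") != 1:
            continue
        image = ntpath.basename(values.get("ImagePath", ""))
        if image.lower() != name.lower() + ".sys":
            flagged.append((name, image))
    return flagged
```

Any flagged entry is worth comparing against the driver file's known-clean copy (as the thread does with files taken from another XP machine) before touching the registry, since the page also notes the planted .sys is copied into dllcache, so dllcache alone is not a trustworthy reference.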


#12 Sthita


Posted 12 May 2010 - 12:47 PM

Hello all. I had the same virus (on my WinXP, IE Explorer) and was able to remove it successfully yesterday. It was redirecting all my Google search page links to advertising sites, and also, my Google Chrome browser would stall and never finish loading. As with some of you, I ran TDSSKiller and it did indeed find the infected file, atapi.sys -- but when it tried to delete it on reboot, it failed every time, because of the way the infection works. So then I ran Combofix, and that did the trick! It removed the infected file, atapi.sys, and also removed a second infected file, ftdisk.sys. When Combofix finished, all was well, and my system is clean now. I ran TDSSKiller for confirmation, and it says I'm clean as well. So no more Google redirect blues for me, and Google Chrome loads fine again as well. The key it seems is to let Combofix replace both atapi.sys and ftdisk for you, rather than trying to do that yourself. It was quick and easy with Combofix -- less than 30 minutes, and it did a great job! Hope this helps.

#13 Pandy


Posted 12 May 2010 - 01:37 PM

It looks to me as though everyone seems to have solved the issues they were having. It is a nice thing to let us know of this. If you would like to find out for sure that you have removed the TDSS or tdl3 infection, feel free to follow the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help beginning with step 6 and post the requested logfiles in a NEW TOPIC OF YOUR OWN here in the Virus, Trojan, Spyware, and Malware Removal Logs.

I would like to add in an aside here that we do not recommend any user to run ComboFix unsupervised. Especially if one is not a qualified team member, nor do we do so outside of the Malware removal logs forum. ComboFix is a very powerful tool and can cause serious issues if not used correctly. Please refer to this topic here in regards to ComboFix use.
http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

This topic will now be closed. If there is still a need to resolve any issues here, please begin a new topic and include a link to this topic.

Do not anticipate trouble, or worry about what may never happen. Keep in the sunlight.

Hide not your talents. They for use were made. What's a sundial in the shade?

~ Benjamin Franklin
