How to remove TDL3 aka infected atapi.sys file


3 replies to this topic

#1 Bodazephyr

  • Members
  • 6 posts

Posted 17 April 2010 - 08:33 PM

The TDL3 rootkit seems to be able to update and reinstall itself and also locks up a file called atapi.sys. I don't know a lot about it, but I've noticed on here a string of people with the same problem. So I thought I could offer some help on how I got rid of this nasty rootkit.

You will need to install Kaspersky antivirus and make a Kaspersky rescue disk. Go to kaspersky.com for a 30 day trial copy if you don't already have it. You can also look at http://support.kaspersky.com/faq/?qid=208280093 if you need to know how to make a rescue disk.

Pop the rescue disk in your PC and boot up to it, run a scan and it is able to disinfect the file. TDSSKiller labeled this file as atapi.sys, but when I ran the Kaspersky rescue disk it labeled the infected file as ini910u.sys, so I don't know if it is able to disguise its real name, but that's what I'm guessing. Once done with that, restart your PC. You may also have to delete the remnants of the malware, since it is able to also update and reinstall itself when you are connected to the internet. So what I did was run Malwarebytes to remove these files. After that, run TDSSKiller to verify that the malware is indeed gone.

I was not able to post this in the proper forum section, as I'm not able to make posts in the "how to remove" section, so please move this there if you feel it's a more appropriate place for this.

Anyways, hope this helps, as I know this was a real pain for me. Cheers!

Edited by Bodazephyr, 17 April 2010 - 08:35 PM.
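A defender-side check that this post implies but does not spell out, as an added example that is not part of the original thread or of any tool it names: from the rescue environment (that is, with the infected Windows kernel not running), hash every file in the mounted drivers directory and compare it with a known-good baseline, so a tampered driver is flagged by its content rather than by whichever name a given scanner reports for it. The script, the baseline format, and the sample files are assumptions; the driver bytes and the "infected" copy are constructed placeholders, not real driver data.

```python
"""Offline driver integrity audit (example code, not from the original post).

Hash every file in a Windows drivers directory mounted from a rescue
environment and compare against a known-good baseline, so an altered driver
is caught by content regardless of the name a scanner assigns to it.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_drivers(drivers_dir, baseline):
    """baseline maps lowercase driver filename -> known-good SHA-256 hex.

    Returns a dict of sorted lists:
      modified: present in baseline but content differs
      unknown:  on disk but not in baseline (e.g. a dropped driver)
      missing:  in baseline but absent from disk
    """
    drivers_dir = Path(drivers_dir)
    report = {"modified": [], "unknown": [], "missing": []}
    seen = set()
    for entry in sorted(drivers_dir.iterdir()):
        if not entry.is_file():
            continue
        name = entry.name.lower()  # Windows filenames are case-insensitive
        seen.add(name)
        digest = sha256_of(entry)
        if name not in baseline:
            report["unknown"].append(name)
        elif baseline[name] != digest:
            report["modified"].append(name)
    report["missing"] = sorted(n for n in baseline if n not in seen)
    return report


def demo():
    """Constructed sample: a fake drivers folder with one tampered file,
    one unexpected file and one absent file. The bytes are placeholders."""
    clean = {
        "atapi.sys": b"CLEAN-ATAPI-DRIVER-BYTES (constructed)",
        "disk.sys": b"CLEAN-DISK-DRIVER-BYTES (constructed)",
        "ntfs.sys": b"CLEAN-NTFS-DRIVER-BYTES (constructed)",
    }
    # Baseline built from the clean images. In practice it would come from a
    # clean install of the same Windows version and service pack (assumption).
    baseline = {name: hashlib.sha256(data).hexdigest() for name, data in clean.items()}

    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp)
        for name, data in clean.items():
            (drivers / name).write_bytes(data)
        # Tampered driver: same name as the baseline entry, different content.
        (drivers / "atapi.sys").write_bytes(b"PATCHED-ATAPI-DRIVER-BYTES (constructed)")
        # Extra driver that the baseline does not know about.
        (drivers / "ini910u.sys").write_bytes(b"UNKNOWN-DRIVER-BYTES (constructed)")
        # Baseline driver that is absent from disk.
        (drivers / "ntfs.sys").unlink()
        return audit_drivers(drivers, baseline)


if __name__ == "__main__":
    print(demo())
```

The point of running this from the rescue disk rather than from the booted Windows system is the same reason the post boots a rescue disk at all: a kernel-mode rootkit can filter disk reads and hand tools running on the infected system the original file bytes, so a hash taken from inside that system cannot be trusted. The baseline must match the exact Windows version and service pack, otherwise legitimate updates show up as "modified".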



#2 boopme

  • Global Moderator
  • 73,416 posts
  • Location: NJ USA

Posted 17 April 2010 - 09:34 PM

Thanks for your input. We have a tutorial for this infection here: How to remove the TDSS, TDL3, or Alureon rootkit using TDSSKiller

#3 Bodazephyr

  • Topic Starter
  • Members
  • 6 posts

Posted 19 April 2010 - 01:59 PM

Good to know, but unfortunately this new version doesn't get removed by TDSSKiller. I don't know if it's a new hybrid or something, maybe TDL4?

Edited by Bodazephyr, 19 April 2010 - 02:40 PM.


#4 boopme

  • Global Moderator
  • 73,416 posts
  • Location: NJ USA

Posted 19 April 2010 - 03:20 PM

We need a deeper look at a new variant. Please go here: Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
