I seem to have a TDSS Rootkit infecting my Atapi.sys file.
I tried the TDSSKiller from kaspersky, and it detects the rootkit, and says that it will remove it on next reboot, but on the next reboot, it detects again, and directs to next reboot, on and on.
In safe mode, as well as safe mde with command prompt, it does not detect any TDSS rootkit at all.
TDSS rootkit removing tool, Kaspersky Lab, 2010
version 126.96.36.199 Mar 22 2010 10:43:04
Scanning Services ...
Scanning Kernel memory ...
Driver "atapi" infected by TDSS rootkit!
File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ... will be cured on next reboot
Memory objects infected / cured / cured on reboot: 1 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1
To finalize removal of infection and avoid loosing of data program will
reboot your PC now.
Close all programs and choose Y to restart or N to continue
I have a Toshiba Satellite laptop dualbooting Vista and Ubuntu Linux (9.10 Karmic)
I came across this rootkit because Google Chrome would not load anything at all, and believing it to be a Chrome issue, I checked out online. I found a couple of posts saying they had similar issues and were caused by the TDSS rootkit, which was removed by TDSSKiller and they were fine, etc, so I tried out the TDSSKiller, and it did detect the rootkit, but cant remove it.
Initially, I used to have AVG 8.5 and Spybot.
Then a couple of weeks ago, I installed Adobe Lightroom using a Keygen.
I had done the same on my Work PC and it did not give me any issues - it did pop up an FLV Player thingy, but I removed that from the startup and there have been no issues since (the workplace runs Kaspersky, and i suppose has s good firewall too). Believing it to be safe, I installed it on my laptop. However, apart from the FLV Player. AVG started to detect trojans, but would not be able to delete/heal/move to vault.
Then I updated to AVG 9.0, installed Avira, as well as Malware bytes. Avira killed two trojans while MBAM killed another. AVG stopped giving me alerts every 5 minutes, and I believed I was fine, and vowed not to bother with icky keygens. I also uninstalled the software. MBAM later detected malware within both installation files, so deleted those too (yeah, should have done that earlier).
So, things were fine, except that Chrome would not load stuff, but since i primarily used FF, and mostly in Ubuntu, I didnt bother too much. Until today, when I realized the rootkit was there.
Currently I have AVG 9.0. Avira, SpyBot SD and MBAM. (Overkill, do you think ? I was going to remove Avira and keep the rest before this turned up)My system is not exhibiting any of the more severe symptoms I read in the forums - redirected search results, blocked AV updates, etc. I usually spend about 40% of my time in Windows, with 60% in Ubuntu, going online through both.
Please tell me how to proceed, what logs or other data you need, etc. I'm going to boot back into Ubuntu until your reply, to be safe.
Edit : MBAM just found and killed a Backdoor.IRCBot (it was scanning while i typed this out)