Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


TDSS Rootkit infection. TDSSKiller fails

  • This topic is locked This topic is locked
2 replies to this topic

#1 arachnic


  • Members
  • 3 posts
  • Local time:01:02 PM

Posted 04 May 2010 - 03:57 AM

Hi !

I seem to have a TDSS Rootkit infecting my Atapi.sys file.
I tried the TDSSKiller from kaspersky, and it detects the rootkit, and says that it will remove it on next reboot, but on the next reboot, it detects again, and directs to next reboot, on and on.

In safe mode, as well as safe mde with command prompt, it does not detect any TDSS rootkit at all.

TDSS rootkit removing tool, Kaspersky Lab, 2010
version Mar 22 2010 10:43:04

Scanning Services ...

Scanning Kernel memory ...
Driver "atapi" infected by TDSS rootkit!
File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ... will be cured on next reboot


Memory objects infected / cured / cured on reboot: 1 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1

To finalize removal of infection and avoid loosing of data program will
reboot your PC now.
Close all programs and choose Y to restart or N to continue

I have a Toshiba Satellite laptop dualbooting Vista and Ubuntu Linux (9.10 Karmic)

I came across this rootkit because Google Chrome would not load anything at all, and believing it to be a Chrome issue, I checked out online. I found a couple of posts saying they had similar issues and were caused by the TDSS rootkit, which was removed by TDSSKiller and they were fine, etc, so I tried out the TDSSKiller, and it did detect the rootkit, but cant remove it.

Initially, I used to have AVG 8.5 and Spybot.
Then a couple of weeks ago, I installed Adobe Lightroom using a Keygen.
I had done the same on my Work PC and it did not give me any issues - it did pop up an FLV Player thingy, but I removed that from the startup and there have been no issues since (the workplace runs Kaspersky, and i suppose has s good firewall too). Believing it to be safe, I installed it on my laptop. However, apart from the FLV Player. AVG started to detect trojans, but would not be able to delete/heal/move to vault.

Then I updated to AVG 9.0, installed Avira, as well as Malware bytes. Avira killed two trojans while MBAM killed another. AVG stopped giving me alerts every 5 minutes, and I believed I was fine, and vowed not to bother with icky keygens. I also uninstalled the software. MBAM later detected malware within both installation files, so deleted those too (yeah, should have done that earlier).

So, things were fine, except that Chrome would not load stuff, but since i primarily used FF, and mostly in Ubuntu, I didnt bother too much. Until today, when I realized the rootkit was there.

Currently I have AVG 9.0. Avira, SpyBot SD and MBAM. (Overkill, do you think ? I was going to remove Avira and keep the rest before this turned up)

My system is not exhibiting any of the more severe symptoms I read in the forums - redirected search results, blocked AV updates, etc. I usually spend about 40% of my time in Windows, with 60% in Ubuntu, going online through both.
Please tell me how to proceed, what logs or other data you need, etc. I'm going to boot back into Ubuntu until your reply, to be safe.


Edit : MBAM just found and killed a Backdoor.IRCBot (it was scanning while i typed this out)

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:02:32 AM

Posted 08 May 2010 - 09:59 AM

Hello sorry for the delay...
First some info ablout a Backdoor/rootkit..

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

To clean we will need for you to post a new topic as this requires specific tools.
We need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,112 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:32 AM

Posted 11 May 2010 - 06:12 PM


Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/316125/tdss-rootkit-infection-tdss-killer-failed/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users