My father has a Windows 2000 desktop which until recently was working fine. Because no modern on-access antivirus works on Win2k, I didn't have him using any; instead I had just installed a firewall, and Firefox with Noscript, and made sure it had all the updates applied. There was also Hitman Pro installed as an on-demand scanner. I figured this would be enough, given his surfing habits. Apparently it wasn't.
Yesterday a routine scan with Hitman Pro resulted in a complete system crash. Reproducing the crash in Safe Mode (with networking) gave me a nice bluescreen with an error indicating a page fault in atapi.sys. Hitman Pro had never done this before.
After this I attempted to do a scan from the AVG Antivirus Live CD. However, the command line scanner exited with an error on reaching a certain file (and didn't tell me what the error message was). I'm still not sure why this happened; I suspect a bug in the current version of the live CD, though I do wonder if it's possible for malicious code to execute when scanned by an antivirus...
(I would have used the Kaspersky, DrWeb, or Avira live CDs, BTW, but those all have problems with the computer's video card.)
Anyway, a bit of Googling seemed to indicate that TDSS can cause crashes like what I observed. So I figured that doing a scan for TDSS specifically would not hurt, and downloaded and ran Kaspersky's TDSS Killer. It hadn't even started scanning when another crash occurred, this time in ntoskrnl.dll.
At this point I was getting quite suspicious. So I created a copy of UBCD4Win on another computer, and booted the "infected" computer from that. I then scanned with Avira and SuperAntiSpyware from the live environment.
* Avira didn't find anything.
* SAS found and removed a registry entry associated with "Malware.Trace" - apparently something involving the Explorer desktop shell - but didn't see anything else.
* I also tried TDSS Killer from the live environment, but it didn't run properly.
Exasperated, I rebooted into Safe Mode and tried running aswMBR, scanning C:\ in its entirety. The MBR came up as clean, and one file on the desktop (some kind of CD labeling software) came up as possibly bad. BUT! On reaching a certain file on the drive (which I wasn't able to get the name of), aswMBR caused a bluescreen! And again, the fault was in atapi.sys.
I have to admit I'm pretty stumped right now - three AV/ARK tools crashing like that seems like a fairly obvious sign that something nasty is up, but for the life of me I can't figure out what it is or how to remove it. Can anyone help me out here?
P.S. If anything I said sounds odd, it's probably because I'm a Linux guy and haven't used Windows in a while. I know Windows well enough to get by, but clearly not well enough to fix whatever ails this computer.