A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #827  by lars
 Wed Apr 21, 2010 1:05 pm
erikloman wrote: I have made a movie of what happens.
Hmm.. I've never seen a crash at this stage before. The unhandled exception occurs in SCSIPORT.sys. I can't really see why or how or what causes it. The reason why you never get it back up is that the device driver is missing.

Did you test with the latest versions of TDL3 (those that infect random system drivers)?
 #828  by EP_X0FF
 Wed Apr 21, 2010 2:19 pm
Hello,

I'm not able to reproduce that BSOD, but from the movie I can tell that this is probably caused by TDL, not really an NTC bug. Perhaps SCSIPORT.sys was infected, and since the BSOD occurred while TDL was being cleaned, obviously it was eliminated. The stop screen at reboot is an INACCESSIBLE_BOOT_DEVICE bugcheck from the IoInitSystem routine because of a ZwOpenFile failure (OBJECT_NAME_NOT_FOUND). I've seen the same behavior a few times (within six months) with my own TDL3 cleaner.
 #830  by djpnuemo
 Wed Apr 21, 2010 4:16 pm
Ran the updated Norman TDSS Cleaner on my test machine (XP SP3, non-virtual). Removed the infection without a BSOD.

Re-imaged and ran a second test and confirmed it was removed, but no internet at all. Commands to restore internet do not work. This is the one time I didn't check which driver was infected, but I will assume it was tcpip.sys.
 #839  by erikloman
 Thu Apr 22, 2010 10:54 am
lars wrote:
erikloman wrote: I have made a movie of what happens.
Hmm.. I've never seen a crash at this stage before. The unhandled exception occurs in SCSIPORT.sys. I can't really see why or how or what causes it. The reason why you never get it back up is that the device driver is missing.

Did you test with the latest versions of TDL3 (those that infect random system drivers)?
I tested with a TDL3 from this forum (keygen.ex1) with the sha256:
037B16FD36C985D4AC1123C99743383AF6DE70DCBC4640FFE25D4A7D47A22EB9

I also managed to create a full dump for you using WinDbg attached to the VMware guest over the serial/namedpipe interface (it took almost 3 hours to generate the dump :shock:).

You can download the dump from here: http://87.249.122.198/dump/ntc-scsiport.7z.
Please reply to this post if you have downloaded the dump so that I can delete the download.

I hope you can put the dump to some good use. Erik
 #849  by lars
 Fri Apr 23, 2010 12:00 pm
erikloman wrote: I also managed to create a full dump for you using WinDbg attached to the VMware guest over the serial/namedpipe interface (it took almost 3 hours to generate the dump :shock:).

You can download the dump from here: http://87.249.122.198/dump/ntc-scsiport.7z.
Please reply to this post if you have downloaded the dump so that I can delete the download.
Thanks, got it.
 #850  by Syler
 Fri Apr 23, 2010 1:33 pm
I tested this a few times in VMware XP SP3 and it worked well until mouclass.sys got infected. It found the infection and I rebooted, but when Windows restarted I had no mouse pointer; mouclass.sys is still present in the drivers folder, though.
 #856  by djpnuemo
 Fri Apr 23, 2010 3:51 pm
If you copy and replace mouclass.sys from dllcache or servicepackfiles\i386 into system32\drivers and reboot, you should be OK.
 #866  by Syler
 Fri Apr 23, 2010 6:59 pm
Thanks, but I don't have a problem fixing it, I was just making the author aware of this.
 #869  by ConanTheLibrarian
 Sat Apr 24, 2010 12:55 am
I'm a little confused that you made it detect the latest, random driver TDL3, but it doesn't clean the original TDL3.273.

I infected my VM with the atapi.sys infecting TDL3.273 and it sees it but fails to disinfect it. Explain why you call it TDSS Cleaner again?
 #889  by lars
 Mon Apr 26, 2010 9:14 am
windbreaker11 wrote: I'm a little confused that you made it detect the latest, random driver TDL3, but it doesn't clean the original TDL3.273.

I infected my VM with the atapi.sys infecting TDL3.273 and it sees it but fails to disinfect it. Explain why you call it TDSS Cleaner again?
In my tests it cleans TDL3.273 just fine. Can you upload the sample, or give the MD5 please?