[Boooooo]

Hi guys, sorry for my bad English and sorry if I can't post any log file because the infected notebook is not mine and so not present (at the moment).

I nearly completely cleaned this notebook but I can't get rid of a TDL3 rootkit; several antivirus now (even professional one such as NOD32 Smart Security, Hitman Pro, Spybot, DrWeb, Prevx 3.0 ) consider the notebook cleaned but is not for other tools such as some TDSS Remover, like TDSSKiller from Kaspersky that says me exactly this (I quote):

TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.2.8.1 Mar 22 2010 10:43:04

Scanning Services ...

Scanning Kernel memory ...
Driver "atapi" infected by TDSS rootkit!
File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ... will b
e cured on next reboot

Completed

Results:
Memory objects infected / cured / cured on reboot: 1 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1

To finalize removal of infection and avoid loosing of data program will
reboot your PC now.
Close all programs and choose Y to restart or N to continue

But can't remove the infection neither after reboot.

I even tried to replace atapi.sys from Windows XP CD, with the windows repair console, but infection is still present :( any hint?
Thanks


edit, OS Windows XP Service Pack 2

[EP_X0FF]

You need to know exactly infected driver to replace it with original.
If you read this thread you should know what can help

[Boooooo]

is not atapi.sys??
So you are saying to use Rootkit Unhooker to better understand which is the infected driver, I will try soon but then I didn't understood how to replace :|

[EP_X0FF]

Yes it is not atapi.sys
Current TDL3 infects random driver, discussed here at last few pages.

[Boooooo]

ty, and after detected the real infected random driver, how can I replace? For atapi.sys I did this (from recovery console), with no effects:

cd system32\drivers
ren atapi.sys atapi.old
expand D:\i386\atapi.sy_

Can I will do the same for the real infected driver? (I suppose no :| )

edit: that random driver will be always different on reboot?

[nullptr]

that random driver will be always different on reboot?

At present no, it'll be the same driver.
You should be able to replace it from the RC. Just copy the driver from the system32\drivers directory before you boot into the RC -
the rootkit presents you with a clean image to copy from within windows.

[Boooooo]

sorry do not understand, i am dumb :
RC stands for recovery console, true??

"Just copy the driver from the system32\drivers" why "from"? I figured to take the driver from windows CD and put to system32\drivers folder

[nullptr]

RC stands for recovery console, true??

Yes

"Just copy the driver from the system32\drivers" why "from"? I figured to take the driver from windows CD and put to system32\drivers folder

You can do it either way, just if it happens to be a 3rd party driver, you can easily copy the one in the drivers directory whilst booted into windows.

[gjf]

Lemme clarify the situation 'cos yesterday I was confused too. Now I believe everything is clear for me.

During normal work of infected system when the user tries to copy infected driver TDL3 will give original, uninfected one just to show everything is OK. So copying the whole directory of drivers during active infection will give us all uninfected copies.

When the infection is not active (other OS is booted, LiveCD, RC or anything else) you will see the infected driver is differ just because TDL3 is not active and does not cheat you. So, comparing drivers copied during infected system activity and during non-active system by MD5 or byte-to-byte will reveal infected driver.

Then we have some problems. Yes, in theory rootkit must return original non-infected driver during copy. In practice it is not true allways due to bugs of TDL3 itself. I was informed about the cases when PE sector was presented from infected file and resource section sector - from original one. So exchange in such conditions will result in BSOD.

So I believe the best way is to find out the infected driver and change it to original one from the distribution kit. That's why I insist on appropriate ERD Commander. But of course it will give nothing if other non-Windows drivere will be infected.

[NeonFx]

Forgive me mods if this is out of line:

Boooooo, you should create a new topic at a different forum that provides malware removal assistance such as GeeksToGo.com, TechSupportForum.com, WhatTheTech.com or any of the others out there. This thread is more about the study of this particular infection.

Even if you are successful in removing this infection on your own, you should know that this infection does behave like a downloader and can bring other infections along with it. To have someone look at the system and make sure there isn't anything else on it you'll need to ask for that type of assistance elsewhere.