This excellent tool gets better: not only is it the only AV that cures an infected Atapi.sys rootkit infection, it now has a new feature called ‘Forced Breach’.
Before executing the program, hold down the left Ctrl key. This then disables all non-essential processes, allowing easy removal of rogue programs. Scans are incredibly fast too.
Can be used in conjunction with MBAM, when RKill fails.
I saw this when it was posted in the updates thread. It looks to be quite a useful tool.
Video here: http://www.youtube.com/watch?v=m6eRWTv2STk
-Scott-
Hi micky77,
Yes, and the atapi.sys rootkit infection is at the heart of the BSOD problems with the retracted Windows patch; all these machines were infested with the undetected TDL3 rootkit, which AV scanners miss because the rootkit hands them a clean driver. 74.8 percent of victims had a fully updated AV solution and still got infected.
Not a single AV product is now able to detect the rootkit when it is fully active; then it is in full stealth. Most AV has been fooled that way. The maker of Hitman Pro says that the dropper is hard to flag, because it changes all the time, so AV vendors have to change their definitions accordingly. Next to detection, removal is a big problem. There is no AV now that can do that. There is not much documentation on the rootkit, because it mainly goes under the AV radar.
There is a removal tool.
PrevX has a removal tool for it, but keeps the lid on it, because malcreants would change the code after finding out about the removal technique used, so they could postpone a TDL3 upgrade. Next to atapi.sys the infection has been found in more than 30 other .sys files. According to Loman, ComboFix can eliminate the infection (think of eliminators here like oldman and essexboy), but ComboFix only works with the atapi.sys driver. “No Intel for you, but Nvidia, AMD or some other hard disk driver? Then ComboFix won’t work; your luck is out.”
TDL3 looks for the lowest-level device driver, folks! It walks the driver object chain looking for the lowest-level device driver that handles disk I/O.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Alerts from WOT users (because it cannot be used in the hands of the ignorant, and should be used under supervision of a qualified malware eliminator):
http://www.mywot.com/en/scorecard/combofix.org
How to know you’re infected?
Well, the rootkit changes your DNS results, redirecting users to strange and dangerous places. Also, the rootkit regularly installs a fake AV scanner. In that case users can use Hitman Pro, which scans for free and will eliminate during a 30-day period. “While we read the hard disk much deeper and combine the results of various scanners, TDL3 infections are detected by Hitman Pro indeed. The scanners one by one cannot detect TDL3 because of the stealth method the rootkit uses. But Hitman Pro can handle it easily until now.” http://www.surfright.nl/en/hitmanpro
Because we are very interested in the exploit, and wanted to know what binaries were changed with the patch, we could have established on http://support.microsoft.com/kb/977165 that only kernel files were handled (experienced users would not have thought of a disk driver here in relation to this vulnerability, but rather of ntvdm.exe, included in the list, which has not been replaced through MS10-015; this just for the record).
polonus
“This excellent tool gets better, not only is it the only AV that cures infected Atapi.sys rootkit infection”
Not quite true. Kaspersky has developed a standalone cleaning tool that will remove, replace and clean the registry; this has been available now for several months. GMER will detect the modifications and allow the cleaning track to be followed. The way it does this is: first rename the infected file, extract a clean copy from within the system, check that the registry reflects the changes, remove the process from memory, then remove all traces of the main TDL3 infector file. If the infector is not removed, the problem will return.
Hi essexboy,
Thank you very, very much for the informed additions. Good thread developing here. Keep up the good work; some interesting reading also here: http://www.wilderssecurity.com/showthread.php?p=1579283
and then this article: http://www.drweb.com/static/BackDoor.Tdss.565_(aka%20TDL3)_en.pdf
Damian
Kernel Detective can intercept the “Wut Wut?” message and show you the ThreadId that caused this message to be displayed. The thread can be successfully suspended by Process Explorer. After a reboot, of course, you need to scan your system with a good AV. We are quite sure there exists a simple way to determine the ThreadId even without antirootkits…
P.S.
Warning: try not to do this if you do mind running the risk that, if an error occurs during the process, you are left with an unbootable OS!
So be careful and use at your own risk…
Disinfection: do this to clean a TDL3+ driver infection on the fly:
1- Copy atapi.sys to xatapi.sys in the same \system32\drivers folder.
2- Change the filename in “ImagePath” of the Atapi service key to “xatapi.sys” in the boot ControlSet (or even in all ControlSets):
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi”
3- Reboot.
4- Replace atapi.sys with xatapi.sys and restore the original Atapi service ImagePath value.
5- Reboot.
Infection is gone.
Simpler and faster way:
1- Copy atapi.sys to xatapi.sys
2- Delete atapi.sys
3- Rename xatapi.sys to atapi.sys
4- Reboot.
Infection is gone! Use the latest version of RkU to detect the latest build of TDL3+; it can dynamically detect the hidden device->driver.
pol
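The “simpler and faster way” quoted above, written out as a PowerShell script. This is an added example, not the poster’s own script and not TDSSKiller: it copies the driver, deletes the original, renames the copy back, and optionally reboots, with -WhatIf support so the steps can be previewed first. The driver name is a parameter because the thread reports the same infection in more than 30 other .sys files besides atapi.sys; the default paths and the extra sanity checks are this example’s assumptions, not part of the quoted procedure.

```powershell
# Added example (not from the thread, not TDSSKiller): the quoted
# copy / delete / rename / reboot procedure with -WhatIf support.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DriverName = 'atapi.sys',                       # not always atapi.sys
    [string]$DriverDir  = "$env:SystemRoot\System32\drivers",
    [switch]$Reboot
)

$orig = Join-Path $DriverDir $DriverName
$temp = Join-Path $DriverDir ('x' + $DriverName)

if (-not (Test-Path $orig)) { throw "$orig not found; nothing to do" }
if (Test-Path $temp)        { throw "$temp already exists; remove it first" }

# Step 1: copy atapi.sys to xatapi.sys. Per the thread, an active rootkit
# hands file reads a clean driver image, so the copy is the clean one.
if ($PSCmdlet.ShouldProcess($orig, "copy to $temp")) {
    Copy-Item -Path $orig -Destination $temp -ErrorAction Stop
    # Assumed safety check: abort before touching the original if the copy
    # is not the same length as the source.
    if ((Get-Item $orig).Length -ne (Get-Item $temp).Length) {
        Remove-Item -Path $temp -Force
        throw 'copy length mismatch; original left untouched'
    }
}

# Steps 2 and 3: delete the original, then rename the copy back. If the
# rename fails after the delete, copy the clean file back under the
# original name so the machine still has a driver to boot with.
if ($PSCmdlet.ShouldProcess($orig, "delete, then rename $temp to $DriverName")) {
    Remove-Item -Path $orig -Force -ErrorAction Stop
    try {
        Rename-Item -Path $temp -NewName $DriverName -ErrorAction Stop
    } catch {
        Copy-Item -Path $temp -Destination $orig -ErrorAction Stop
        throw "rename failed ($_); clean copy restored as $orig"
    }
}

# Step 4: reboot.
if ($Reboot -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'reboot')) {
    Restart-Computer -Force
}
```

Run it from an elevated PowerShell prompt; `.\Replace-Driver.ps1 -WhatIf` prints the three file operations without performing them, and `-Reboot` is opt-in so the reboot the procedure ends with is not triggered by accident. The warning at the top of the quoted post still applies: have an offline boot medium at hand before running it for real.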
Or use TDSSKiller; it does the same without you needing to go into the registry.
Essexboy, is this the standalone tool you mentioned in your last post?
Correct - it does all that Pol says, but in about 30 seconds with a reboot. So no deletion of the wrong registry key ;D
Link : http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Edit: It also removes the associated rootkit.
The info page about it also shows how GMER can detect the change, but I presume that OTL/S can see this as well, through the MD5?
http://support.kaspersky.com/viruses/solutions?qid=208280684
Yes, you will find the infected file will either fail the MD5 checksum, have no company name, or be a recent replacement (date check). Nor will it always be atapi.sys.
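The three signs essexboy lists (an MD5 that does not match a known-good copy, no company name in the version info, and a file written much more recently than its neighbours) can be checked across the whole drivers folder with a short PowerShell triage script. The one below is an added example and not OTL, GMER or any tool named in this thread; the known-good list path and the 14-day threshold are this example’s assumptions. Because polonus notes above that an active rootkit hands scanners a clean driver image, run it from an offline boot (or treat a clean hash as inconclusive) and rely on the company-name and date checks as well.

```powershell
# Added example (not from the thread): triage %SystemRoot%\System32\drivers
# for the signs essexboy lists: MD5 mismatch against a known-good list,
# missing CompanyName, or a write time well after the rest of the folder.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    # Assumed known-good list (placeholder path): one "md5  filename" per
    # line, taken from a clean machine at the same patch level.
    [string]$KnownGoodList = 'C:\triage\known-good-md5.txt',
    [int]$RecentDays = 14
)

function Get-Md5Hex([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ([System.BitConverter]::ToString($md5.ComputeHash($stream))).Replace('-', '').ToLower()
    } finally {
        $stream.Close()
    }
}

# Known-good hashes keyed by lower-case file name.
$known = @{}
if (Test-Path $KnownGoodList) {
    foreach ($line in Get-Content $KnownGoodList) {
        $parts = $line.Trim() -split '\s+', 2
        if ($parts.Count -eq 2) { $known[$parts[1].ToLower()] = $parts[0].ToLower() }
    }
}

$drivers = @(Get-ChildItem -Path $DriverDir -Filter *.sys | Where-Object { -not $_.PSIsContainer })
if ($drivers.Count -eq 0) { throw "No .sys files found in $DriverDir" }

# Median write time of the folder: most in-box drivers share a few dates,
# so a lone recently written driver stands out against it.
$sorted = @($drivers | Sort-Object LastWriteTime)
$median = $sorted[[int][math]::Floor($sorted.Count / 2)].LastWriteTime

$findings = foreach ($f in $drivers) {
    $reasons = @()
    $md5  = Get-Md5Hex $f.FullName
    $name = $f.Name.ToLower()
    if ($known.ContainsKey($name) -and $known[$name] -ne $md5) {
        $reasons += "MD5 $md5 differs from known-good $($known[$name])"
    }
    if ([string]::IsNullOrEmpty($f.VersionInfo.CompanyName)) {
        $reasons += 'no CompanyName in version info'
    }
    if ($f.LastWriteTime -gt $median.AddDays($RecentDays)) {
        $reasons += "written $($f.LastWriteTime.ToString('yyyy-MM-dd')), folder median is $($median.ToString('yyyy-MM-dd'))"
    }
    if ($reasons.Count -gt 0) {
        New-Object PSObject -Property @{
            Driver  = $f.Name
            Size    = $f.Length
            Reasons = ($reasons -join '; ')
        }
    }
}

# Which image the atapi service will actually load (the value the manual
# procedure quoted earlier in the thread changes in step 2).
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\atapi' -ErrorAction SilentlyContinue
Write-Output "atapi ImagePath: $($svc.ImagePath)"
$findings | Sort-Object Driver | Format-Table Driver, Size, Reasons -AutoSize
```

A driver that trips only the date check can simply be a recently patched one, so read the findings against the patch history of the machine; a file that has no company name and a hash that differs from the clean copy is the combination the thread describes.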
Hi essexboy,
The TDL3 rootkit has been patched against the MS patch real quick by the malcreants, demonstrating that they are very smart malcreant-professionals. The MS patch, by the way, has cost them many, many rootkits, and so they couldn’t do anything else than update their malicious software: http://www.youtube.com/v/Jbw2d2JqLNs
Removing the malware is a very good achievement; well done, SurfRight, Hitman Pro 3.5.
Also the next video by Mark Loman is well worth watching:
“How to start Hitman Pro in Force Breach mode”
http://www.youtube.com/watch?v=m6eRWTv2STk
polonus