Log in

whatever · 1 tdss removal failed on Wed Apr 07, 2010 6:11 am

whatever

New Member

Hi there,
I am getting constantly website redirections to spam-sites in Firefox latest version on XP SP3. Several AV-Programm and various Anti-Malware software did not found anything.
I just checked tdsskiller and it says that iAstor.sys is infected with tdss rootkit, but is not able to remove it. I think about starting a linux live-cd and try to replace iAStor.sys with a clean version. Would that help? Do you have any other suggestions?
Thanks.
whatever

whatever · 2 Re: tdss removal failed on Wed Apr 07, 2010 7:32 am

whatever

New Member

OK, I think I managed to get over it. Since iaStor.sys was manipulated by TDSS, I disable AHCI, so that this file is nor more in use. Upon reboot, Avira dicovered some infection in c:\system volume restore . These were removed. Kaspersky TDSS remover and Norman TDSS Remover show no more infection.
I reinstalled AHCI drivers with latest Intel iaStor.sys, rebootet and Avira again removed some suspicious files. Still, Kaspersky TDSS remover and Norman TDSS Remover show no more infection.
After reboot, Avira and TDSS removing tools show no more infection.
Website forwarding has stopped.
Think I can be happy now? I will stay here for a couple of days to check for return.
whatever

whatever · 3 Re: tdss removal failed on Fri Apr 09, 2010 5:23 am

whatever

New Member

yes, when I tried to replace iaStor.sys with tdss running, it instantly reinfected the driver.
sounds bad.
which mainboard (ICH Version) do you have? maybe switching to AHCI-mode instead of normal IDE mode might help.
also, try to run windows in safe mode (hit f5 while booting). and run removal tools again.

whatever · 4 Re: tdss removal failed on Fri Apr 09, 2010 11:06 am

whatever

New Member

atapi.sys seems to be essential for running windows, its also active on AHCI-systems.
I found a list of anti-rootkit tools, you might find one helping you.
http://www.antirootkit.com/software/index.htm
good luck!

DragonMaster Jay · 5 Re: tdss removal failed on Fri Apr 09, 2010 1:33 pm

DragonMaster Jay

Site Owner

Please explain again everything you have done to attempt removal.

jorgk3 · 6 Re: tdss removal failed on Fri Apr 09, 2010 1:44 pm

jorgk3

Member
Member

Hi,

well I spend countless hours and ran the following:
Microsoft Security Essential Scan
F-Secure online scan
Malwarebytes scan
ComboFix

All that came to nothing.

Finally I ran both the Norman and the Kaspersky TDSS removal utilities. Both recorded the infection, both promised to clean it upon reboot, and both failed.

I'm not the only one with this problem, the tools fail for other people, too, see here:
http://forum.kaspersky.com/lofiversion/index.php/t165666.html