
1 Another TDSS sufferer on Fri Apr 09, 2010 3:55 am

jorgk3


Member
My system is also infected by the TDSS rootkit.

I tried both the Kaspersky and Norman removers. Both detected the rootkit and promised to remove it upon reboot, but after a reboot, it was still there.

Perhaps it's a new more resistant variant.

In my case it infects atapi.sys, but restoring this file using the "System Recovery Console" from a known clean source doesn't help, since as far as I understand how the rootkit works, it just reinfects the same file over and over.

2 Re: ANOTHER TDSS SUFFERER on Fri Apr 09, 2010 5:55 am

jorgk3


Member
You mean F8 for "Safe Mode". Tried that already. Didn't work. As for the mainboard, it's on a Dell laptop.

I still think it's a new mutant, so sort of a double virus. I tried to wipe the MBR with fixmbr in the "Recovery console", but no luck.

3 Re: ANOTHER TDSS SUFFERER on Fri Apr 09, 2010 1:33 pm

DragonMaster Jay


Site Owner
Please explain everything you have done to attempt removal.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


Kaspersky E-Store Kaspersky Anti-Virus 2012: Click Here

Contribute/donate to our site

4 Re: ANOTHER TDSS SUFFERER on Fri Apr 09, 2010 4:03 pm

jorgk3


Member
Hi,

Well, I spent countless hours and ran the following:
Microsoft Security Essential Scan
F-Secure online scan
Malwarebytes scan
ComboFix

All that came to nothing.

Finally I ran both the Norman and the Kaspersky TDSS removal utilities. Both recorded the infection, both promised to clean it upon reboot, and both failed.

I'm not the only one with this problem; the tools fail for other people too, see here:
http://forum.kaspersky.com/lofiversion/index.php/t165666.html

5 Re: ANOTHER TDSS SUFFERER on Fri Apr 09, 2010 4:16 pm

DragonMaster Jay


Site Owner
Ok. That is a potentially dangerous way of going about removal.

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.



6 Re: ANOTHER TDSS SUFFERER on Fri Apr 09, 2010 4:45 pm

jorgk3


Member
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

==========

As I said, I ran ComboFix before and that also ran MBR.exe. Back then, the log said this:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86CEBAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7676f28
\Driver\ACPI -> ACPI.sys @ 0xf74c9cb8
\Driver\atapi -> atapi.sys @ 0xf745b852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf734fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf735ca21
SendHandler -> NDIS.sys @ 0xf733a87b
user & kernel MBR OK

**************************************************************************

But between that run back then and the current one, I used FIXBOOT and FIXMBR in the MS Recovery Console to rewrite the MBR in the hope of getting rid of the infection. Sadly with no success.
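The two mbr.exe logs quoted in this post illustrate why the "user & kernel MBR OK" line on its own is not a verdict: the earlier run prints that same line and still lists hooks on \Driver\Disk, \Driver\ACPI and \Driver\atapi plus an unknown module in the disk I/O stack, while the run after FIXMBR shows no hooks even though the symptoms persist. The Python script below is an added example, not part of this thread or of GMER's tooling. It parses logs in the format shown above, pulls out the hook and unknown-module indicators, and diffs two runs. The two log texts embedded in it are copied from the post; the field names, regular expressions and function names are this example's own assumptions about the log layout.

```python
"""Summarise rootkit indicators from GMER mbr.exe-style logs.

Added example: parses the log format quoted in the post above and compares
two runs. Not part of the thread or of GMER's own tooling; the parsing
rules and names below are assumptions about the layout of that output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Driver hook entries look like:  \Driver\atapi -> atapi.sys @ 0xf745b852
DRIVER_HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (\S+) @ (0x[0-9A-Fa-f]+)$")
# The "called modules:" line marks an unrecognised module as >>UNKNOWN [0x...]<<
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

# Log text copied from the post above (run after FIXMBR, no hooks listed).
CLEAN_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# Log text copied from the post above (earlier run, hooks present).
INFECTED_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86CEBAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7676f28
\Driver\ACPI -> ACPI.sys @ 0xf74c9cb8
\Driver\atapi -> atapi.sys @ 0xf745b852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf734fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf735ca21
SendHandler -> NDIS.sys @ 0xf733a87b
user & kernel MBR OK
"""


@dataclass
class MbrReport:
    mbr_ok: bool = False  # the "user & kernel MBR OK" line was present
    unknown_modules: List[str] = field(default_factory=list)
    driver_hooks: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # driver -> (module, address)
    other_hooks: List[str] = field(default_factory=list)  # object/NDIS handler hooks, kept verbatim

    @property
    def suspicious(self) -> bool:
        # The MBR-OK line is not a verdict; hooks and unknown modules are.
        return bool(self.unknown_modules or self.driver_hooks or self.other_hooks)


def parse_mbr_log(text: str) -> MbrReport:
    """Walk the log line by line; everything between 'detected MBR rootkit
    hooks:' and the MBR-OK line is treated as a hook entry."""
    report = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "user & kernel MBR OK":
            report.mbr_ok = True
            in_hooks = False
            continue
        if line.startswith("called modules:"):
            report.unknown_modules.extend(UNKNOWN_RE.findall(line))
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = DRIVER_HOOK_RE.match(line)
            if m:
                report.driver_hooks[m.group(1)] = (m.group(2), m.group(3))
            else:
                report.other_hooks.append(line)
    return report


def findings(report: MbrReport) -> List[str]:
    """Human-readable list of indicators; empty means nothing was flagged."""
    out = [f"unknown module in disk I/O stack at {addr}" for addr in report.unknown_modules]
    for driver, (module, addr) in sorted(report.driver_hooks.items()):
        out.append(f"{driver} hooked by {module} @ {addr}")
    out.extend(f"hook: {line}" for line in report.other_hooks)
    return out


def diff_reports(baseline: MbrReport, current: MbrReport) -> Dict[str, Set[str]]:
    """Which driver hooks appeared or disappeared between two runs."""
    before, after = set(baseline.driver_hooks), set(current.driver_hooks)
    return {"new_hooks": after - before, "resolved_hooks": before - after}


if __name__ == "__main__":
    for name, text in (("earlier run", INFECTED_LOG), ("current run", CLEAN_LOG)):
        rep = parse_mbr_log(text)
        print(f"{name}: MBR OK line={rep.mbr_ok}, suspicious={rep.suspicious}")
        for item in findings(rep):
            print("  ", item)
    print(diff_reports(parse_mbr_log(INFECTED_LOG), parse_mbr_log(CLEAN_LOG)))
```

Run stand-alone it reports the earlier log as suspicious (one unknown module, three driver hooks, seven further handler hooks) and the current one as showing nothing, with all three driver hooks listed as resolved in the diff; as the rest of the thread shows, an empty mbr.log is evidence only about what this scanner looks at, not proof that the machine is clean.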

7 Re: ANOTHER TDSS SUFFERER on Fri Apr 09, 2010 5:25 pm

jorgk3


Member
Perhaps this helps:

8 Re: ANOTHER TDSS SUFFERER on Sat Apr 10, 2010 12:55 am

DragonMaster Jay


Site Owner
Those entries in RootkitUnhooker are safe.

Get this scan for me and let's see what is hiding, if anything.

Please download OTS by OldTimer and save it to your Desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section and Include MD5.
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers, and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE
      Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
  • Do NOT change any other settings.
  • Then, in the Custom Scans box, place this in:

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\System32\*.sys
    %systemroot%\System32\drivers\*.dll
    %systemroot%\System32\drivers\*.ini
    %systemroot%\System32\drivers\*.exe
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
You will probably have to use two or more posts to get all the information in.



9 Re: ANOTHER TDSS SUFFERER on Sat Apr 10, 2010 4:57 am

jorgk3


Member
I can't submit the report, I get this error:

The posted message is too big.

10 Re: ANOTHER TDSS SUFFERER on Sun Apr 11, 2010 5:49 am

DragonMaster Jay


Site Owner
Please split it up into multiple replies here.



11 Re: ANOTHER TDSS SUFFERER on Sun Apr 11, 2010 5:53 am

jorgk3


Member
I tried to split it up in the middle. That was still too big. So I sent it to you via e-mail.

12 Re: ANOTHER TDSS SUFFERER on Sun Apr 11, 2010 5:57 am

DragonMaster Jay


Site Owner
Please don't do that.

Go ahead and upload it on Rapidshare.com as a Notepad ots.txt file.

Then, post the download link here.

Thanks.



13 Re: ANOTHER TDSS SUFFERER on Sun Apr 11, 2010 6:05 am

jorgk3


Member
rapidshare.com rapidshare.comOTS.Txt.html
MD5: C7DFC601FAEE302A7376C027103E5848

14 Re: ANOTHER TDSS SUFFERER on Sun Apr 11, 2010 12:47 pm

DragonMaster Jay


Site Owner
Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

======================

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=================================

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > ([2010/04/05 22:24:43 | 000,000,698 | ---- | M | MD5 = CC097BEA9A742D97F5A8C6EF3F7B14CF] - 19 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts ->
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\Program Files\Cain\Cain.exe" -> C:\Program Files\Cain\Cain.exe [C:\Program Files\Cain\Cain.exe:*:Enabled:Cain - Password Recovery Utility]
[Files/Folders - Modified Within 90 Days]
NY -> hosts~ -> C:\WINDOWS\System32\drivers\etc\hosts~
NY -> PSSDNSVC.EXE-virus -> C:\WINDOWS\PSSDNSVC.EXE-virus
[Purity]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

=========================

Please go to this webpage: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

This is a Conficker test. Please let me know if you see all the images at the table at the top of the page. If you do not, please tell me which ones are missing. (I.E. Top Row Second Column, or Bottom Row First Column, etc.).



15 Re: ANOTHER TDSS SUFFERER on Sun Apr 11, 2010 1:14 pm

jorgk3


Member
Hi, below is the log file.

The Conficker Test site showed all pictures before and after I ran the fix.

Let's see whether the symptoms are still there:
- Windows update still not accessible
- Hibernate still not working
- Will check for unwanted browser popups later, oops there just was one.
- Gmer still reporting "suspicious activity in atapi.sys"
- Kaspersky's TDSS tool still reporting TDSS infection of atapi.sys.
However, now it hangs instead of running through.

======================

All Processes Killed
[Registry - Safe List]
HOSTS file reset successfully!
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Cain\Cain.exe deleted successfully.
C:\Program Files\Cain\Cain.exe moved successfully.
[Files/Folders - Modified Within 90 Days]
C:\WINDOWS\System32\drivers\etc\hosts~ moved successfully.
C:\WINDOWS\PSSDNSVC.EXE-virus moved successfully.
[Purity]
Purity scan complete.
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: jorgk
->Temp folder emptied: 24476565 bytes
->Temporary Internet Files folder emptied: 1369301 bytes
->Java cache emptied: 36915808 bytes
->FireFox cache emptied: 113822017 bytes
->Flash cache emptied: 19448 bytes

User: LocalService
->Temp folder emptied: 2046060 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 2073842 bytes
->Temporary Internet Files folder emptied: 2289382 bytes
->Java cache emptied: 9080 bytes
->Flash cache emptied: 2382 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2273202 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 179.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: jorgk
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.
< End of fix log >
OTS by OldTimer - Version 3.1.28.1 fix logfile created on 04112010_190314

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
