Microsoft today pulled its MS10-015 patch for the 17-year old bug after reports of BSODs caused by the patch.
It turns out that the TDL3 rootkit infection is related to the Blue Screen of Death (BSOD). See here.
PCs that are infected with the rootkit and run the patch (served by Windows Update) become unbootable!
The number of affected PCs tells us something about how widely spread the TDL3 rootkit is.
Statistics from our Scan Cloud:
Since November 30, Hitman Pro removed TDL3 infections from over 16000 computers.
Interesting detail: 74.8% of those PCs were running an up-to-date AV.
That tells us how good this rootkit is in staying undetected or how difficult it is to remove this infection. TDL3 infects the hard disk driver (usually atapi.sys) and once loaded it serves the OS the uninfected driver, fooling most AVs as they see nothing wrong with the driver.
Some AV vendors have a private removal tool but they won’t release it to the public since they are afraid that the TDL3 authors are counteracting their tool. Since TDL3 was first found in October 2009, TDL3 has changed several times, each time improving its armor.
Currently only public Hitman Pro 3.5 is able to remove all current TDL3 variants (up to TDL3.241). But it is only a matter of time before the TDL3 authors change their armor.
Combofix can also be used if your hard disk driver is atapi.sys. If you have a different driver, like iastor.sys from Intel or one of the list from below then you can’t use Combofix.
At the bottom of this message you will find the list of drivers where Hitman Pro found and removed TDL3:
Sadly, the computers that no longer boot after MS10-015 patch can now only be helped with a boot CD.
This situation again stresses that you need a second opinion scanner as your AV might have missed something. In case of TDL3 a chance of 74.8%.
The detection and removal is all done by Hitman Pro while the identification of the threats is done in the cloud by 7 AVs from our 5 partners: Prevx, G Data, Eset, Avira and a-squared.
Note that while these partners have signatures for the constant changing TDL3 rootkit, they are all currently unable to find the rootkit while its stealth is active. So far Hitman Pro has no problems in detecting it. But TDL3 authors are constant improving their armor …
Finally, a sign of TDL3 infection is when you’re browsing the web and you are frequently redirected to websites you didn’t expect to go to. TDL3 modifies DNS query results. See also here.
Hitman Pro found and removed TDL3 in the following drivers:
atapi.sys – iaStor.sys – nvstor32.sys – nvata.sys – nvstor.sys – nvgts.sys – nvatabus.sys – iaStorV.sys – ahcix86s.sys – viamraid.sys – lsi_scsi.sys – vmscsi.sys – IdeChnDr.sys – jraid.sys – si3112r.sys – lsi_sas.sys – ahcix86.sys – si3112.sys – viasraid.sys – nvrd32.sys – fasttx2k.sys – nvraid.sys – SiSRaid.sys – adpu160m.sys – nvidesm.sys – UlSata.sys – Si3114r5.sys – vsmraid.sys – iteraid.sys – ftsata2.sys – adpu320.sys – iteatapi.sys – Fasttrak.sys