What a nice cryptic name for a blog post! If you found this via a search, then I’m sorry for you. This was a really, REALLY frustrating problem.
Symptoms Prior: Browser would randomly bring up an ad-filled website which is obviously a virus of some kind.
I treated the system with scans by Spybot, Microsoft Security Essentials (which was installed) and AdAware. They said everything was fine. I felt better. Maybe it was just some script in Firefox? I did find that my firewall was disabled, which was odd. I turned it back on and shortly after, I had:
New Symptoms: a BSOD (Blue Screen of Death) relating to ATAPORT.SYS. It cycled like this for a bit and I attempted to go into safe mode. Safe mode hangs up every time at CRCDISK.SYS.
After a few articles – everyone is convinced the hard drive is bad. I took the drive out and put it on a USB/SATA adapter on another machine and ran chkdsk. The hard drive appears fine – survived all five levels of CHKDSK.
I found this article: http://forums.techarena.in/operating-systems/1127074.htm
and followed it. Removing the files isn’t easy since Vista protects them, so you have to use advanced security to “TAKE OWNERSHIP” of each file and then you give yourself permissions and then you can delete them. Took a while, but I had high hopes. (note if you are doing this from XP, you have to turn on ADVANCED Security. I’d never heard of this option until running through this procedure).
[How to disable simple security in XP:
- Click Start, and then click My Computer.
- On the Tools menu, click Folder Options.
- Click the View tab.
- In the Advanced Settings section, click to clear the Use simple file sharing (Recommended) check box.
- Click OK.]
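The same take-ownership, grant-permissions, delete sequence can be run from a command prompt instead of clicking through the Security dialog for each file, which is quicker when several files are involved. This is an added example and is not from the original post or the linked forum thread; it uses the built-in takeown.exe and icacls.exe, assumes an elevated PowerShell prompt on the machine the drive is attached to (PowerShell 4 or later, for Get-FileHash), and the path in `$suspect` is a hypothetical placeholder, since the post does not name the files it removed.

```powershell
# Added example, not from the original post: take ownership of protected files
# on an attached drive and delete them, from an elevated PowerShell prompt.
# $suspect is a hypothetical placeholder list; substitute the real paths.
$suspect = @(
    'E:\Windows\System32\drivers\example.sys'   # hypothetical path
)

foreach ($path in $suspect) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "Not found: $path"
        continue
    }

    # Record a hash before touching the file, so the sample can be looked up
    # or compared against a known-good copy later.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Host "$path SHA256=$hash"

    # 1. Take ownership (the Owner tab of Advanced Security, done by takeown.exe).
    takeown.exe /F $path | Out-Null

    # 2. Grant the current user full control (the Permissions tab, done by icacls.exe).
    icacls.exe $path /grant "$($env:USERNAME):F" | Out-Null

    # 3. With ownership and full control the delete now succeeds.
    Remove-Item -LiteralPath $path -Force
    Write-Host "Removed: $path"
}
```

Deleting or swapping a driver that Windows loads during boot can itself leave the system unbootable, so keep the hash and a copy of anything removed; the post's later step, SFC /SCANNOW from the Vista CD, is what restored a clean Microsoft copy of TUNNEL.SYS.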
Plugged the drive back into the laptop – no difference. Exact same lock-up at CRCDISK and in non-safe mode, gets almost booted up and I get a BSOD with ATAPORT.
After more articles, I found that it isn’t CRCDISK.SYS causing the problem, it’s whatever driver is loaded AFTER CRCDISK.SYS. I tried a boot-logged bootup and found that TUNNEL.SYS comes after CRCDISK.SYS. I actually don’t know if the log I found was the one I just created because it always locked up right there and the log I found was from a complete bootup. In any case, I researched TUNNEL.SYS and found it is sometimes infected with a virus. I used the USB adapter again to locate TUNNEL.SYS and replaced it with another one on the drive. Yes, probably dangerous – but did it really matter at this point since I was facing a complete reinstall (and trying to avoid that). I booted in SAFE mode and TA DA - no difference.
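The boot log is appended to on every boot where logging is enabled, which is exactly why it is hard to tell whether the section you are reading came from the hung boot or from an earlier complete one. This added example (not from the original post) reads ntbtlog.txt from the drive mounted on another machine, keeps only the most recent boot attempt, and lists what the log records after crcdisk.sys. It assumes the hypothetical mount path in `$bootLog`, that boot logging was enabled (F8 > Enable Boot Logging), and that each boot attempt in the file starts with a "Microsoft (R) Windows (R) Version ..." header line followed by "Loaded driver" / "Did not load driver" entries, which is the layout of the Vista-era log as I know it.

```powershell
# Added example, not from the original post: list the drivers the most recent
# logged boot attempt recorded after a given driver (crcdisk.sys here).
# Assumptions: the hypothetical mount path below, and that every boot attempt
# in ntbtlog.txt begins with a "Microsoft (R) Windows (R) Version ..." line.
$bootLog = 'E:\Windows\ntbtlog.txt'   # hypothetical path of the attached drive
$anchor  = 'crcdisk.sys'

# Walk the file once, tagging every driver entry with the boot attempt it belongs to.
$bootIndex = -1
$entries = @(foreach ($line in Get-Content -LiteralPath $bootLog) {
    if ($line -like 'Microsoft (R) Windows*') { $bootIndex++; continue }
    if ($bootIndex -ge 0 -and $line -match '^(Loaded|Did not load) driver\s+(.+)$') {
        [pscustomobject]@{
            Boot   = $bootIndex
            Status = $Matches[1]
            Driver = [System.IO.Path]::GetFileName($Matches[2].Trim())
        }
    }
})
if ($entries.Count -eq 0) { throw "No driver entries found in $bootLog" }

# Keep only the last boot attempt; that is the one from the hang, if the log was flushed.
$lastBoot = $entries[-1].Boot
$last = @($entries | Where-Object { $_.Boot -eq $lastBoot })
Write-Host ("Boot attempts in log: {0}; last attempt logged {1} drivers" -f ($lastBoot + 1), $last.Count)

# Locate the anchor driver inside that attempt.
$i = -1
for ($k = 0; $k -lt $last.Count; $k++) {
    if ($last[$k].Driver -ieq $anchor) { $i = $k; break }
}
if ($i -lt 0) { throw "$anchor does not appear in the last boot attempt" }

if ($i -eq $last.Count - 1) {
    # A hung boot usually ends at the last driver that logged successfully, so the
    # culprit is whatever loads next; only a complete boot's section can name it.
    Write-Host "$anchor is the last driver logged in this attempt; the hang is in whatever loads next."
} else {
    Write-Host "Drivers logged after ${anchor}:"
    $last[($i + 1)..($last.Count - 1)] | Format-Table Status, Driver -AutoSize
}
```

If the last attempt ends at crcdisk.sys, rerun with `$lastBoot` set to an earlier complete attempt to see the normal load order and read off the driver that follows it; that is the list of candidates to compare against the installed files, rather than a verdict on any one of them.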
I booted the Vista CD again and was able to get to the command prompt and ran the SFC /SCANNOW (I’ve never used this). It took a while and said it repaired some files. I checked the log and it turns out, it corrected TUNNEL.SYS. Now, did it just put the same one back? I don’t know, but I rebooted into safe mode and it made it. Unbelievable.
I had downloaded another scanner that looks for TDSS called TDSSKILLER which I had also come across in the 50+ articles I read. I followed the instructions and I had the TDSS virus. UGH! But it all made sense. It cleared it and now the system booted up normally – not in safe mode.
I ran Spybot again and it found a few random files which it fixed.
So TDSS is the culprit – it was not a bad drive (which I read so much about) and it wasn’t the SATA interface (which I read so much about). Just another old virus.
What I learned:
- Download all the latest Virus scanners (including root kit scanners) before you need them – put them on a USB
- Make sure you have some method of reading your drives on another machine. I usually have no problem with IDE, but I had to buy this SATA cable which was only $29 at BestBuy (you can get them online cheaper). (honestly – I’ve had machines that wouldn’t boot and running a CHKDSK on my drives on another machine works 90% of the time.)
- Don’t stop reading after one article (including this one). It’s certainly possible that your problem, while it looks JUST LIKE this one, might be different.
- Learn how to take ownership of files and change security.
- People who create viruses might be smart – but they actually suck. The fact that SpyBot years ago used to search for about 45k issues and now it looks for 750k issues – I mean really – is this the future we were looking towards?