Persistent TDL4@MBR, multiple problems? All options exhausted?

I am running XP home with SP3

aswMBR.exe detects TDL4@MBR. I press “Fix” and reboot immediately, but it's still present when run again. Same thing when run in safe mode; it keeps coming back.

TDSSkiller gets stuck at 80% and windows reports “TDSSkiller.exe has encountered a problem”. Doesn’t work when renamed to 123.com or 123.exe or whatever else.

Spybot keeps showing gift.load, which keeps appearing as a different registry every time spybot detects it.

Hitman Pro is not recognizing the TDL4. I even tried Hitman Pro new build released today just for this specific variant. See here: http://hitmanpro.wordpress.com/2011/05/02/tdl4-bootkit-reinstates-64-bit-infection-capability/

When I try to boot with the XP CD to wipe everything clean and reformat as a last resort, a blue screen error says:
"A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you’ve seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Disable or uninstall any anti-virus, disk defragmentation or backup utilities. Check your hard drive configurations, and check for any updated drivers. Run CHKDSK /F to check for hard drive corruption, and then restart your computer."

According to Microsoft, this may be due to the HaxDoor virus.

Please help. Let me know which logs to post. Thank you!

essexboy has been notified; you will find him here tomorrow.

OMG, my baby is gonna be dead by tomorrow =(
Hehe thank you. I shall wait patiently. ;(

Hi, the first thing to do is to run a bootscan - twice. This has proved effective in several cases. If that fails to kill the TDL then do the following:

Download a fresh copy of aswMBR

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

THEN

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Hello,
I ran ComboFix, after which aswMBR still detected the rootkit. However, this time I was able to run TDSSkiller (which used to get stuck at 80% before). TDSSkiller removed the TDL4.

I am posting the old (before TDSSkiller) and the new aswMBR (after TDSSkiller) logs, and attaching OTS.

Old log:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 19:33:56

19:33:56.484 OS Version: Windows 5.1.2600 Service Pack 3
19:33:56.484 Number of processors: 2 586 0x1C02
19:33:56.484 ComputerName: GATEWAY UserName: Anaam
19:33:57.265 Initialize success
19:33:59.015 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
19:33:59.031 Disk 0 Vendor: ST916031 0001 Size: 152627MB BusType: 3
19:33:59.046 Disk 0 MBR read successfully
19:33:59.062 Disk 0 MBR scan
19:33:59.078 Disk 0 TDL4@MBR code has been found
19:33:59.078 Disk 0 MBR hidden
19:33:59.093 Disk 0 MBR [TDL4] ROOTKIT
19:33:59.109 Disk 0 trace - called modules:
19:33:59.125
19:33:59.125 Scan finished successfully
19:34:06.546 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Anaam\Desktop\MBR.dat”
19:34:06.546 The log file has been saved successfully to “C:\Documents and Settings\Anaam\Desktop\aswMBR.txt”

New log:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 21:27:50

21:27:50.234 OS Version: Windows 5.1.2600 Service Pack 3
21:27:50.234 Number of processors: 2 586 0x1C02
21:27:50.234 ComputerName: GATEWAY UserName: Anaam
21:27:55.000 Initialize success
21:27:57.640 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
21:27:57.656 Disk 0 Vendor: ST916031 0001 Size: 152627MB BusType: 3
21:27:57.687 Disk 0 MBR read successfully
21:27:57.687 Disk 0 MBR scan
21:27:57.703 Disk 0 unknown MBR code
21:27:57.718 Disk 0 scanning sectors +312578048
21:27:57.750 Disk 0 scanning C:\WINDOWS\system32\drivers
21:28:03.859 Service scanning
21:28:05.265 Disk 0 trace - called modules:
21:28:05.281 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
21:28:05.296 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86f908c8]
21:28:05.312 3 CLASSPNP.SYS[f78bdfd7] → nt!IofCallDriver → \Device\0000006b[0x86fd93e0]
21:28:05.328 5 ACPI.sys[f7312620] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x86fa3030]
21:28:05.359 Scan finished successfully
21:28:16.859 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Anaam\Desktop\MBR.dat”
21:28:16.921 The log file has been saved successfully to “C:\Documents and Settings\Anaam\Desktop\aswMBR2.txt”
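The two aswMBR logs above show the before/after pattern a helper looks for: a named bootkit verdict and an empty driver-stack trace first, then non-standard but unhidden boot code with a full trace afterwards. The following Python script is an added example, not part of the thread or of aswMBR itself; it embeds the MBR-relevant lines from the two logs as constructed sample input and flags the indicators, so that two runs can be compared mechanically. The indicator strings, the severity ranking and the note about OEM recovery MBRs being a benign cause of "unknown MBR code" are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: MBR-relevant lines copied from the two aswMBR logs
# posted in the thread (before and after TDSSkiller). Other lines are omitted.
LOG_BEFORE = """\
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 19:33:56

19:33:59.046 Disk 0 MBR read successfully
19:33:59.062 Disk 0 MBR scan
19:33:59.078 Disk 0 TDL4@MBR code has been found
19:33:59.078 Disk 0 MBR hidden
19:33:59.093 Disk 0 MBR [TDL4] ROOTKIT
19:33:59.109 Disk 0 trace - called modules:
19:33:59.125
19:33:59.125 Scan finished successfully
"""

LOG_AFTER = """\
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 21:27:50

21:27:57.687 Disk 0 MBR read successfully
21:27:57.687 Disk 0 MBR scan
21:27:57.703 Disk 0 unknown MBR code
21:27:57.718 Disk 0 scanning sectors +312578048
21:28:05.265 Disk 0 trace - called modules:
21:28:05.281 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
21:28:05.359 Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s*(.*)$")
# A module-trace line is a run of driver/image names (ntoskrnl.exe, disk.sys, hal.dll ...).
MODULE_RE = re.compile(r"^(\S+\.(?:exe|sys|dll)\s*)+$", re.IGNORECASE)

SEVERITY = {"clean": 0, "info": 0, "review": 1, "infected": 2}

# Assumed indicator substrings (based on the wording in the posted logs) -> verdict, explanation.
INDICATORS = [
    ("@MBR code has been found", "infected", "known bootkit signature matched in the MBR"),
    ("ROOTKIT", "infected", "explicit aswMBR rootkit verdict"),
    ("MBR hidden", "infected", "real MBR is hidden from the OS, i.e. a disk hook is active"),
    ("unknown MBR code", "review", "non-standard boot code: compare against a known-good "
                                   "baseline; OEM recovery MBRs are a common benign cause"),
    ("scanning sectors", "info", "sectors beyond the last partition (bootkit hiding area) checked"),
]


@dataclass
class ScanSummary:
    verdict: str = "clean"
    findings: list = field(default_factory=list)   # (timestamp, message, explanation)
    modules: list = field(default_factory=list)    # traced disk driver stack
    finished: bool = False


def parse_events(log_text):
    """Yield (timestamp, message) for each timestamped line, skipping empty messages."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group(2):
            yield m.group(1), m.group(2)


def _raise(summary, verdict):
    if SEVERITY[verdict] > SEVERITY[summary.verdict]:
        summary.verdict = verdict


def summarize(log_text):
    """Classify one aswMBR log as clean / info / review / infected with supporting findings."""
    s = ScanSummary()
    saw_trace_header = False
    for ts, msg in parse_events(log_text):
        for needle, verdict, why in INDICATORS:
            if needle in msg:
                s.findings.append((ts, msg, why))
                _raise(s, verdict)
        if msg.endswith("called modules:"):
            saw_trace_header = True
        elif MODULE_RE.match(msg):
            s.modules = msg.split()
        elif msg == "Scan finished successfully":
            s.finished = True
    # An announced trace with no module line means the disk stack could not be walked,
    # which is what the infected log above shows; treat it as needing review.
    if saw_trace_header and not s.modules:
        s.findings.append(("-", "called modules: (empty)", "disk driver stack could not be traced"))
        _raise(s, "review")
    return s


def compare(before_text, after_text):
    """Diff two runs: which indicators disappeared, which remain, did the trace come back."""
    b, a = summarize(before_text), summarize(after_text)
    after_msgs = {f[1] for f in a.findings}
    return {
        "before": b.verdict,
        "after": a.verdict,
        "cleared": [f[1] for f in b.findings if f[1] not in after_msgs],
        "remaining": [f[1] for f in a.findings],
        "trace_recovered": not b.modules and bool(a.modules),
    }


if __name__ == "__main__":
    for name, text in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        s = summarize(text)
        print(f"{name}: verdict={s.verdict} modules={s.modules}")
        for ts, msg, why in s.findings:
            print(f"  {ts} {msg}  <- {why}")
    print(compare(LOG_BEFORE, LOG_AFTER))
```

The "review" verdict on the second log is deliberate: "unknown MBR code" after a cleanup is not a rootkit verdict, but it is also not proof of a clean boot sector, so the saved MBR.dat should be compared against a trusted copy (a factory-restore image or a hash taken from a known-clean machine of the same model) before the case is closed.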

A few bits and bobs to go -

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  q8d0koh7sty104n886j5381r151ce1n85cl3o47 -> C:\Documents and Settings\Anaam\Local Settings\Application Data\q8d0koh7sty104n886j5381r151ce1n85cl3o47
NY ->  q8d0koh7sty104n886j5381r151ce1n85cl3o47 -> C:\Documents and Settings\All Users\Application Data\q8d0koh7sty104n886j5381r151ce1n85cl3o47
[Files - No Company Name]
NY ->  Axavapoyowukat.dat -> C:\WINDOWS\Axavapoyowukat.dat
NY ->  Rjirag.bin -> C:\WINDOWS\Rjirag.bin
NY ->  q8d0koh7sty104n886j5381r151ce1n85cl3o47 -> C:\Documents and Settings\Anaam\Local Settings\Application Data\q8d0koh7sty104n886j5381r151ce1n85cl3o47
NY ->  q8d0koh7sty104n886j5381r151ce1n85cl3o47 -> C:\Documents and Settings\All Users\Application Data\q8d0koh7sty104n886j5381r151ce1n85cl3o47
NY ->  7oLQoNBb8.dat -> C:\Documents and Settings\All Users\Application Data\7oLQoNBb8.dat
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

OK, hope you don’t hate me, but as soon as my Gateway Recovery Management became usable again after TDSSkiller removed the virus at the MBR, I restored my computer because I was worried about being connected to the internet on an infected system.

So here is the new log (didn’t run the custom fix). Let me know if it is clean now? I don’t know if restoring would get rid of everything.

I have no problem with that at all ;D

Did you just restore back a few days or do a system re-install ?

I restored it to manufacturer factory defaults yesterday night, right after TDSSkiller removed the virus. Before, I couldn’t do the restore; Gateway Recovery Management would tell me “hard drive wasn’t configured to factory settings”.
I couldn’t even format everything and do a system reinstall because I would get an error when I booted up with the XP CD; it would tell me “A problem has been detected and windows has been shut down to prevent damage to your computer”.

So I jumped at the chance of restoring it when I could since I already had my data backed up. :)

Question: I’ve been using a USB drive on my infected system. Scans showed it was clean; can I plug it back in? I just want to be safe, I don’t know if the USB drive could be infected or anything like that.

Thanks a bunchies for your help! :D I appreciate it. Lots of <3 from my netbook to you!

Use Panda USB Vaccine on all your USB drives - they will no longer autorun, but I feel that is a minor inconvenience.
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/?wbc_purpose=Basicdefaultdefaultdefault.htmdefaultdefaultdefault.htmdefault.htmdefaultdefaultdefault/