Rootkit.win32.tdss.tdl4 returns again and again

Hello All,
First time poster. I’ve had bugs in the past but never one like this. Rootkit.win32.tdss.tdl4 continues to come back again and again after removing it with tdsskiller. Apparently there is still a hidden virus in the computer that is causing it to return. It also is causing an error with Win32 Generic processes. Scanned computer with Avast and Malwarebytes and detected nothing however. The virus wont allow a system restore or my computer to be started in safemode. Please help if you can.
Thanks,
YIP24

You need our expert malware remover for this one…

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt / Extras.Txt / Malwarebytes scan log)

Essexboy will be notified when you have posted the logs…
He is usually in here 8:00pm to 11:59pm UK time

Pondus,
I ran Malwarebytes and OTL as instructed; however, OTL did not produce an Extras log. I’m not sure why and was unable to determine the reason through research online. Hopefully you won’t need it, or perhaps I need to change a setting. Also, I have been fighting this virus all night using the Windows Recovery Console and Hitman. I’m not sure, but I think I might be in the clear. I would still like Essex to take a look to make sure though. I’ve attached the OTL and Malwarebytes logs. It’s 3 AM and I’m going to bed lol.
Thanks,
YIP24

Essexboy is notified :wink: get some sleep and check back later :smiley:

Well, I was wrong. The virus or the hidden/backdoor virus that is causing the rootkit to reload is still on my computer. Hopefully Essexboy has a solution because I sure don’t.

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Post log reports ( ComboFix.txt) back to topic.

Argus,
I followed the instructions and ran combofix. I have attached the combofix log below.
Thanks,
YIP24

Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\DUMP5f85.tmp

Save this as CFScript to the desktop.


http://img141.imageshack.us/img141/1218/cfscript1.gif

Close all browser windows and, referring to the picture above,
drag CFScript.txt into ComboFix.exe. ComboFix will re-run.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run. When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


Do you still have problems?

Argus,
The log was over 10000 characters, so I was unable to copy/paste it in the post. I have attached the notepad file instead, or if you would like I could copy/paste it over 2 posts.
Thanks,
YIP24

Do you still have problems?

Sorry my English is bad :slight_smile:

Argus,
I haven’t seen any of the symptoms of the virus since we ran ComboFix. It appears it may have gotten rid of the virus. I’m not 100% sure though, just because I thought yesterday I had gotten rid of it, only to have it reappear an hour later. I will let you know if it comes back or if it is gone for good. I’ll keep my fingers crossed. :wink: Anyway, thank you for all of your help. I appreciate it very much. ;D

Wait a while. If everything is ok do this:

It is necessary to uninstall Combofix

Start >> Run

Copy

Combofix /Uninstall

Enter.

Hello dudes or dudettes.
So I’ve had the same problem, caught the RootKit Win32 TDSS tdl4 from somewhere. I found this thread and ran ComboFix from my desktop, everything seems to be working fine for now, I’ve attached the log file ComboFix generated.
Argus, can you please tell me if there are other steps I should follow now or should I just pray the rootkit won’t appear again?
Thanks a bunch for the help, it’s a hell of a cure. :wink:

Please do this:

Delete the ComboFix icon from your desktop
and then download a new version of ComboFix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and paste Combofix.txt log back to forum.

note: Do not use a USB flash drive until we have finished the cleaning.

Ok, done and done…
I have to say, seeing that it still found rootkit made me sad as a bald baby panda.
Anywho, I’ve attached the log file, now what ?

Open notepad and copy/paste the text present inside the code box below:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"



Save this as CFScript.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and, referring to the picture above,
drag CFScript.txt into ComboFix.exe. ComboFix will re-run.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run. When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


Download and install this program http://amf.mycity.rs/programs/mc/mcshield/


http://img402.imageshack.us/img402/1096/myfile350536.jpg

Save Theme Settings

Connect the USB flash

Please wait while the program scans the flash drive.

Copy/paste the contents of the log in your next reply.
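The two CFScripts posted in this thread use two ComboFix directives: a File:: section listing files to remove, and a RegLock:: section listing registry keys whose access-control lists carry an access-denied entry (the "@Denied:" lines) so that ComboFix can unlock them. Before dragging such a script onto ComboFix.exe, it is worth reading exactly which files and keys it touches; the keys in this thread's script, for example, belong to the Flash Player broker. The following parser is an added example, not code from the forum or from ComboFix itself. It assumes the layout seen above (a line ending in "::" opens a section, RegLock bodies use .reg-style "[HKEY_...]" headers followed by value lines) and uses the thread's own scripts as constructed sample input.

```python
"""Parse a ComboFix CFScript and report which files and registry keys it targets.

Added example; not the forum's or ComboFix's own code. Format assumptions:
  * a line such as 'File::' or 'RegLock::' opens a section that runs until
    the next '::' header;
  * a RegLock body is .reg-style: '[HKEY_...]' key headers, then value lines
    ('@="..."' for the default value, '"Name"="..."' otherwise) and
    '@Denied: ...' lines that describe the access-denied ACE on that key.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two scripts posted in this thread, joined together.
SAMPLE_SCRIPT = r"""
File::
c:\windows\DUMP5f85.tmp

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "File::", "RegLock::"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")       # "[HKEY_LOCAL_MACHINE\...]"
DENIED_RE = re.compile(r"^@Denied:\s*(.*)$")      # "@Denied: (A 2) (Everyone)"


@dataclass
class RegKey:
    path: str
    denied: list = field(default_factory=list)   # ACE descriptors as written
    values: dict = field(default_factory=dict)   # value name -> unescaped data


def parse_sections(text: str) -> dict:
    """Split the script into {section name: [non-empty body lines]}."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def parse_reglock(lines: list) -> list:
    """Turn RegLock body lines into RegKey records."""
    keys: list = []
    key = None
    for line in lines:
        header = KEY_RE.match(line)
        if header:
            key = RegKey(path=header.group(1))
            keys.append(key)
            continue
        if key is None:
            raise ValueError(f"value line before any key header: {line!r}")
        denied = DENIED_RE.match(line)
        if denied:
            key.denied.append(denied.group(1))
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unrecognised RegLock line: {line!r}")
        name = "(Default)" if name == "@" else name.strip('"')
        # .reg syntax doubles backslashes inside quoted data; undo that.
        key.values[name] = value.strip('"').replace("\\\\", "\\")
    return keys


def summarize(text: str) -> dict:
    """Report the files and registry keys a CFScript would act on."""
    sections = parse_sections(text)
    keys = parse_reglock(sections.get("RegLock", []))
    return {
        "files": list(sections.get("File", [])),
        "keys": [k.path for k in keys],
        "locked_keys": [k.path for k in keys if k.denied],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SCRIPT)
    for path in report["files"]:
        print("file to remove:", path)
    for path in report["locked_keys"]:
        print("locked key to unlock:", path)
```

Running the script against the sample prints the one DUMP*.tmp file and the two CLSID/Interface keys, each of which carries an "@Denied" entry for Everyone. A key that appears under RegLock:: without an "@Denied" line would be a sign that the script does not match the ComboFix log it was written from.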

Ok, I’ve done the ComboFix part, attached the log…
To be honest, the system seems to be working fine since the first run, it hopefully is fine.

Now, regarding the second part, the flash drive scan… I haven’t really used a flash drive since I got the virus, except for my iPod but windows won’t recognize it as a flash drive. I’ll install MCShield, no problem but will it help in any way if I haven’t used another flash drive?

CF log is ok :wink:

It is necessary to uninstall Combofix

Start >> Run

Combofix /Uninstall

Enter

MCShield will prevent infection of the computer via USB flash drive, mobile phone or any memory card.
Leave the default settings.

Awesome! I’ll keep MCShield installed.
Dude, you’ve been of real help, I feel like I should make it rain.

Thanks a mill !


http://img855.imageshack.us/img855/3781/beer.gif