Same problem: Persistent TDL4@MBR, multiple problems? All options exhausted?

Hi There

I had a serious O/S failure after downloading what I thought was an update. The computer immediately crashed and it was obvious that it could not find the boot sequence file. I am running an Acer Aspire 5332 with Windows 7. Automatic repair failed numerous times, and I was unable to boot in any of the safe mode options, but I did manage to use Alt and F10 to reinstall boot files and drivers from the (supposedly) hidden shadow copy. I did not do a full clean install to begin with as I had multiple files that needed backing up first. Once I got back on I backed up my documents etc. to a key drive, but I thought that I had fixed the problem and spent the entire day reinstalling my staple applications and configuring the system to my specifications. I certainly did not expect to log on the next day only to find that the boot sequence file was again missing and the computer was back in the bad state it was in the day before.

I ensured everything was backed up, researched your page and found the post above. I downloaded the 3 pieces of software and ran the aswMBR.exe. I saved the log and clicked on Fix… only for the computer to go black and try to start booting. It again could not boot.

Luckily I saved your page and the software to a key before pressing Fix. I did a full clean install using the advanced repair option (Ctrl and F10), hoping that this would wipe/format the drive and install a fresh clean copy of my O/S. I logged on and allowed the downloads to update and then ran aswMBR.exe; here is the log:

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-17 01:33:59

01:33:59.869 OS Version: Windows x64 6.1.7600
01:33:59.869 Number of processors: 2 586 0x170A
01:33:59.869 ComputerName: TINKLEPUMP-PC UserName: TinklePump
01:34:00.758 Initialize success
01:34:05.734 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
01:34:05.734 Disk 0 Vendor: TOSHIBA_ FG02 Size: 305245MB BusType: 3
01:34:05.734 Device \Driver\iaStor → MajorFunction fffffa8004b4f6c0
01:34:07.747 Disk 0 MBR read successfully
01:34:07.747 Disk 0 MBR scan
01:34:07.747 Disk 0 TDL4@MBR code has been found
01:34:07.747 Disk 0 Windows 7 default MBR code found via API
01:34:07.747 Disk 0 MBR hidden
01:34:07.747 Disk 0 MBR [TDL4] ROOTKIT
01:34:07.762 Disk 0 trace - called modules:
01:34:07.762 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8004b4f6c0]<<
01:34:07.762 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004b3c2a0]
01:34:07.778 3 CLASSPNP.SYS[fffff880015bb43f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8004754050]
01:34:07.778 \Driver\iaStor[0xfffffa8004b46e70] → IRP_MJ_CREATE → 0xfffffa8004b4f6c0
01:34:08.293 Scan finished successfully
01:34:17.154 Disk 0 MBR has been saved successfully to “C:\Users\TinklePump\Desktop\MBR.dat”
01:34:17.419 The log file has been saved successfully to “C:\Users\TinklePump\Desktop\aswMBR.txt”

I am now frightened to press Fix in case it reboots me to the previous state where I was unable to log on and I have to spend another hour reinstalling the O/S. I am also frightened to reboot as I expect the virus will kick in again and prevent me from getting back on.

I would appreciate any help/advice you can give me.

Thank you so much for taking the time to read this. If you require any further information, please do not hesitate to contact me.

P.S. I have an active version of McAfee (the trial that comes with the reinstall). I will not download Avast as it seems pointless spending time setting up the applications every time this happens, just for the virus to replicate and remove the boot sequence.

OK, so I downloaded TDSSKiller.exe and ran it. It found the virus and came back with the option to cure, which I did. It asked to reboot and I was sceptical, but I did, and then I downloaded a fresh copy of aswMBR.exe and ran it again. Here is the log:

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-17 02:27:19

02:27:19.076 OS Version: Windows x64 6.1.7600
02:27:19.076 Number of processors: 2 586 0x170A
02:27:19.091 ComputerName: TINKLEPUMP-PC UserName: TinklePump
02:27:19.949 Initialize success
02:27:23.007 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
02:27:23.023 Disk 0 Vendor: TOSHIBA_ FG02 Size: 305245MB BusType: 3
02:27:23.038 Disk 0 MBR read successfully
02:27:23.038 Disk 0 MBR scan
02:27:23.038 Disk 0 Windows 7 default MBR code
02:27:23.054 Service scanning
02:27:25.175 Disk 0 trace - called modules:
02:27:25.207 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
02:27:25.207 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004b1b410]
02:27:25.207 3 CLASSPNP.SYS[fffff8800103b43f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa80046ee050]
02:27:25.222 Scan finished successfully
02:27:55.829 Disk 0 MBR has been saved successfully to “C:\Users\TinklePump\Desktop\MBR.dat”
02:27:55.829 The log file has been saved successfully to “C:\Users\TinklePump\Desktop\aswMBR2.txt”

I then ran OTS.exe and I have attached the .txt file below for you.

I am unsure whether the fix you gave to the previous post is the right thing to do for my system, so I will await your reply. Meanwhile I will disinfect the USB keys.

The system is certainly acting more stable. I feel like a bit of an idiot as I am in the IT industry (lol) and this is my first ever virus encounter…

Thank you so much for the information that you have already supplied on this site… although not pertaining to me, you provided easy, concise, friendly replies that have certainly helped to put a worried girl in a much more hopeful state of mind!
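A small triage helper for aswMBR logs like the two posted above, added here as an example (it is not code from aswMBR or from anyone in this thread). The sample logs are excerpts of the infected and clean logs in the posts above; the field names and the verdict rules are my own assumptions, not aswMBR's.

```python
import re
# Excerpts of the two aswMBR logs posted above (before/after TDSSKiller), used as sample input.
INFECTED_LOG = """\
01:34:07.747 Disk 0 TDL4@MBR code has been found
01:34:07.747 Disk 0 Windows 7 default MBR code found via API
01:34:07.747 Disk 0 MBR hidden
01:34:07.747 Disk 0 MBR [TDL4] ROOTKIT
01:34:07.762 Disk 0 trace - called modules:
01:34:07.762 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8004b4f6c0]<<
01:34:08.293 Scan finished successfully
"""
CLEAN_LOG = """\
02:27:23.038 Disk 0 Windows 7 default MBR code
02:27:25.175 Disk 0 trace - called modules:
02:27:25.207 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
02:27:25.222 Scan finished successfully
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")   # timestamp + message
DISK_RE = re.compile(r"Disk (\d+) (.*)")                     # per-disk lines
ROOTKIT_RE = re.compile(r"MBR \[(\w+)\] ROOTKIT")            # aswMBR's verdict line
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")  # unnamed module in trace

def triage_aswmbr(log: str) -> dict:
    """Per-disk summary of an aswMBR log. 'Windows 7 default MBR code' alone means
    the sector holds stock boot code; the same text with 'found via API' next to
    'MBR hidden' means API reads were being filtered (as in the first log), so
    only the bare form counts as clean. Field names are this example's own."""
    result = {"rootkits": {}, "hidden_mbr": set(), "default_mbr": set(), "unknown_modules": []}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        disk = DISK_RE.match(msg)
        if disk:
            n, text = int(disk.group(1)), disk.group(2)
            hit = ROOTKIT_RE.search(text)
            if hit:
                result["rootkits"][n] = hit.group(1)
            elif text == "MBR hidden":
                result["hidden_mbr"].add(n)
            elif text.endswith("default MBR code"):
                result["default_mbr"].add(n)
        # An unnamed module in the disk I/O call trace is a hooked driver entry point.
        result["unknown_modules"] += UNKNOWN_RE.findall(msg)
    suspicious = bool(result["rootkits"] or result["hidden_mbr"] or result["unknown_modules"])
    result["verdict"] = "infected" if suspicious else "clean"
    return result
```

Running it over the two excerpts gives "infected" for the first (TDL4 on disk 0, MBR hidden, one unknown hooked module) and "clean" for the second.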

The Fix shouldn’t have returned it to its previous state; it effectively clears the infected MBR and sets it to a clean default. So you could effectively run the same risk in using TDSSKiller when you reboot, but honestly you have little choice.

Sometimes TDSSKiller can’t get rid of the TDL4 MBR rootkit, but the second aswMBR log appears to be clean.

I’m not familiar with the OTS log so I can’t help with that. This TDL4 MBR rootkit is normally associated with trying to connect to malicious sites (usually using svchost.exe); avast’s Network Shield is very effective at preventing that happening and stopping it downloading more malware. Unfortunately, as you say, you haven’t got avast.

A good firewall should also be able to prevent unauthorised outbound connections. Generally the only connection svchost would be making is for Windows Update.

Unfortunately going back to factory settings can leave you vulnerable, in that you will be short on security updates and have an out-of-date trial version of McAfee, etc.

You would honestly be better off using drive imaging software that makes an exact image of your system. I do a weekly image backup and had to use it very recently (I completely lost my mouse driver and software), and it took 15 minutes to get back to my last week’s image.

That way you could have avast on there, and should you need to restore an image for whatever reason, the maximum you would lose is 6 days of program installations, updates, emails, data files, etc. But with a backup strategy you can avoid loss there also.

Windows 7 does have its own backup function and shadow volume, etc., but I’m not very familiar with that. It is another option to avoid going back to the factory setup, though.

Hi David, I have had all sorts of weird things happening with this virus, being locked out of document and music folders etc. When I ran my own recovery s/w (Power Data Recovery) it showed the damage that the virus had already done, removing important security and boot files. I am assuming that when I ran the Fix in aswMBR.exe the system immediately shut down and rebooted for a clean default bootup, but as a reboot causes the virus to kick in again, the boot sequence file was again removed, leaving me back at square one.

I did have avast on backup, but the information from bleepingcomputer.com stated:

"Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools."

This is why I was reluctant to install avast, and the McAfee installed after the return to factory settings on my computer is fully up to date, albeit a 30-day trial. I just wanted to limit the activity as the advice above stated.

I do have a complete drive image, but to be honest, I did this when I first received the laptop, so effectively it would have only taken me back to factory settings. But I will take on board what you are saying and start doing a weekly image backup. I am also interested to hear which firewalls you would recommend.

I have been using computers now for 31 years and I guess I became blasé, as this is my first ever virus and it has certainly given me the kick up the ass I require in becoming more backup savvy.

Thank you for your advice and for taking the time to get back to me! Cheers

The reboot shouldn’t cause the virus to kick in again and reinfect the MBR if it was only the MBR rootkit present. You also said “I am now frightened to press Fix in case it reboots me to the previous state” and you later downloaded and ran TDSSKiller. So I don’t see where you ran aswMBR and clicked the Fix option; confused.

The aswMBR log you posted doesn’t show the presence of an MBR rootkit, but the default MBR:

02:27:23.038 Disk 0 Windows 7 default MBR code

So it looks like you are clear of that TDL4 rootkit according to the aswMBR log. Are you getting any further detections or symptoms?

The information on bleepingcomputer.com is going to state different information, as it isn’t a guided tutorial but one that you are doing on your own without guidance. So installing/uninstalling random applications could complicate the issue.

Are your Start programs missing? Or did you set them hidden?

Download Unhide.exe to your desktop and run it.

THEN

Download RogueKiller to your desktop

• Quit all running programs
• For Vista/Seven, right click → Run as administrator; for XP simply run RogueKiller.exe
• When prompted, type 6 and validate
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next reply.

In response to your reply David:

"The reboot shouldn’t cause the virus to kick in again and reinfect the MBR if it was only the MBR rootkit present. You also said “I am now frightened to press Fix in case it reboots me to the previous state” and you later downloaded and ran TDSSKiller. So I don’t see where you ran aswMBR and clicked the Fix option; confused.

The aswMBR log you posted doesn’t show the presence of an MBR rootkit, but the default MBR."

The first time I ran aswMBR.exe it detected the rootkit. When I hit Fix, the computer went black and went to reboot. At this stage I had to again reinstall from the advanced repair options, as the computer would not boot because the boot sequence was once again missing. Once the reinstall was complete, I again downloaded a fresh copy of aswMBR and checked to see if the fresh install had cleared the infection, but alas, the rootkit was still present. I did not want to hit Fix again. I reread the post by essexboy, which did not say to press Fix, so I googled for additional advice.

The advice I then found suggested downloading tdsskiller.exe, and I figured at this stage it was worth the risk. TDSSKiller removed the rootkit, and after a reboot aswMBR.exe showed the log which I pasted here (the one you are referring to as clean).

Does that make more sense?

Yes, that now makes sense.

Hi essexboy, many thanks for your reply. I believe that since the full clean install, the program files are by default set to hidden. All appears to be stable and functioning correctly.

RogueKiller V5.2.3 [06/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: TinklePump [Admin rights]
Mode: Shortcuts HJfix – Date : 06/18/2011 22:58:39

Bad processes: 1
[SUSP PATH] PLFSetI.exe – c:\windows\plfseti.exe → KILLED

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 2 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 68 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 31 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume3 – 0x3 → Restored
[D:] \Device\CdRom0 – 0x5 → Skipped
[E:] \Device\HarddiskVolume4 – 0x2 → Restored

Finished : << RKreport[1].txt >>
RKreport[1].txt

Many thanks!

OK, looks good, but for all reading this, be advised that I do not use Fix with aswMBR on a Windows 7 64-bit system, as in about 1 in 30 cases the system fails to boot to normal mode. All other Windows versions have no problem.

Thanks for that. I presume that you have reported your experience up the chain.

Is that the same for the Fix and FixMBR options with Win7 x64?

GMER has been informed, but as it appears to be random I feel it is just a system-specific element as opposed to a program problem.

FixMBR works OK.

Thanks.