TDL 4. Is it there or a misread by ComboFix?

ComboFix detected TDL4 as long as the second run (the reboot to fix TDL4) was in safe mode. It couldn’t finish its second run in normal mode. But TDSSKiller cannot detect it. Hitman detected MBO.exe trojan, but cannot delete it. I deleted it manually, but another file MBO without .exe came back after reboot.

Somebody asked me to upload master boot file and told me that was normal and combofix misread.

My PC cannot read the volumes of CDs correctly and somebody said the CDs may be the culprit.

What do you think?

Thank you in advance.

ss10000

Why did you run ComboFix? Have you read the warnings that ComboFix popped up?
You should not run ComboFix unless you are specifically asked to by a helper.

Please read this topic:
http://www.bleepingcomputer.com/forums/topic273628.html
also read:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Then attach here the logs:
C:\ComboFix.txt
C:\Qoobox\ComboFix-quarantined-files.txt

Also run the aswMBR tool as instructed above.

Thank you very much. I was out of town over the weekend. I will follow your instructions and reply with log files. Thank you again.

ss10000

Nothing is clearing this up. Here is my log file.

aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
Run date: 2011-07-19 13:02:48

13:02:48.781 OS Version: Windows 5.1.2600 Service Pack 2
13:02:48.781 Number of processors: 1 586 0x2F00
13:02:48.781 ComputerName: YOUR-55E5F9E3D2 UserName:
13:02:49.625 Initialize success
13:02:49.734 AVAST engine defs: 11070401
13:02:53.218 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-7
13:02:53.218 Disk 0 Vendor: ST3250823AS 3.03 Size: 238475MB BusType: 3
13:02:53.234 Disk 0 MBR read successfully
13:02:53.234 Disk 0 MBR scan
13:02:53.234 Disk 0 unknown MBR code
13:02:53.250 Disk 0 scanning sectors +488376000
13:02:53.328 Disk 0 scanning C:\WINDOWS\system32\drivers
13:02:59.671 Service scanning
13:03:00.859 Disk 0 trace - called modules:
13:03:00.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:03:00.859 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84bc8440]
13:03:00.859 3 CLASSPNP.SYS[f751105b] → nt!IofCallDriver → \Device\0000005d[0x84b74f18]
13:03:00.859 5 ACPI.sys[f73a7620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-7[0x84b2ad98]
13:03:01.468 AVAST engine scan C:\WINDOWS
13:03:11.750 AVAST engine scan C:\WINDOWS\system32
13:04:27.515 AVAST engine scan C:\WINDOWS\system32\drivers
13:04:36.687 AVAST engine scan C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001
13:05:25.640 AVAST engine scan C:\Documents and Settings\All Users
13:06:47.812 Scan finished successfully
13:06:57.343 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001\Desktop\MBR.dat”
13:06:57.343 The log file has been saved successfully to “C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001\Desktop\aswMBR.txt”
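The log above shows aswMBR saving the raw MBR to MBR.dat and scanning sectors from +488376000 on a 238475 MB disk. As an added example (not from this thread or from aswMBR), here is a small Python triage script that parses such a 512-byte MBR dump: it checks the boot signature, lists the partition table, compares the boot code against a known-good hash you supply, and reports how many sectors lie beyond the last partition. The sample MBR it builds is constructed; the disk size and scan offset are taken from the log, but the actual partition layout of that PC is not on the page.

```python
import hashlib
import struct
from typing import Optional

SECTOR = 512
# Constructed from the log above: 238475 MB in 512-byte sectors, and the
# +488376000 offset where aswMBR began scanning. Real layout is an assumption.
DISK_SECTORS = 238475 * 2048        # 488396800
SCAN_START = 488376000

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR dump (such as aswMBR's MBR.dat) into its parts."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:  # type 0 marks an empty slot
            parts.append({"index": i, "status": status, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "signature_ok": mbr[510:] == b"\x55\xAA", "partitions": parts}

def mbr_findings(mbr: bytes, disk_sectors: int, baseline_sha256: Optional[str] = None) -> list:
    """Return the anomalies a triager would want to see for this dump."""
    info = parse_mbr(mbr)
    out = []
    if not info["signature_ok"]:
        out.append("missing 0x55AA boot signature")
    if baseline_sha256 and info["boot_code_sha256"] != baseline_sha256:
        out.append("boot code differs from the known-good baseline")
    last_end = 0
    for p in info["partitions"]:
        end = p["lba_start"] + p["sectors"]
        if p["status"] not in (0x00, 0x80):
            out.append(f"partition {p['index']}: invalid status byte {p['status']:#x}")
        if end > disk_sectors:
            out.append(f"partition {p['index']}: extends past end of disk")
        last_end = max(last_end, end)
    tail = disk_sectors - last_end
    if tail > 2048:  # more than 1 MiB of sectors after the last partition
        out.append(f"{tail} unallocated sectors after last partition (from LBA {last_end})")
    return out

def build_sample_mbr() -> bytes:
    """Constructed MBR: NOP-filled boot code, one NTFS partition ending at SCAN_START."""
    mbr = bytearray(b"\x90" * 440) + bytearray(6)   # boot code + disk id/reserved
    mbr += struct.pack("<B3xB3xII", 0x80, 0x07, 63, SCAN_START - 63) + bytes(48)
    return bytes(mbr + b"\x55\xAA")

if __name__ == "__main__":
    for line in mbr_findings(build_sample_mbr(), DISK_SECTORS):
        print(line)
```

Read a real dump with `open("MBR.dat", "rb").read()` and pass the sector count from your own disk; the baseline hash should come from a dump taken while the machine was known clean.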

@psw
First, aswMBR is only meant for MBR rootkits and not for TDL4. Do not throw tools around when you don't know their use, please.
@ss10000
Try removing the TDL4 rootkit via Kaspersky TDSSKiller.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop.
3. Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

4. If an infected file is detected, the default action will be Cure; click on Continue.

http://support.kaspersky.com/images/support_new/2663-2-eng.png

5. If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

6. It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

7. If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
8. If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

http://support.kaspersky.com/images/support_new/2663_3_en.png

THEN

Download MBAM from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Post the MBAM and TDSS logs in your next comment.

Obviously YOU don’t know aswMBR’s use.
TDSSKiller is used in cases of a TDL-3 infection, btw.

@psw
Here is the info that I was pointing out to you. TDSSKiller is used for TDL4 and TDL3. Read it carefully.
http://support.kaspersky.com/viruses/solutions?qid=208280684

You are claiming that TDL4 doesn’t infect the MBR ? Obviously it does and if you do a simple google search you will come to the same conclusion. It’s time to report you to the mods yet again.

Quote from com155:

First, aswMBR is only meant for MBR rootkits and not for TDL4. Do not throw tools around when you don't know their use, please.

Naaaaaa.... you would never do that, com155.

and yes all this mumbo jumbo should be deleted…

@darth mikey
Oh, I just wanted to say to him not to throw tools around that don't solve the problem. :‘( :’( I will report you for harassing!!!

TDL-4 can be cured by aswMBR, no need to use TDSSKiller. Only in cases of TDL-3 infections is TDSSKiller used, I repeat.

@Pondus

Mabo Jambo? ;D May I ask what “majo jambo” is? :slight_smile:

Well, case closed. Everybody is saying different things… all mambo jambo!!! ;D ;D ;D

“aswmbr” has “MBR” in the name… better pay attention here!!!

If GMER removes TDL1 and TDL2, then TDSSKiller kills TDL3 and TDL4… it's understood even if it is not written there: http://support.kaspersky.com/viruses/solutions?qid=208280684

Well, as I said, case closed!!!

And you should follow that advice yourself; you obviously don’t know wth you are posting. Besides, my reply had nothing to do with that statement, I only pointed out that TDL4 does indeed infect the MBR, and if you were such an expert as you claim to be you would already know that. It’s quite obvious you don’t know how aswMBR works and what it is used for. Left123 already informed you that it is indeed used for TDL4 infections and you keep banging on that it is not when you are clearly mistaken. BTW the only mumbo jumbo that is posted here is by YOU, which is why you keep getting reported to the mods. Now please go ahead and report my post, the little good it will do you. :slight_smile:

What are you smoking, must be some strong stuff indeed? :slight_smile: You are claiming that aswMBR is not used for cleaning TDL4 infections and the rest of us are telling you that it is. And again, TDL4 DOES INDEED INFECT the MBR, why can’t you get that through your thick skull? As I already suggested to you, do a Google search on TDL4 and you will come to the same conclusion. Now who needs to pay attention here, huh?

I certainly… ;D ;D ;D… sorry and thanks for that info… another suggestion that was needed for a malware remover… thanks!!! ;D ;D ;D

you say you are training at Bleepingcomputer!

Then maybe you should look at this TDL4 removal from Bleepingcomputer… using aswMBR :wink:
http://www.bleepingcomputer.com/forums/topic390804.html

If he is indeed training at bleepingcomputer or geekstogo then he really needs to read their rules, because they do not allow their trainees to provide malware removal advice before they’ve completed their training. :slight_smile:

Sorry, will keep a note… "Note: aswMBR removed TDL4 rootkits." Hmmmm… :frowning:

@com155
I warned you not to use tools if you do not know how to use them.
Know this:
aswMBR is able to detect known TDL4 and known and unknown sector infections, known as MBR rootkits.

Also please read:

ComboFix detected TDL4

@ss10000
You should follow my instructions. I asked for the ComboFix reports.
If you ran TDSSKiller, you should attach the report.

My guess is that you no longer have Google redirections…
If you have Google redirects, follow my instructions.
If you don't have Google redirects, please remove the malware removal tools!

Start >> Run

Combofix /Uninstall

Enter

Also:
http://forums.majorgeeks.com/showthread.php?t=31668