TDL4 found, but unable to fix with aswMBR

I downloaded aswMBR to try to remove the TDL4 rootkit from my system, but after the scan completes the only option is to FixMBR; the Fix button is greyed out. I'm not sure how to proceed from here. I have run MBAM and OTS; logs from all three attached.

Have you tried an Avast boot-time scan and Malwarebytes in Safe Mode? Also, you can try the ESET Online Scanner.

http://www.malwarecity.com/blog/free-removal-tool-for-tdl4-available-now-1106.html

Avast and Malwarebytes will not remove this... and Malwarebytes works best in normal mode.

Essexboy will fix this when he arrives :wink:

Hi, it appears that aswMBR is unable to find the original MBR, which is why the fix is greyed out.

So let's see what the MBR problem is.

Download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

[quote]Enter 'Y' and hit ENTER for more options, or 'N' to exit:[/quote]

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

MBRCheck found infected or nonstandard MBR, log attached.

Ah, OK, it is not on the main boot drive: PhysicalDrive1, Unknown MBR code.

So let's use a different tool.

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version][Date][Time]_log.txt". Please copy and paste the contents of that file here.

2011/07/27 13:05:37.0591 3972 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/27 13:05:38.0254 3972 ================================================================================
2011/07/27 13:05:38.0254 3972 SystemInfo:
2011/07/27 13:05:38.0254 3972
2011/07/27 13:05:38.0254 3972 OS Version: 6.1.7600 ServicePack: 0.0
2011/07/27 13:05:38.0254 3972 Product type: Workstation
2011/07/27 13:05:38.0255 3972 ComputerName: HOGWARTS
2011/07/27 13:05:38.0256 3972 UserName: Jessica
2011/07/27 13:05:38.0256 3972 Windows directory: C:\Windows
2011/07/27 13:05:38.0256 3972 System windows directory: C:\Windows
2011/07/27 13:05:38.0256 3972 Processor architecture: Intel x86
2011/07/27 13:05:38.0256 3972 Number of processors: 2
2011/07/27 13:05:38.0256 3972 Page size: 0x1000
2011/07/27 13:05:38.0256 3972 Boot type: Normal boot
2011/07/27 13:05:38.0257 3972 ================================================================================
2011/07/27 13:05:39.0223 3972 Initialize success
2011/07/27 13:05:46.0121 3036 ================================================================================
2011/07/27 13:05:46.0121 3036 Scan started
2011/07/27 13:05:46.0121 3036 Mode: Manual;
2011/07/27 13:05:46.0121 3036 ================================================================================
2011/07/27 13:05:52.0128 3036 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/07/27 13:05:52.0140 3036 Boot (0x1200) (f7384a6b615ac1373b6009d77365cfd5) \Device\Harddisk0\DR0\Partition0
2011/07/27 13:05:52.0163 3036 Boot (0x1200) (fcfdec96807303cff0ce35223fa27023) \Device\Harddisk0\DR0\Partition1
2011/07/27 13:05:52.0187 3036 Boot (0x1200) (463ba264bb97492fa2d7866dd6536d09) \Device\Harddisk0\DR0\Partition2
2011/07/27 13:05:52.0212 3036 Boot (0x1200) (f07b1cf4a9e367a1774887dac01ab7be) \Device\Harddisk0\DR0\Partition3
2011/07/27 13:05:52.0218 3036 ================================================================================
2011/07/27 13:05:52.0218 3036 Scan finished
2011/07/27 13:05:52.0218 3036 ================================================================================
2011/07/27 13:05:52.0233 2528 Detected object count: 0
2011/07/27 13:05:52.0233 2528 Actual detected object count: 0
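For anyone reading this later and wondering what the two tools are actually reporting: MBRCheck's "Unknown MBR code" and TDSSKiller's "MBR (0x1B8) (md5) \Device\Harddisk0\DR0" line both come down to hashing the first 0x1B8 (440) bytes of sector 0, the bootstrap code, and comparing it against known loader code; TDL4 overwrites exactly that region while leaving the partition table alone. The script below is an added example written for this thread, not MBRCheck's or TDSSKiller's own code. It hashes the code region, looks the hash up in an allowlist, and sanity-checks the partition table (boot signature, status bytes, more than one active entry, overlapping entries). Assumptions: the allowlist holds only the MD5 TDSSKiller printed for Harddisk0 in the log above, which the thread treats as the clean Windows 7 drive; the two sample MBRs are constructed, not real disk images; reading a raw device such as \\.\PhysicalDrive1 needs an elevated prompt on Windows.

```python
"""Inspect a 512-byte MBR the way MBRCheck/TDSSKiller summarise it.

Added example for this thread; not MBRCheck's or TDSSKiller's own code.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

MBR_SIZE = 512
CODE_SIZE = 0x1B8        # bootstrap code: the region TDSSKiller's "MBR (0x1B8)" line hashes
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries (disk signature + 2 reserved precede it)
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA

# Known-good bootstrap code hashes. The only entry is the MD5 TDSSKiller printed for
# Harddisk0 (the Windows 7 drive) in the log above, which the thread treats as clean.
# ASSUMPTION: a real allowlist needs an entry for every OS/boot loader you expect.
KNOWN_GOOD_CODE_MD5: Dict[str, str] = {
    "a36c5e4f47e84449ff07ed3517b43a31": "Windows 7 (hash from the thread's TDSSKiller log)",
}


@dataclass
class Partition:
    index: int
    status: int      # 0x80 = active/bootable, 0x00 = inactive, anything else is invalid
    type_id: int     # 0x00 = unused entry, 0x07 = NTFS, ...
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table entries (CHS fields ignored)."""
    parts = []
    for i in range(4):
        status, _chs1, ptype, _chs2, lba, n = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append(Partition(i, status, ptype, lba, n))
    return parts


def check_mbr(mbr: bytes, known: Dict[str, str] = KNOWN_GOOD_CODE_MD5) -> dict:
    """Hash the code region, look it up, and sanity-check the partition table."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    findings: List[str] = []

    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")

    code_md5 = hashlib.md5(mbr[:CODE_SIZE]).hexdigest()
    label: Optional[str] = known.get(code_md5)
    if label is None:
        # The condition MBRCheck reports as "Unknown MBR code".
        findings.append(f"unknown MBR code (md5 {code_md5})")

    parts = parse_partitions(mbr)
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.type_id == 0x00 and (p.status or p.lba_start or p.sectors):
            findings.append(f"entry {p.index}: unused type but non-zero fields")
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one active partition")
    used = sorted((p for p in parts if p.type_id), key=lambda p: p.lba_start)
    for a, b in zip(used, used[1:]):
        if a.lba_start + a.sectors > b.lba_start:
            findings.append(f"entries {a.index} and {b.index} overlap")

    return {"code_md5": code_md5, "known": label, "partitions": parts, "findings": findings}


def build_mbr(code: bytes, entries, disk_sig: bytes = b"\x12\x34\x56\x78",
              boot_sig: bytes = b"\x55\xAA") -> bytes:
    """Assemble a synthetic MBR; entries are (status, type, lba_start, sectors)."""
    code = code.ljust(CODE_SIZE, b"\x00")[:CODE_SIZE]
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in entries)
    return code + disk_sig + b"\x00\x00" + table.ljust(64, b"\x00") + boot_sig


# Constructed samples (not real disk images). SAMPLE_CODE stands in for a clean
# loader; INFECTED_MBR keeps the same partition table but has its code overwritten,
# which is how a bootkit like TDL4 looks to the hash check.
SAMPLE_CODE = bytes((i * 37) & 0xFF for i in range(CODE_SIZE))
SAMPLE_TABLE = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)]
CLEAN_MBR = build_mbr(SAMPLE_CODE, SAMPLE_TABLE)
INFECTED_MBR = build_mbr(b"\xEB\xFE" + b"\x90" * 14, SAMPLE_TABLE)
SAMPLE_ALLOWLIST = {hashlib.md5(SAMPLE_CODE).hexdigest(): "constructed sample loader"}


def read_mbr(device: str) -> bytes:
    # Sector 0 of a raw device, e.g. \\.\PhysicalDrive1 (needs an elevated prompt on Windows).
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    mbr = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else INFECTED_MBR
    r = check_mbr(mbr)
    print("MBR code md5:", r["code_md5"], "->", r["known"] or "UNKNOWN")
    for p in r["partitions"]:
        if p.type_id:
            print(f"  entry {p.index}: {'*' if p.bootable else ' '} type 0x{p.type_id:02x} "
                  f"lba {p.lba_start} sectors {p.sectors}")
    for f in r["findings"]:
        print("  !", f)
```

Run it with no argument to see the constructed infected sample flagged, or pass a raw device path from an elevated prompt to hash a real drive; an unknown hash on its own only says the code is not on your allowlist, so extend KNOWN_GOOD_CODE_MD5 with hashes taken from drives you know are clean before reading too much into it.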

What do you have on drive 1? Is it bootable?

Drive 1 is bootable, it is my previous OS (Vista) that I no longer use.

Could you first boot to that drive and run TDSSKiller or aswMBR again? (The fix should be available.)

Or we can do it manually using MBRCheck; your choice ;D

aswMBR reported nothing found, TDSSKiller found and cured a file. Log attached.

What problems now?

When I tried to run Avast quickscan I got a bluescreen, but after the system restarted quickscan was able to complete and shows no threat found. I think we may have gotten it. Thank you so much for your help.

Maybe not, but Bitdefender (re malwarecity.com, my link above) will remove TDL4. Also HitmanPro 3 will.
If someone's got one rootkit installed they could have more, and also other things, so it's always a good idea to do a boot-time scan. I use Malwarebytes in Safe Mode sometimes because it found things that didn't show up in normal mode.

I would be very wary of running HitmanPro against a TDL infection, as I have had to repair many an unbootable system after it.

Once you are happy, let me know and I will remove my tools.