Author Topic: TDL 4. Is it there or a misread by ComboFix?  (Read 23858 times)


ss10000

  • Guest
TDL 4. Is it there or a misread by ComboFix?
« on: July 15, 2011, 10:13:20 PM »
ComboFix detected TDL4 as long as the second run (the reboot to fix TDL4) was in safe mode. It couldn't finish its second run in normal mode. But TDSSKiller cannot detect it. Hitman detected the MBO.exe trojan, but cannot delete it. I deleted it manually, but another file, MBO without .exe, came back after reboot.

Somebody asked me to upload the master boot file and told me that it was normal and ComboFix misread it.

My PC cannot read the volumes of CDs correctly, and somebody said the CDs may be the culprit.

What do you think?

Thank you in advance.

ss10000

psw

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #1 on: July 15, 2011, 10:26:01 PM »
Quote from: essexboy

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double-click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click save log, save it to your desktop and post it in your next reply.



Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #2 on: July 16, 2011, 01:00:07 AM »
Quote from: ss10000
ComboFix detected TDL4 as long as the second run (the reboot to fix TDL4) was in safe mode.

Why did you run ComboFix? Have you read the warnings that ComboFix popped up?
You should not run ComboFix unless you are specifically asked to by a helper.


> Please read this topic:
http://www.bleepingcomputer.com/forums/topic273628.html
also read:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



> then attach here logs:
C:\ComboFix.txt
C:\Qoobox\ComboFix-quarantined-files.txt


> also run aswMBR tool as instructed above.

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #3 on: July 19, 2011, 02:19:43 PM »
Thank you very much. I was out of town over the weekend. I will follow your instructions and reply with log files. Thank you again.

ss10000

ump001

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #4 on: July 19, 2011, 08:13:38 PM »
Nothing is clearing this up. Here is my log file.

aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
Run date: 2011-07-19 13:02:48
-----------------------------
13:02:48.781    OS Version: Windows 5.1.2600 Service Pack 2
13:02:48.781    Number of processors: 1 586 0x2F00
13:02:48.781    ComputerName: YOUR-55E5F9E3D2  UserName:
13:02:49.625    Initialize success
13:02:49.734    AVAST engine defs: 11070401
13:02:53.218    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
13:02:53.218    Disk 0 Vendor: ST3250823AS 3.03 Size: 238475MB BusType: 3
13:02:53.234    Disk 0 MBR read successfully
13:02:53.234    Disk 0 MBR scan
13:02:53.234    Disk 0 unknown MBR code
13:02:53.250    Disk 0 scanning sectors +488376000
13:02:53.328    Disk 0 scanning C:\WINDOWS\system32\drivers
13:02:59.671    Service scanning
13:03:00.859    Disk 0 trace - called modules:
13:03:00.859    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:03:00.859    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84bc8440]
13:03:00.859    3 CLASSPNP.SYS[f751105b] -> nt!IofCallDriver -> \Device\0000005d[0x84b74f18]
13:03:00.859    5 ACPI.sys[f73a7620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x84b2ad98]
13:03:01.468    AVAST engine scan C:\WINDOWS
13:03:11.750    AVAST engine scan C:\WINDOWS\system32
13:04:27.515    AVAST engine scan C:\WINDOWS\system32\drivers
13:04:36.687    AVAST engine scan C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001
13:05:25.640    AVAST engine scan C:\Documents and Settings\All Users
13:06:47.812    Scan finished successfully
13:06:57.343    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001\Desktop\MBR.dat"
13:06:57.343    The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001\Desktop\aswMBR.txt"
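An added example, not part of the original thread and not aswMBR's own code: a small Python triage parser for the log format posted above. It pulls out the engine version, the per-disk events, the called-module trace, and flags "unknown MBR code" as a finding to verify against a known-good copy of the saved MBR.dat; the line layout and the triage rule are assumptions drawn from this one sample.

```python
import re

# Constructed sample, shaped after the aswMBR 0.9.7.777 log posted above.
SAMPLE_LOG = """\
aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
-----------------------------
13:02:53.234    Disk 0 MBR read successfully
13:02:53.234    Disk 0 MBR scan
13:02:53.234    Disk 0 unknown MBR code
13:03:00.859    Disk 0 trace - called modules:
13:03:00.859    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:06:47.812    Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
DISK_RE = re.compile(r"^Disk (\d+) (.*)$")
# Assumed triage rule: these per-disk events deserve a follow-up, not a verdict.
FINDING_EVENTS = {"unknown MBR code"}

def parse_aswmbr_log(text):
    """Return version, per-disk events, the called-module trace and flagged findings."""
    report = {"version": None, "disks": {}, "trace_modules": [], "findings": []}
    expect_modules = False  # module list follows the "trace - called modules:" line
    for raw in text.splitlines():
        if raw.startswith("aswMBR version "):
            report["version"] = raw.split()[2]
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # run date, separator or blank line
        ts, msg = m.groups()
        if expect_modules:
            report["trace_modules"] = msg.split()
            expect_modules = False
            continue
        d = DISK_RE.match(msg)
        if not d:
            continue  # engine scan progress lines etc.
        disk, event = d.groups()
        report["disks"].setdefault(disk, []).append(event)
        if event in FINDING_EVENTS:
            report["findings"].append((ts, f"Disk {disk}: {event}"))
        elif event.startswith("trace - called modules"):
            expect_modules = True
    return report

def triage(report):
    """'review' if any finding: diff the saved MBR.dat against a known-good MBR."""
    return "review" if report["findings"] else "no-finding"
```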



com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #5 on: July 22, 2011, 10:18:34 AM »
@psw
First, aswMBR is only meant for MBR rootkits and not for TDL4. Do not throw tools when you don't know their use, please.
@ss10000
Try removing the TDL4 rootkit via Kaspersky TDSSKiller.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    THEN

    Download MBAM from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    Post the MBAM and TDSS logs in your next comment.





« Last Edit: July 22, 2011, 10:35:41 AM by com155 »

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #6 on: July 22, 2011, 10:23:05 AM »
Quote from: com155
@psw
First, aswMBR is only meant for MBR rootkits and not for TDL4. Do not throw tools when you don't know their use, please.
@ump001
Try removing the TDL4 rootkit via Kaspersky TDSSKiller.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    THEN

    Download MBAM from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    Post the MBAM and TDSS logs in your next comment.

Obviously YOU don't know aswMBR's use.
TDSSKiller is used in cases of a TDL-3 infection, btw.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #7 on: July 22, 2011, 10:39:38 AM »
@psw
Here is the info that I was pointing out to you. TDSSKiller is used for TDL4 and TDL3. Read it carefully.
http://support.kaspersky.com/viruses/solutions?qid=208280684

Hard_ROCKER

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #8 on: July 22, 2011, 10:46:29 AM »
You are claiming that TDL4 doesn't infect the MBR? Obviously it does, and if you do a simple Google search you will come to the same conclusion. It's time to report you to the mods *yet again*.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #9 on: July 22, 2011, 10:49:37 AM »
Quote from: com155
First, aswMBR is only meant for MBR rootkits and not for TDL4. Do not throw tools when you don't know their use, please.
naaaaaa.... you would never do that, com155


and yes all this mumbo jumbo should be deleted...
« Last Edit: July 22, 2011, 12:08:04 PM by Pondus »

com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #10 on: July 22, 2011, 10:50:07 AM »
@darth mikey
Oh, I just wanted to say to him not to throw tools that don't solve the problem :'( :'( I will report you for harassing!!!

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #11 on: July 22, 2011, 10:53:18 AM »
Quote from: com155
@psw
Here is the info that I was pointing out to you. TDSSKiller is used for TDL4 and TDL3. Read it carefully.
http://support.kaspersky.com/viruses/solutions?qid=208280684

TDL-4 can be cured by aswMBR, no need to use TDSSKiller. Only in cases of TDL-3 infections is TDSSKiller used, I repeat.


@Pondus

Mabo Jambo? ;D May I ask what "majo jambo" is? :)
« Last Edit: July 22, 2011, 10:55:22 AM by Left123 »
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #12 on: July 22, 2011, 10:55:47 AM »
Well, case closed, everybody is saying different things... all mambo jambo!!! ;D ;D ;D

"aswmbr": "MBR" is in the name... better pay attention here!!!
« Last Edit: July 22, 2011, 11:01:06 AM by com155 »

com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #13 on: July 22, 2011, 10:58:48 AM »
If GMER removes TDL1 and TDL2, then TDSSKiller kills TDL3 and TDL4... it's understood even if it is not written there: http://support.kaspersky.com/viruses/solutions?qid=208280684

Well, as I said, case closed!!!
« Last Edit: July 22, 2011, 11:01:36 AM by com155 »

Hard_ROCKER

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #14 on: July 22, 2011, 11:19:44 AM »
Quote from: com155
@darth mikey
Oh, I just wanted to say to him not to throw tools that don't solve the problem :'( :'( I will report you for harassing!!!

And you should follow that advice yourself, you obviously don't know wth you are posting. Besides, my reply had nothing to do with that statement, I only pointed out that TDL4 does indeed infect the MBR, and if you were such an expert as you claim to be you would already know that. It's quite obvious you don't know how aswMBR works and what it is used for. Left123 already informed you that it is indeed used for TDL4 infections, and you keep banging on that it is not when you are clearly mistaken. BTW, the only mumbo jumbo that is posted here is by YOU, which is why you keep getting reported to the mods. Now please go ahead and report my post, the little good it will do you.  ::)

Quote from: com155
Well, case closed, everybody is saying different things... all mambo jambo!!! ;D ;D ;D

"aswmbr": "MBR" is in the name... better pay attention here!!!

What are you smoking? Must be some strong stuff indeed.  ::) You are claiming that aswMBR is not used for cleaning TDL4 infections, and the rest of us are telling you that it is. And again, TDL4 DOES INDEED INFECT the MBR, why can't you get that through your thick skull? As I already suggested to you, do a Google search on TDL4 and you will come to the same conclusion. Now who needs to pay attention here, huh?

« Last Edit: July 22, 2011, 11:23:08 AM by Darth.Mikey »