TDL4 Infection, TDSSKiller, MBR Rootkit


This topic is locked. 7 replies to this topic.

#1 cheebster

  • Members
  • 9 posts

Posted 07 September 2010 - 10:32 AM

*** Note - This is a double post, as I originally posted in the wrong forum ***

Hi. I had a PC infected with TDL4, which ComboFix detected (none of the other apps I've tried, including MBAM, SAS, ESET, Avira, and many others, found it). The GMER MBR rootkit detection tool included in ComboFix found the rootkit in the MBR. To fix it, I used TDSSKiller, which found and 'cured' it.

However, on reboot, the computer is in a reboot loop. Safe mode won't boot up either.

The computer is running Win7 32-bit. I've tried doing a recovery using 'Repair my computer' from the boot CD; it won't work.

What did TDSSKiller mess with, only the MBR (since it's the only place it found something about the TDL4 rootkit)?

I'm wondering what the options are here to get this box working. Thanks for any advice!

BTW, the issue was redirections in any web browser to stop-malware-website.com!


#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Location:Romania

Posted 10 September 2010 - 01:59 PM

Hi, and sorry for the delay.

Can you remember what TDSSKiller detected? A file in the Drivers folder or an infected MBR?

Can you also let me know at which point your computer reboots? Do you still see the Windows splash screen?

Do you have your Windows DVD?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft


#3 cheebster


Posted 12 September 2010 - 10:04 PM

Hi there. I do see 'Starting Windows' but it doesn't go further. It was an infected MBR with TDL4.

Combofix also saw it but couldn't fix it.

I can hit F8 for safe mode; it won't boot.

I've tried a repair install using the Windows DVD, won't do the job either.

Guess I'm good for a clean install, eh? :)

#4 Elise

Posted 13 September 2010 - 02:27 AM

Not yet. :)

Please follow the steps here to get at the Command Prompt.

Type bootrec /fixmbr and press Enter.

Note - if you are using drive encryption, do nothing, but post back here.

regards, Elise
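For context on the bootrec /fixmbr step above: that command rewrites the boot code portion of the MBR and leaves the partition table in place, so after a rootkit repair it is worth inspecting both parts separately. The following is an added example, not code from this thread, from TDSSKiller or from bootrec: a small Python routine that parses a 512-byte MBR dump, hashes the boot code for comparison against a known-good baseline and lists the partition entries. The sample sector, disk signature and baseline hash are constructed here rather than taken from a real disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # boot code portion; bootrec /fixmbr rewrites this region
PART_TABLE_OFF = 446  # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code hash, disk signature and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:   # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack("<I", sector[440:444])[0],
            "partitions": parts}

def check_mbr(sector: bytes, known_good_sha256: str) -> dict:
    """Compare the boot code against a trusted baseline hash and report whether
    the partition table still carries an active (bootable) entry."""
    info = parse_mbr(sector)
    info["boot_code_matches_baseline"] = info["boot_code_sha256"] == known_good_sha256
    info["has_active_partition"] = any(p["bootable"] for p in info["partitions"])
    return info

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not a real disk image): the given boot code plus
    one active NTFS (type 0x07) partition starting at LBA 2048."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = struct.pack("<I", 0x1234ABCD)
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)

# Constructed stand-in for known-good boot code; a real baseline would be the hash of
# the MBR as written by the OS installer or bootrec, captured on a clean machine.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
```

On a live system the 512-byte input would come from a raw read of sector 0 of the boot disk; a boot code hash that differs from the baseline while the partition table is unchanged is exactly the pattern an MBR rootkit leaves behind.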


#5 cheebster


Posted 16 September 2010 - 12:30 PM

Hi. Sorry for the long delay. bootrec /fixmbr doesn't work; I just tried it.

The system gets to the 'Starting Windows' part, then it reboots. Safe mode no go either.

#6 Elise


Posted 16 September 2010 - 01:09 PM

Do you happen to own an XP CD? If so, we might be able to get a few more details of what is happening here.

regards, Elise



#7 Elise


Posted 20 September 2010 - 05:40 AM

Hi, are you still there?

regards, Elise



#8 Elise


Posted 27 September 2010 - 05:47 AM

Due to lack of feedback, this topic will now be closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise
