
TDL4@MBR code has been found


3 replies to this topic

#1 ImBubba
Posted 30 July 2011 - 12:42 AM

HP Media Center Edition Version 2002 Windows XP (SP3), Pentium D (2.8GHz), 1GB RAM, 250 GB HD

Although I am having multiple problems with this computer, neither my anti-virus program (AVG free), nor Malwarebytes AntiMalware, nor SuperAntiSpyware are reporting any problems (though SuperAntiSpyware never gets finished before the system hangs). The symptoms I am having are that the computer will only run for a few minutes after booting up, before it 'seizes up'. This appears to be the result of some process running behind svchost and sucking up memory and cpu. When it 'seizes up' programs which are already running go "not responding" and I cannot launch anything else. I mean, when I click on a shortcut icon on the desktop, the hourglass appears as if it is going to launch the requested program, but the program never launches ... this includes Ctrl-Alt-Delete to invoke the Task Manager, and clicking on the Start button to do a shutdown. The hourglass shows up then goes away and nothing happens! Before the system grinds to a halt I have a few minutes to get in and run a diagnostic or two, but if I have to Google something on the Internet, more often than not my browser (IE8) gets hijacked and I end up looking at something other than what I was looking for (though I have found that if I open another browser tab I can often get where I need to go). When the system stops responding I'm dead in the water and can do nothing but hold the power button down until its lights go out. I give it a minute or two and press the power button again to reboot.

I read in these fora that if I wanted help I should do some up front work first ... like getting and running Defogger.exe, DDS.scr, and GMER ... and so I have. I had to download these programs to another computer and copy them to a USB flash drive and sneaker-net them over to my sick computer, boot it up, and hurry to get the programs onto the sick computer's desktop before it died. Once the programs were in place I ran each in the recommended order. Sometimes the computer would "seize up" before a program could complete and I would have to reboot and start that program over again.

Defogger reported that it ran successfully and disabled the firewall. DDS.scr produced a DDS.txt file which I saved and can post if requested to, but it did NOT create the expected ATTACH.txt file. GMER was an eye opener! At the beginning of the GMER scan it produced a message that said that "GMER has detected modifications that look like rootkit activity". At the end of the scan it reported "WARNING GMER has found modifications caused by rootkit activity". In between, during the scan there was a line which said, "TDL4@MBR code has been found" and indicated that it was on Disk Device Harddisk0\DR0 sector 00: rootkit-like behavior. By the time GMER had finished its scan and produced its report, the system was not launching any more programs and just did nothing when I clicked on GMER's 'Save' button to save its report. I rebooted and quickly ran GMER again and this time clicked the 'Save' button just after I saw that it had encountered the MBR rootkit ... I hit 'Save' before GMER finished, thinking that saving something was better than not being able to save anything at all. It required another boot, but I was able to copy the few logs that I captured to the USB flash drive and sneaker-net it back to my good computer from which I am sending this request for help.

Thanks in advance for whatever direction and assistance you can provide me with.

ImBubba
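The GMER line quoted in the post above reports rootkit-like code in sector 00 of Harddisk0, which is the Master Boot Record: the first 440 bytes of that sector are bootstrap code that runs before Windows, and a bootkit such as TDL4 works by replacing them. As an added example that is not part of this thread and is not code from GMER or TDSSKiller, the Python script below parses a 512-byte MBR image, checks its 0x55AA boot signature and partition table, and compares the SHA-256 of the bootstrap code against a known-good baseline, which is the simplest form of the integrity check a rootkit scanner performs. The sample MBR bytes and the baseline hash are constructed for the demo; reading the real sector 0 of a disk (for example from a raw image taken with a forensic tool) is assumed to happen outside this script.

```python
"""Parse a 512-byte Master Boot Record and check it against a known-good baseline.

Added example, not from the BleepingComputer thread, GMER or TDSSKiller.
The sample MBR contents below are constructed for the demo and contain no
real boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440          # classic MBR layout: bootstrap code comes first
PART_TABLE_OFFSET = 446      # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a synthetic MBR with the given bootstrap code and one bootable NTFS partition."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"  # 4-byte disk signature + 2 reserved bytes
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 488392002)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)  # remaining three entries empty
    mbr = code + disk_sig + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields of one MBR sector into a dictionary."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:  # type 0 means the slot is unused
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


# Constructed clean and tampered bootstrap blobs (placeholders, not real boot code).
CLEAN_CODE = b"\xEB\x3C\x90CLEAN-BOOTSTRAP-STUB"
TAMPERED_CODE = b"\xEB\x3C\x90MODIFIED-BOOTSTRAP-STUB"
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_CODE)
# The baseline would normally be recorded from a known-clean machine; here it is
# taken from the constructed clean sample.
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]

if __name__ == "__main__":
    print("clean sample:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered sample:", check_mbr(TAMPERED_MBR, BASELINE))
```

The hash covers only the bootstrap bytes, not the disk signature or partition table, so a legitimate repartitioning does not trigger the baseline mismatch while a rewritten boot code does; a scanner that also detects hooks in the disk driver, as GMER does, can catch a rootkit that hides the modified sector from a normal read, which a plain file read of the device cannot.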


#2 quietman7

Posted 30 July 2011 - 06:29 AM

DDS logs are not permitted in this forum. The Malware Response Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. Referrals are made to the Virus, Trojan, Spyware, and Malware Removal Logs forum if we cannot assist you here and we need to use more powerful tools or you don't mind waiting.

If you do not mind waiting and want someone to check your system thoroughly, then please start a new topic and post your log in the above forum, NOT here.

If you want to try disinfection in this forum first, continue as follows:

Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Step 7 instructs you to scan your computer using Malwarebytes Anti-Malware. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware as you may need to rename it or use RKill by Grinler.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 ImBubba

Posted 31 July 2011 - 03:10 AM

Thank you very much for the self-help information ... it worked a charm! I had to use a second computer to download the fix to a USB flash drive, rename it, and sneaker-net it over to the sick computer. I copied it to the desktop and ran it. It found one item and recommended 'Cure'. I accepted the recommendation and re-booted when requested and ... ba-da-bing ... the problem was gone! I proved that by firing up MalwareBytes antimalware, updating it, and running it to completion ... CLEAN ... twice! It has been a very long time since that computer could launch ANY programs that long after a reboot. It is faithfully launching everything I ask it to now. My browser hasn't been redirected again, either, and I've been giving it a workout.

This item can be closed. Thank you VERY MUCH!

ImBubba

#4 quietman7

Posted 31 July 2011 - 07:28 AM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all security updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. When necessary, Microsoft releases security updates on the second Tuesday of each month and publishes Security update bulletins to announce and describe the update. If you're not sure how to install updates, please refer to Updating your computer. Microsoft also recommends Internet Explorer 6 and 7 users to upgrade their browsers due to security vulnerabilities which can be exploited by hackers.

Avoid gaming sites, porn sites, pirated software (warez), cracking tools, and keygens. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS.

Avoid peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare). They too are a security risk which can make your computer susceptible to malware infections. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware. For more specific information on how these types of rogue programs install themselves and spread infections, read How Malware Spreads - How did I get infected.

Keeping Autorun enabled on flash drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. One in every eight malware attacks occurs via a USB device. Many security experts recommend you disable Autorun as a method of prevention. Microsoft recommends doing the same.

Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.

Always update vulnerable software like browsers, Adobe Reader, Adobe Flash Player and Java Runtime Environment (JRE) with the latest security patches. Older versions of these programs have vulnerabilities that malicious sites can use to exploit and infect your system and vendors regularly issue Security bulletins and advisories.

Use strong passwords and change them anytime you encounter a malware infection, especially if the computer was used for online banking, paying bills, has credit card information or other sensitive data on it. This would include any used for taxes, email, eBay, paypal and other online activities. You should consider them to be compromised and change all passwords immediately as a precaution in case an attacker was able to steal your information when the computer was infected. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Finally, use common sense; safe computing and safe surfing habits provide the most complete protection.
