I need help getting rid of Troj/TdlMbr-A

December 17, 2010 at 05:00:32
Specs: Windows XP
My Win-XP desktop picked up a virus and froze. On reboot, I got a bluescreen and a message something to the effect of "You may have a virus. Hard drive controller not responding." It was a lot longer and I'm sorry I didn't write down the whole message.

I pulled the drive and connected it externally to a USB port on my laptop via a SATA-USB bridge.
I then used Dr. Web Scanner to find and cure/remove several viruses/trojans.
I ran Sophos to scan both my laptop and the external-connected drive.
Sopho found Troj/TdlMbr-A on PhysicalDrive1.
I checked Windows Disk Management and it says Disk 1 is the external-connected drive.
I don't know if Disk 1 = PhysicalDrive1 (hope so or else my laptop is infected too).

So now I need to remove the trojan and I don't know how. I don't know if it is any help to have it externally connected to my laptop or whether I should re-install it.

Any help/advice/directions/references would be greatly appreciated.


See More: I need help getting rid of Troj/TdlMbr-A

Report •


#1
December 17, 2010 at 12:56:32
Connecting your infected Hdd to other computer is a great idea. Sometimes it's the only way to get rid of really nasty malware. I think you should scan your disk, also your laptop with antispyware software to be sure the infections are gone. Download and install a legitimate anti-spyware software. Choose from alwarebytes antimalware or superantispyware.Download links http://www.pcrisk.com/top-spyware-r... Both are free and does a great job at detecting and removing spyware. Download, install and update before running a full system scan. You may also want to enter safe mode before running a scan. Click Start, click Shut down, click Restart, click Ok. During your computer starting process
press F8 key on your keyboard multiple times until you see Windows Advanced Option menu, then select Safe mode from the list.If above mentioned programs can't detect infections try Hitman Pro, sometimes it can detect infections that other misses.

Report •

#2
December 18, 2010 at 21:21:52
Thanks Thomas, I really appreciate the response. It's helped remove over 700 infected files...

What I did:

After running Dr. Web Scanner on the infected drive (while it was connected to my laptop as an external drive), I reinstalled it in my desktop. In Safe Mode, I installed and ran MalwareBytes, removed what was found, rebooted and ran MalwareBytes again. It said everything was clean.

I ran Firefox and it keeps redirecting to some other pages...

So, in Safe Mode, I installed and ran SuperAntiSpyware. It found ALOT. I removed what was found. Rebooted. Ran SuperAntiSpyware again, it was clean.

Then I ran Firefox again and it still is redirecting. It will take me to the first page I want to go to, but usually the second page is something else... including what looks like a "You've got Viruses!" web page that wants me to install something...

Anyway, it would seem that something is still infecting my system.
Should I uninstall - reinstall Firefox? Or should I do something else?

I guess I can try the HitMan program Thomas suggested.

Any other help in working this out would be fantastic.

UPDATE-- I checked my msconfig and found two lines in it that have weird characters (box shapes) and they invoke these two registry lines:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Windows:Load

and

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Windows:Run

I checked the registry and the values for those two keys are empty.

I tried disabling them and rebooting. When I rebooted, I got a series of 4 windows messages. One saying that 'box characters' could not be run. The next saying 'box characters' in msconfig was invalid. The two windows messages were then repeated in the same sequence. I assume that was two messages for each of the msconfig lines.

I checked msconfig and the lines were back and enabled.

And I still had the problem of my web browser redirecting to other pages (amazonaws.com and others).

Any thoughts or ideas?



Report •

#3
December 19, 2010 at 00:07:53
I finally found the rootkit and it is called tld3. I had to use tdsskiller from kaspersky.com to finally get rid of it. The only thing detecting it was Sophos.

Found the necessary info on it here: http://www.bleepingcomputer.com/vir...

Hope this helps anyone following in my tracks...


Report •

Related Solutions


Ask Question