My wife has this virus on her Dell Vostro 410 PC. From what I can gather off the web it hides in the MBR and reinfects the machine on every boot even after rootkit cleaners have erased it from the OS.
Hello Tony and welcome
I'm kevinf80 and I will be helping with any malware issues you may have with your system.
I note you have been using a pen drive to transfer to the infected PC, that's what we'll do with Combofix. Please proceed as follows on a known clean PC.
Download Combofix from either of the following links and save to your Pen drive
Before you save it change the name to Gotcha.exe as below, I know it says desktop on the image, but you'll save to your pen drive.
Transfer to the infected PC Desktop, it must be run from the Desktop nowhere else <--- Very important
Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <--- Very important
Please include the C:\ComboFix.txt in your next reply for further review.
Examples of how to disable realtime protection available at the following link :-
Disable realtime protection
Double click the Gotcha.exe icon to start, if CF asks to install the Recovery console, please allow it. Just follow the prompts.
Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.
Just to update you - I managed to get Kaspersky's online virus check to run. I had made the mistake of using Opera, this seems to be the reason it wasn't running. It means I can get online, but it's a bit flaky - plus I ran the Kaspersky online tool up to 19% before I stopped it, by which time it had found a lot of trojans. It's probably a good idea to keep the machine off-line from now on.
I'll run the Combofix tool and get back to you.
I'm relieved there's someone out there trying to help.
OK Tony, any time you're ready...
Sorry, I've had to deal with something else - non-pc related and haven't been able to run it yet. How long does Combofix take to run. I ask as it's late evening here in the UK and if it's hours then we'll need to pick this up again tomorrow.
I'm in the UK myself, CF takes approximately 10 minutes to run, this may extend to 20 minutes on heavily infected systems.
I'm usually here Tony, just post when you're ready. Make sure you back up any important data. TDL4 is a nasty infection and always has plenty of friends with it.
Unfortunately things don't seem to be going to plan.
Downloaded the Combofix file and gave it a random name. Transferred via the pen drive to the desktop, ran it, got a splash screen asking me to accept the conditions, I accepted and was greeted with the message, Combofix must have an alphanumerical name - install aborted (there was a " [ " symbol in the name).
Downloaded the Combofix file again and gave it the name Gotcha.exe this time as directed. Transferred it via the pen drive to the desktop, ran it, blue dosbox opened with the message "access denied". Install aborted.
Renamed the Gotcha.exe file on the pen drive to zfh.exe. Transferred to the desktop. This time something popped up very briefly in a blue dosbox again before returning the "access denied" message again. However, this time after a little delay it started (is the "access denied" message normal behaviour? - if so, it foxed me). It asked me to download and install the recovery console (done) and reboot (done). It's now scanning.
About 10 minutes ago I heard the windows shutdown sound and went to look (I'm on a different floor to my wife's PC). It's frozen at the shutdown stage - just a blank blue screen (not a BSOD - it's the desktop colour) and the cursor.
Shall I switch off and switch back on?
If CF is dealing with a Rootkit it may re-boot and sit idle for several minutes then boot again, leave it a while and see how it goes, if no change after 30 mins force a re-start and let me know.
TDL4 is very unpredictable, let's see how it goes.