A forum for reverse engineering, OS internals and malware analysis 
 #6144  by Julian
 Sun May 01, 2011 6:15 pm
PX5 wrote: Hang it up folks, doesn't a single cleaner work on the current infection, no need boasting this cleaner does or this cleaner doesn't.
It seems Kaspersky 2012 can clean it. At least Hitman Pro didn't find infected driver stack after cleaning with KIS.
 #6146  by CodeAddiction
 Sun May 01, 2011 7:35 pm
Hello,
PX5 said:
Even in 2 live cases, attempts to boot from a Windows CD failed, I even tried booting from the UBCD4Win and it failed as well, so they have figured a way to monitor/hook cd-roms/DVD
Using both my BartPE and Win7PE bootable CDs on a freshly infected box, this was not the case for me. Successfully booted into RAM environment.
 #6148  by rossetoecioccolato
 Sun May 01, 2011 9:24 pm
If this was actually caused by TDL4 then this would be a very big advancement in rootkit technology.
Not if they are flashing the firmware of the optical drive. Have seen this for a few years with BIOS-based infection. No reason it could not be applied to bootkit as well. Interesting to know which optical drive it is. If the drive is infected it may brick up when you try to read the firmware.
 #6157  by InsaneKaos
 Mon May 02, 2011 2:49 pm
Okay, I've tested aswMBR, HitmanPro, TDSSKiller against TDL4 on Windows XP 32bit SP3 and Windows 7 32bit SP1, both with the miniport driver atapi.sys. (VirtualBox)
  • aswMBR: Was able to detect and also to remove TDL4. It is necessary that aswMBR detects it as TDL4, otherwise the "FIX" button will not be available.
  • Hitman Pro: Was not able to detect it as TDL4 (It detected TDL3 instead) and gave me no options to remove it.
  • TDSSKiller: Detected and removed TDL4 without any problems.
Greetings, Kaos.
 #6158  by erikloman
 Mon May 02, 2011 3:19 pm
InsaneKaos wrote: Okay, I've tested aswMBR, HitmanPro, TDSSKiller against TDL4 on Windows XP 32bit SP3 and Windows 7 32bit SP1, both with the miniport driver atapi.sys. (VirtualBox)
  • aswMBR: Was able to detect and also to remove TDL4. It is necessary that aswMBR detects it as TDL4, otherwise the "FIX" button will not be available.
  • Hitman Pro: Was not able to detect it as TDL4 (It detected TDL3 instead) and gave me no options to remove it.
  • TDSSKiller: Detected and removed TDL4 without any problems.
Greetings, Kaos.
Did you use the beta? It should list $MBR as infected. Click next to remove.
 #6159  by nullptr
 Mon May 02, 2011 4:04 pm
erikloman wrote: Did you use the beta? It should list $MBR as infected. Click next to remove.
Do you need the paid version of HMP to detect it? With the 30 day free licence, I couldn't even get HMP to detect it.
I can confirm InsaneKaos' findings regarding latest TDSSKiller 2.5.0.0 and aswMBR.