A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #5228  by Eric_71
 Mon Feb 28, 2011 7:36 pm
Hello,

New tool from Avast (by Gmer): http://public.avast.com/~gmerek/aswMBR.htm

It seems to work (tested on TDL4 0.03):

the first time, after reboot, TDL is always present;
the second time, after reboot, TDL is dead.

aswMBR version 0.9.3 Copyright(c) 2011 avast! Software
Run date: 2011-02-16 19:16:56
-----------------------------
20:16:56.921 OS Version: Windows 5.1.2600 Service Pack 3
20:16:56.921 Number of processors: 1 586 0x80A
20:16:56.921 ComputerName: EEE-7DAE6D62252 UserName: XXXXX
20:16:57.203 Initialize success
20:16:58.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
20:16:58.484 Disk 0 Vendor: ST320414A 3.25 Size: 19092MB BusType: 3
20:16:58.500 Disk 1 \Device\Harddisk1\DR2 -> \Device\00000053
20:16:58.500 Disk 1 Vendor: PNY_____ 8.02 Size: 15283MB BusType: 7
20:16:58.500 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST320414A_______________________________3.25____#453331434a33325a202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
20:16:58.500 Device \Driver\atapi -> DriverStartIo 81abf422
20:17:00.500 Disk 0 MBR read successfully
20:17:00.500 Disk 0 MBR scan
20:17:00.500 Disk 0 TDL4@MBR code has been found
20:17:00.500 Disk 0 MBR hidden
20:17:00.500 Disk 0 MBR [TDL4] **ROOTKIT**
20:17:00.500 Disk 0 trace - called modules:
20:17:00.500 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81abf5dc]<<
20:17:00.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x81b8cab8]
20:17:01.031 3 CLASSPNP.SYS[f8511fd7] -> nt!IofCallDriver -> \Device\0000004f[0x81afbef8]
20:17:01.031 5 ACPI.sys[f8487620] -> nt!IofCallDriver -> [0x81b134e0]
20:17:01.046 \Driver\atapi[0x81b258f8] -> IRP_MJ_CREATE -> 0x81abf5dc
20:17:01.062 Scan finished successfully
20:17:14.796 Disk 0 Windows 501 MBR fixed successfully
20:17:18.359 Disk 0 fixing MBR
20:17:28.375 Disk 0 MBR restored successfully
20:17:28.375 Infection fixed successfully - please reboot ASAP
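An added example, not part of the post and not code from aswMBR: a small Python triage parser for log lines of the kind quoted above. It collects per-disk verdicts (the MBR-code signature, "MBR hidden", the **ROOTKIT** tag, fix and restore status) and correlates the `>>UNKNOWN [addr]<<` frame in the call trace with the driver dispatch entry that points at the same address, which is what makes the `\Driver\atapi ... IRP_MJ_CREATE` line in this log worth looking at. The sample input is constructed from the lines quoted in the post; the regular expressions are assumptions about the 0.9.3 log format, not a documented grammar.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the aswMBR 0.9.3 output quoted in the post
# (raw string so the NT device paths keep their single backslashes).
SAMPLE_LOG = r"""aswMBR version 0.9.3 Copyright(c) 2011 avast! Software
Run date: 2011-02-16 19:16:56
-----------------------------
20:16:58.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
20:16:58.484 Disk 0 Vendor: ST320414A 3.25 Size: 19092MB BusType: 3
20:16:58.500 Disk 1 \Device\Harddisk1\DR2 -> \Device\00000053
20:16:58.500 Disk 1 Vendor: PNY_____ 8.02 Size: 15283MB BusType: 7
20:17:00.500 Disk 0 MBR read successfully
20:17:00.500 Disk 0 MBR scan
20:17:00.500 Disk 0 TDL4@MBR code has been found
20:17:00.500 Disk 0 MBR hidden
20:17:00.500 Disk 0 MBR [TDL4] **ROOTKIT**
20:17:00.500 Disk 0 trace - called modules:
20:17:00.500 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81abf5dc]<<
20:17:01.046 \Driver\atapi[0x81b258f8] -> IRP_MJ_CREATE -> 0x81abf5dc
20:17:01.062 Scan finished successfully
20:17:14.796 Disk 0 Windows 501 MBR fixed successfully
20:17:28.375 Disk 0 MBR restored successfully
20:17:28.375 Infection fixed successfully - please reboot ASAP
"""

# Assumed line shapes (derived from the quoted log, not from a spec).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
DISK_RE = re.compile(r"^Disk (\d+) (.*)$")
ROOTKIT_RE = re.compile(r"^MBR \[(\w+)\] \*\*ROOTKIT\*\*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
DISPATCH_RE = re.compile(r"^(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)$")


@dataclass
class DiskReport:
    index: int
    boot: bool = False
    vendor: str = ""
    mbr_code: str = ""            # e.g. "TDL4" from "TDL4@MBR code has been found"
    mbr_hidden: bool = False
    rootkit: Optional[str] = None  # family named in the **ROOTKIT** verdict line
    fixed: bool = False
    restored: bool = False


@dataclass
class Triage:
    disks: Dict[int, DiskReport] = field(default_factory=dict)
    unknown_addrs: Set[str] = field(default_factory=set)
    # (driver object, IRP major function, dispatch target) triples
    dispatch: List[Tuple[str, str, str]] = field(default_factory=list)
    reboot_required: bool = False


def parse_aswmbr_log(text: str) -> Triage:
    """Walk timestamped lines and fill a Triage structure."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner / run-date lines carry no timestamp
        msg = m.group(2)
        d = DISK_RE.match(msg)
        if d:
            idx, rest = int(d.group(1)), d.group(2)
            disk = t.disks.setdefault(idx, DiskReport(idx))
            if rest.startswith("(boot)"):
                disk.boot = True
            elif rest.startswith("Vendor: "):
                disk.vendor = rest[len("Vendor: "):].split(" Size:")[0].strip()
            elif "@MBR code has been found" in rest:
                disk.mbr_code = rest.split("@MBR")[0]
            elif rest == "MBR hidden":
                disk.mbr_hidden = True
            elif rest.endswith("MBR fixed successfully"):
                disk.fixed = True
            elif rest == "MBR restored successfully":
                disk.restored = True
            else:
                r = ROOTKIT_RE.match(rest)
                if r:
                    disk.rootkit = r.group(1)
            continue
        for addr in UNKNOWN_RE.findall(msg):
            t.unknown_addrs.add(addr.lower())
        h = DISPATCH_RE.match(msg)
        if h:
            t.dispatch.append((h.group(1), h.group(2), h.group(3).lower()))
        if msg.startswith("Infection fixed successfully"):
            t.reboot_required = True
    return t


def findings(t: Triage) -> List[str]:
    """Human-readable summary: infected disks, and dispatch pointers that
    land in memory the tool could not attribute to any loaded module."""
    out = []
    for disk in sorted(t.disks.values(), key=lambda x: x.index):
        if disk.rootkit:
            state = "fixed" if (disk.fixed and disk.restored) else "NOT fixed"
            hidden = ", MBR hidden" if disk.mbr_hidden else ""
            out.append(f"Disk {disk.index} ({disk.vendor}): {disk.rootkit} in MBR{hidden}, {state}")
    for drv, mj, target in t.dispatch:
        if target in t.unknown_addrs:
            out.append(f"{drv} {mj} dispatch -> {target} (outside any known module)")
    return out


if __name__ == "__main__":
    for line in findings(parse_aswmbr_log(SAMPLE_LOG)):
        print(line)
```

The two findings this produces for the quoted log are the ones a practitioner would act on: the boot disk's MBR carries TDL4 code and is being hidden, and atapi's IRP_MJ_CREATE dispatch pointer resolves to an address the tool could not map to any module. The "fixed" state only reflects what the tool reported; as the post notes, a rescan after reboot is still needed to confirm the infection is gone.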
 #5795  by liangtong
 Sat Apr 02, 2011 6:49 am
1. A direct call to atapi!IdePortDispatch seems unable to remove the latest TDL4.
2. It hooks KiTrap, which makes some tracers BSOD.
3. Another BSOD:
ba0ab454 80826987 00000003 00000001 00000000 nt!RtlpBreakWithStatusInstruction
ba0ab4a0 8082788b 00000003 fffffff6 8083260e nt!KiBugCheckDebugBreak+0x19
ba0ab838 8088c993 0000000a fffffff6 d000001b nt!KeBugCheck2+0x5e1
ba0ab838 8083260e 0000000a fffffff6 d000001b nt!KiTrap0E+0x2a7
ba0ab8ec 80832a76 00000000 808311b3 0000d5ce nt!KiDeferredReadyThread+0x120
ba0ab8f4 808311b3 0000d5ce 808ab820 808ab820 nt!KiProcessDeferredReadyList+0x16
ba0ab910 808281f6 81176288 00000000 00000000 nt!KiExitDispatcher+0x25
ba0ab924 8086721e 028ab820 00000000 00000000 nt!KeSetEvent+0xcc
ba0ab948 80865c5e 81176288 0001fbd4 81378b30 nt!MiInsertPageInFreeList+0x1da
ba0ab968 8084891c 808ab300 000001d2 00000021 nt!MiDecrementShareCount+0x1be
ba0aba34 8089149d c0708ec8 00000002 00000000 nt!MiDeleteSystemPagableVm+0x2e2
ba0aba78 808925bb e11d2000 c0000001 820a1000 nt!MiFreePoolPages+0x2ed
ba0abad0 b9fa1d27 656e6f4e 00000000 819f5dc8 nt!ExFreePoolWithTag+0x277
WARNING: Stack unwind information not available. Following frames may be wrong.
ba0abb44 b9fa202c e255c430 03f0bc72 9988c100 aswMBR+0x5d27
ba0abb90 b9f9d267 81a357c0 81c26c08 0000020c aswMBR+0x602c
ba0abc04 b9f9d390 81a357c0 81c26c08 0000020c aswMBR+0x1267
ba0abc3c 8081df85 81663040 00000000 81a357c0 aswMBR+0x1390
ba0abc50 808f5437 81d6cda8 81a357c0 81d6cd38 nt!IofCallDriver+0x45
ba0abc64 808f61bf 81663040 81d6cd38 81a357c0 nt!IopSynchronousServiceTail+0x10b
ba0abd00 808eed08 00000100 00000000 00000000 nt!IopXxxControlFile+0x5e5
ba0abd34 808897bc 00000100 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
ba0abd34 7c9585ec 00000100 00000000 00000000 nt!KiFastCallEntry+0xfc
0100f7d0 0045937c 00000100 9988c100 0100f7fc ntdll!KiFastSystemCallRet
0100fa1c 004552fd 00000001 00cac9e0 00ca4958 aswMBR_400000+0x5937c
0100fa30 0045a0fa 00000001 00cac9e0 00ca3da8 aswMBR_400000+0x552fd
0100fa44 00401a03 00000001 00cac9e0 010270b8 aswMBR_400000+0x5a0fa
0100ffb0 00401f7b 0100ffec 7c824829 00000000 aswMBR_400000+0x1a03
0100ffb8 7c824829 00000000 00000000 00000000 aswMBR_400000+0x1f7b
0100ffec 00000000 00401e90 00000000 00000000 kernel32!BaseThreadStart+0x34