Help: Rovnix & other infections possible cause of BSOD & loss of update service

Hey folks. A friend recently asked me to help with her pc problems. I was told that about 10-15 minutes after being turned on, it would always get a BSOD.

Avast will find the Rovnix infection, but the PC gets the BSOD about 5 minutes later.
I also noticed that the Windows Update service was missing.

Another problem is that I can't get the computer to stay on long enough to run MWB & OTL, so I had to do these in Safe Mode.

AswMBR log attached…

Hi there, whilst I am looking at the rest of the logs we will act on the AswMBR report.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

  • Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Uhh, Adware city right there. Dear good god.

Make sure you tell her to custom install everything to avoid that MBAM log. If she is careful with custom installing and unchecking the boxes that contain bloatware, she'll be fine.

Still more adware to remove, plus some services to repair.

That's the same thing I said when I saw all the results. Problem is she is computer illiterate…

The tdsskiller log was kinda long, so I attached it instead.

Could you re-run TDSSKiller please and cure the following:

13:17:16.0156 0x09e8 \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - skipped by user
13:17:16.0156 0x09e8 \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - User select action: Skip
13:17:16.0156 0x09e8 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
13:17:16.0156 0x09e8 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

In addition to the MBR bootkits there is also a ZeroAccess infection.

So after the TDSSKiller run I will need you to run ComboFix and then follow that up with another OTL scan so that I can see what remains. We will do the ComboFix first.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
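For triaging a TDSSKiller log like the four lines quoted above, here is an added Python example (not code from the thread or from Kaspersky's tool) that parses detection lines and lists the objects whose last recorded user action did not remediate them. The sample log is constructed from the quoted lines; the action names beyond Skip are assumed from the options the thread mentions (Cure, Copy to quarantine, Delete).

```python
import re

# Shape of a TDSSKiller detection line, as quoted in the thread:
#   <time> <thread id> <object> ( <detection name> ) - <message>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>0x[0-9a-fA-F]+)\s+"
    r"(?P<obj>\S.*?)\s+\(\s*(?P<det>.+?)\s*\)\s+-\s+(?P<msg>.+?)\s*$"
)

# User-selected actions that actually remediate (assumed names, taken from the
# options the thread lists); anything else leaves the object in place.
REMEDIATING = ("cure", "delete", "copy to quarantine")

# Constructed sample: the four lines quoted in the post plus an assumed
# progress line without a detection, which the parser must ignore.
SAMPLE_LOG = r"""
13:17:00.0000 0x09e8 Scan started
13:17:16.0156 0x09e8 \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - skipped by user
13:17:16.0156 0x09e8 \Device\Harddisk0\DR0 ( HEUR:Rootkit.Boot.BackBoot.gen ) - User select action: Skip
13:17:16.0156 0x09e8 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
13:17:16.0156 0x09e8 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""

def parse_line(line):
    """Return time/tid/obj/det/msg for a detection line, or None otherwise."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def chosen_action(msg):
    """Pull the action out of 'User select action: X'; None for other messages."""
    prefix = "User select action:"
    return msg[len(prefix):].strip().lower() if msg.startswith(prefix) else None

def unresolved_detections(log_text):
    """(object, detection) pairs whose last recorded action did not remediate."""
    last_action = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # progress lines, driver listings and the like
        key = (rec["obj"], rec["det"])
        act = chosen_action(rec["msg"])
        if act is not None:
            last_action[key] = act          # explicit choice wins
        elif rec["msg"] == "skipped by user":
            last_action.setdefault(key, "skip")
    return sorted(k for k, a in last_action.items() if not a.startswith(REMEDIATING))

if __name__ == "__main__":
    for obj, det in unresolved_detections(SAMPLE_LOG):
        print(f"still present: {det} on {obj}")
```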

TDSSKiller doesn't give me the option to Cure. Only Skip, Copy to quarantine, or Delete…

Also, can I run ComboFix from Safe Mode? I don't want the PC to get a BSOD while it's running.

Select Delete for the TDSS File System only and then run ComboFix. Safe Mode is not ideal, but it will work.

I'm getting a message from ComboFix to uninstall Panda Cloud Antivirus, but I don't see it installed.

Edit: Panda has an uninstaller for the SERVICE on their site. Should I use that? Only thing is, it reboots the PC afterwards, which means restarting ComboFix…

Ignore that and accept the warning.

ComboFix log attached.

OK, next step. You should now be able to work in normal mode.

Download the attached fix.txt to your desktop.
Run OTL and press Fix.
It will ask for the location of fix.txt.
Locate and select fix.txt and press Run Fix again.

Then

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

FOLLOWED BY

Please download Junkware Removal Tool to your desktop.

  • Right-mouse click JRT.exe and select "Run as Administrator"; the tool will open and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

FINALLY

Run OTL once more… There will only be one log this time.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users.
  • Select LOP and Purity.
  • Under the Custom Scan box paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs.

The OTL fix froze once it was nearly done. Once the PC rebooted, this log was left…

There is an _OTL folder on my C: drive with a bunch of moved files, though.

Will do the next steps now.

AdwCleaner log attached.

We are getting there :)

So far we have removed 2 bootkits, 1 ZeroAccess and adware that was well into double figures. What AV was installed prior to you installing Avast?

Norton was on the PC. I used the Norton Removal Tool to uninstall it. I'm guessing there were others on it before that. I see McAfee Security Scan Plus in the Programs menu, but I didn't check if a service was running.

BTW, I really appreciate your help, man.

JRT log attached.

OK, all adware now gone… Just a matter of clearing the orphans and oddballs now.

Is the computer behaving in normal mode now?

Yep! No bluescreen. Windows Update is back.

Will run OTL for a log now.

Panda Security Toolbar
avast! Online Security
McAfee, Inc.
IOBit

were previous contenders.