Need help with removing malware

Hi! Yesterday avast stopped working. When I booted Windows 7 it started doing a chkdsk scan. After that I logged in and after a few minutes I saw an alert from avast. When I opened AvastUI it had 2 warnings. Silent/Gaming mode was enabled and the Avast service was stopped. I tried to disable Silent/Gaming mode but nothing happened. It just re-enables instantly. I tried to start the Avast service (tried both in servicemgr and in AvastUI) but it fails to start. My first thought was that the config file was corrupted because every time I change it, it resets. I tried to reinstall but when I run aswclear.exe it says I need to disable an option in Avast (something about self-protect, I can’t remember exactly). This obviously didn’t work because the config file resets, so I rebooted to enter failsafe mode. After loading the drivers it got stuck for a few minutes and then rebooted. That’s when I realized my system was infected. I plugged out my ethernet cable as fast as I could and logged in. The computer was running much slower and some applications crash/don’t respond randomly. Some (not all) of my Firefox bookmarks got deleted but I can recover those with Firefox sync. I managed to do a Malwarebytes scan and it found 3 things. 2 Trojans and a PUP.BundleInstaller.BI. See the attachments for logs and quarantined files. I’m using Ubuntu now because I don’t want to connect to the internet on an infected system. My guess is that it’s a rootkit because it has access to SYSTEM and disabled Avast and failsafe. Does anyone know what to do?

OS:NT6.1 Windows 7 Ultimate x86_64/Linux Ubuntu 12.04 x86_64
Quarantined files (don’t run unless you know what you’re doing): http://dl.dropbox.com/u/43754218/quar.tar.gz

If you know what this is or how to remove it without formatting the hard drive please reply. Thank you.

follow this guide and attach the logs…not copy and paste. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

when done the removal specialists will be notified

aswMBR.exe stops working after I open it. All the other tools worked.
Logs: http://dl.dropbox.com/u/43754218/logs.tar.gz

you may try running it from safe mode… if no success, drop it
the removers have more tools in their toolbox and will select another if needed

OK let’s go in with the big boy first

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Here’s the ComboFix log. The computer is running really slow, files are being corrupted and every time it boots it runs chkdsk and asks if I want to do a startup repair.

OK this looks more like a system than malware problem, I will use a different tool to confirm the MBR is OK just to be sure

  • Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished …
  • Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

  • Wait for the end of the scan.
  • The report has been created on the desktop.

I already did an RK scan. The log is in my first post. I don’t think it is just a system problem. That wouldn’t explain why Avast is always disabled and why aswMBR closes instantly. Malwarebytes found a bundle installer. Do you know what that is?
Edit: All system restore points have been deleted. It’s definitely malware.

Oops missed that one

I will do a final malware sweep, but I do not feel it will find anything

How long have you had exploit shield on the system?

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

  • Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.