Cleaning Neighbor's Desktop, only got 4 logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by Miss M, Dec 7, 2009.

  1. Miss M

    Miss M Private E-2

    Hi! I'm back with another friend's computer. When I got it, it was not booting. It would just give the message, "Windows Boot Manager: Windows failed to start. A recent hardware or software change might be the cause... etc. about using the disk to repair... File: c:\windows\system32\winload.exe ... Info: The selected entry could not be loaded because the application is missing or corrupt." And so on.

    The owner didn't have a Vista disk, and neither do I, so I booted it with UBCD4WIN and used it to explore the drive. I saw the familiar Total Security on there, so I asked her if she had clicked on a popup telling her she had a boatload of viruses shortly before her computer crashed, and she had. She actually is somewhat computer-savvy, and was surprised she fell for it.

    I tried to start chkdsk several ways on the computer exploring with UBCD4WIN, but even navigating straight to it to start it, and starting it from command line, didn't work. I got "c:\windows\system32\chkdsk.exe is not a valid win32 application."

    So, knowing that most applications on UBCD4WIN can be run on Vista without hurting anything, I carefully started choosing some to try. I figured I couldn't do much more harm than had already been done.

    I ran Avast Virus Cleaner, but it didn't find anything. I ran Avira, and it detected and deleted:
    FakeAV.TS
    Alureon.BK.99 (3 detections)
    FakeAV.TT

    I then deleted six more Total Security files and five registry keys. Then I tried to run Spybot S&D from UBCD4WIN, and got the message "The file or directory c:\Windows\System32 is corrupt and unreadable. Please run the CHKDSK utility."

    Well, I figured XP chkdsk couldn't fix Vista, but I gave it a shot since I wasn't getting anywhere and seemed to be out of tools. It didn't fix it, no surprise. I finally went searching again for tools, and finally, finally found the downloadable Vista Recovery Disk. I downloaded and burned it, and booted it. It didn't ask me anything, just went into repairing, and when it finished, I rebooted. This time, I got: "Windows Boot Manager: A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

    I ran Vista Recovery Disk again, and this time it repaired "Boot manager generic failure 0xc0000428". The computer finally booted. Unsure of how long that would last, since the computer was still running poorly, I at first cut straight to scans. At this point, I was just trying to get things stable.

    I immediately ran MalwareBytes. It fixed:
    Registry - Broken.OpenCommand ->Bad: (Notepad.exe)
    Files:Rootkit.tdss (5 detections)
    Registry:Total Security, Trojan FakeAlert

    I could not run ComboFix; it would hang at attempting to create a restore point. SuperAntiSpyware just got a couple of cookies.

    At next boot, I got a white screen, so I attempted to boot into safe mode (which hadn't worked up to this point). This time I got there, and ran chkdsk right away. It did all kinds of things, part of which I am sure was cleaning up after the XP chkdsk scan. This time I was able to boot normally.

    I then began the Read & Run. UAC already was not enabled, the computer did not have Java, and I could not delete the items in the AVG 8.5 Virus Vault -- but they were only tracking cookies. Incidentally, I couldn't update AVG either.

    I got down to the end of the page where it has the OS-specific instruction links, and put the computer aside to work on another friend's computers, since this one came with no time limit, and the others were used for business.

    I hooked this one back up today, and was back to not booting. I had to run the VRD again. It said, "Root cause found - Boot manager failed to find OS loader. Repair completed successfully." It then rebooted and ran the chkdsk I had previously scheduled (again doing many repairs), and then booted successfully.

    On a whim I tried updating AVG, and this time it did! This gave me some hope that the computer was going to run somewhat better, and it is.

    I then began the Vista specific instructions. I ran the scan in SAS, which found nothing, and then MBAM, which found some shopping related entries, but not the rootkit.tdss. This was a surprise to me, because what I had seen online had led me to believe that this was a difficult infection that MBAM would say it cleaned when it in fact could not.

    ComboFix still will not run, and hangs in the same place. MGTools, rather than extracting and then me navigating into the folder to run it, ran itself automatically after extracting.

    I left to run an errand, leaving the computer up (still not trusting boot, since I think the display driver is corrupted). When I returned, it was hung at the POST screen. I have no idea what caused it to reboot, or what caused it to hang. I punched reset, and when it started, it automatically ran chkdsk (again fixing many things), and then rebooted successfully.

    I hope I am not being too thorough, but you tell us to explain the situation in detail! :-D I am now posting the four logs I do have.

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is not a malware issue. Your logs are clean. We can remove some leftover junk, but I suggest that you post in the software forum for further assistance.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Since you are not having any malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  3. Miss M

    Miss M Private E-2

    Thank you very much! I can't believe this computer is clean already! I really thought I was going to need dental tools to remove that rootkit!

    I did the stuff you said, and yes it was successfully added to the registry. I'll now do the final things. I'll reinstall the display driver, and if that doesn't solve my other problems, I'll post in the software forum.

    Thank you very much, again!!! Y'all are the best! :clap :major
     
  4. Miss M

    Miss M Private E-2

    BTW, I've noticed the last few times I've uninstalled ComboFix that the uninstall does not reset all the hidden files and folders. Hidden files are still visible. I re-hide them manually.

    Thanks!
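    A way to check, rather than eyeball, whether a cleanup tool really put Explorer's hidden-file view back to the Windows defaults, and to restore them if not. This is an added example, not code from the thread, from ComboFix or from MGtools; it assumes the per-user Explorer view settings live under the HKCU key named below (the documented location) and that the script runs as the user whose profile was cleaned.

```powershell
# Added example (not from the thread or from any tool it mentions): verify that
# Explorer's hidden-file view settings are at the Windows defaults after a
# cleanup and restore them if a tool left them changed.
# Assumption: the per-user Explorer view settings are stored under this HKCU key.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Windows defaults: Hidden = 2 hides hidden files (1 shows them);
# ShowSuperHidden = 0 hides protected operating-system files (1 shows them).
$defaults = @{ Hidden = 2; ShowSuperHidden = 0 }

$current = Get-ItemProperty -Path $key
$changed = $false
foreach ($name in $defaults.Keys) {
    $value = $current.$name
    if ($value -ne $defaults[$name]) {
        Write-Host "$name = $value (default $($defaults[$name])), restoring default"
        Set-ItemProperty -Path $key -Name $name -Value $defaults[$name] -Type DWord
        $changed = $true
    } else {
        Write-Host "$name already at default ($value)"
    }
}

# Explorer reads these values when it starts; restart it so the change is visible.
if ($changed) {
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}
```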
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know...safe surfing. :)
     
