Recently a person brought in a laptop troubled with, as he referred to, “the ever present blue-screen-of death”. He continued to clarify the computer system, at first, would on occasion display an error screen primarily after at least an hour of computer usage, however recently the pc showed a stop error at the time of each log in. He tried using various anti-malware analyses, in safe mode, with the software MalwareBytes and Avast. After the scans and a reboot the computer system booted immediately to a black screen with not a thing but a mouse cursor displayed on the monitor. He needed help.
This computer would not boot accurately so, in order to analyze and fix boot issues, we employ a tool developed to run in the Windows Recovery Environment. In such cases, We perform a diagnostic scan using Farbar Recovery Scan Tool via an open USB drive. The FRST analysis exposes contamination from the TDL4 rootkit.
TDL is a robust rootkit and botnet. TDL employs a variety of techniques to evade all types of discovery, and uses encryption to be able to aid transmission amongst its bots and the botnet command center. TDL also consists of a potent rootkit factor, that permits it to hide the existence of any various other types of adware in the computer system. Left unchecked, TDL might trigger complete system failure.
After that, I develop a simple FRST fixlist script and run this file through the flash drive. The FRST log reveals successful completion of the operation.
The laptop continues to be not able of booting into normal mode so we move forward with a comboFix check inside safe mode. The comboFix log shows numerous things. First, the infected computer system has lingering registry items of uninstalled Anti-virus and Spyware software program. In such a case, it turned out McAfee sticking around – this provides an undesirable scenario because these kinds of remnants may conflict with recovery programs, such as comboFix which was now displaying an error, and future anti-virus software packages. It’s significant to be aware, just one single anti-virus program really should be installed on the pc at any time. Next, the comboFix log reveals successful removal of malware which stayed undetectable by TDL4. In this case, the applications are located in the following directories: c: users[user]AppDataLocal, c: usersElliotAppDataRoaming, and c: windows. ComboFix sufficiently cleans these spyware and adware. I create a small comboFix script that erases the lingering McAfee registry records.
The pc continues to be unable to start up into normal mode consequently we move forward with an analysis utilizing TDSSkiller. The TDSSkiller report implies successful discovery and eradication of a suspicious hard drive partition.
After completion of the TDSSkiller repair, the pc currently boots into Normal mode free of issues.
These kinds of rootkits increase their grip deeply into the operating-system so we continue on a more comprehensive investigation of the laptop with OTL. The OTL report reveals a number of hidden system files in the C: UsersElliotAppDataLocal and C: ProgramData directories. Hidden system files shouldn’t be found here – so we create an OTL script to remove these unnecessary executables. The resulting OTL report reveals a clear laptop!
This computer now boots up and operates splendidly.