Posted 27 April 2012 - 05:13 PM
I hope I can find some answers as I have been searching through Google for half the day.
Windows XP Home SP3
Client machine came in infected with a Fake Alert and bundled with it was a TDSS rootkit. The client was running AVG Free and the paid version of SuperAntiSpyware. SAS caught part of the infection and prompted the client to reboot their computer; upon the reboot they experienced a BSOD STOP: C21A.
I used the saved copies of the registry from inside the System Restore folder from a couple of days earlier and was able to get the machine up and running.
Installed MBAM and ran a full scan... Clean.
TDSSKiller scan detected no rootkits but did find a TDSS file system and it was quarantined.
Customer had an outdated version of AVG Free; updated it and experienced issues with the Resident Shield not starting.
Uninstalled AVG and replaced it with Microsoft Security Essentials.
Full scan with MSE - no threats detected.
AVG Rescue CD full scan - 1 threat detected inside System Restore.
Ran chkdsk several times to repair broken indexes and recover lost files.
During this process I have rebooted the machine a few times, and each time after a reboot the Security Center reports that Automatic Updates are turned off. Inspection of the service through services.msc shows the service as disabled.
Now what's funny is that I can set the service to Automatic and start the service, and it will operate normally until the next reboot. Then I have to go through the process again. I thought it might be a Group Policy setting, but that's not available in Home Edition.
To troubleshoot the issue I have completed the following...
- Re-registered the DLL files
- Ran the FixIt from Microsoft, which found issues and fixed them but didn't report what they were
- Tried to install the Windows Update Agent, but it wouldn't take because it was already installed
- Reset all services to their default startup states via a registry file found on the web
- Checked the machine again for rootkits using TDSSKiller and BlackLight - nothing found
And as a last-ditch resort I ran ComboFix with my fingers crossed that it would find what I wasn't able to... The log file shows "other deletions" but nothing of too much importance from what I could tell.
Any advice would be greatly appreciated. I'm sure the answer is in front of my face but I just can't see it.
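The symptom described in the post (a service that is set back to Disabled on every reboot) is usually something that runs at boot or logon rewriting the service's Start value, or a policy value that the Security Center honours even on Home Edition, where gpedit.msc is absent but the registry keys it would write are still read. The batch script below is an added example, not something from the original post; it uses only the sc.exe, reg.exe and schtasks.exe that ship with Windows XP, and the output file name is an arbitrary choice. Run it once after setting the service to Automatic, again after the next reboot, and compare the two files with fc.exe: whatever differs points at the thing that is changing the service.

```batch
@echo off
REM Added example (not from the original post): snapshot the service state,
REM the Windows Update policy values and the common autostart locations, so
REM that two snapshots (before and after a reboot) can be compared with
REM "fc before.txt after.txt" to find what keeps disabling Automatic Updates.
REM Assumes Windows XP's built-in sc.exe, reg.exe and schtasks.exe; the log
REM file name below is an arbitrary, constructed choice.
setlocal
set LOG=%SystemDrive%\wu_snapshot_%RANDOM%.txt
echo === %DATE% %TIME% === > "%LOG%"

echo --- wuauserv as the Service Control Manager sees it >> "%LOG%"
sc qc wuauserv >> "%LOG%"
sc query wuauserv >> "%LOG%"

echo --- Registry Start values (2=Automatic 3=Manual 4=Disabled) >> "%LOG%"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start >> "%LOG%"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\BITS" /v Start >> "%LOG%"

echo --- Policy keys: values here override what Security Center shows >> "%LOG%"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" >> "%LOG%" 2>&1
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions >> "%LOG%" 2>&1

echo --- Autostart locations that run at boot or logon >> "%LOG%"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> "%LOG%" 2>&1
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" >> "%LOG%" 2>&1
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> "%LOG%" 2>&1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell >> "%LOG%" 2>&1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit >> "%LOG%" 2>&1
schtasks /query /fo LIST /v >> "%LOG%" 2>&1

echo Snapshot written to %LOG%
endlocal
```

A missing policy key is reported by reg.exe as an error, which is the expected (clean) result; a NoAutoUpdate value appearing under the AU policy key, or a Start value of 4 coming back after the service was set to 2, narrows the search to whichever autostart entry or task differs between the two snapshots.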