
# BSOD & Pop-up Ad at bottom of left & right of webpages


### #1 dreamalife


Posted 04 August 2013 - 01:18 AM

Hi, I'm using Windows 7, IE 9, & free AVG 2013. AVG detected a threat & removed it as usual, but with this threat, AVG required my PC to restart. After I restarted, I started to get pop-up ads at the bottom left & right of webpages when I surf. After an hour, everything was gone, but a blue screen pops up with messages & then the PC restarts itself.

I tried to do a system restore, but it didn't work. I scanned with AVG, and it came out clean. I deleted the temporary files, history & cookies under Tools in IE. I unchecked system protection/restore & then started the PC in Safe Mode. I scanned it with Malwarebytes until nothing was found anymore. I also used CCleaner to clean up the Registry. But the problem still persists, please help me with this.

I had a similar thing happen in the past, where I was advised to manually remove the infected file, which was hiding in folders. That worked because I had the name of the infected file, but I can't remember the steps anymore.

### #2 GodfatherKing


Posted 04 August 2013 - 02:53 AM

Let's have a look...

Note: Sometimes AVs think Rkill is infected; this isn't true, it's just a false positive. Just let it terminate the malware processes.

Running TDSSKiller to obtain log

Note: Don't cure or delete a threat, but choose skip for all instead.

• Double-click on TDSSKiller.exe to run the application, then click on Change parameters
• In the Additional options: check Detect TDLFS file system
• Click Start Scan and allow the scan process to run
• Choose Skip for all threats found
• Click Continue
• Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)

===================================================

ESET Online Scanner

==================

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.

• Hold down Control and click on this link to open ESET OnlineScan in a new window.
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
• Double click on the icon on your desktop.
• Click the Start button.
• Accept any security warnings from your browser.
• Under scan settings, check "Scan Archives" and » UNCHECK "Remove found threats" <== Important
• Click Advanced settings and select the following:
• Scan potentially unwanted applications
• Scan for potentially unsafe applications
• Enable Anti-Stealth technology
• When the scan completes, click List Threats
• Copy and paste the information in your next reply. (If no malware was found you will not be presented with a log).
• Click the Back button.
• Click the Finish button.

===================================================

If you have received help from me and I haven't responded to you for 3 or more days, send me a Private Message.

### #3 dreamalife


Posted 04 August 2013 - 07:21 PM

Hi, thanks for responding.

I can't find the TDSSKiller.[Version]_[Date]_[Time]_log.txt in my root directory nor on my desktop where I TDSSKiller Rootkit Removing Tool. I'm typing what I see here:

```
There are unprocessed malware objects
Duration: 00:00:58
Processed: 441 objects, details
Found: 2 threats
Neutralized: 0 threats
Quarantined: 0 objects
```

When I clicked on the details, this is what I saw:

```
Event              Objects
---------------------------------------------------------------------
Suspicious         \Device\Harddisk0\DR0 ( Rootkit.Win32.BackBoot.gen )
Infected           \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b )
Skipped by user    \Device\Harddisk0\DR0 ( Rootkit.Win32.BackBoot.gen )
Skipped by user    \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b )
```

For ESET Online Scanner, this is what I got:

```
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49datact.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49htmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49ieovr.dll probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49Plugin.dll probably a variant of Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49skin.dll a variant of Win32/Toolbar.MyWebSearch.P application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\T8HTML.DLL probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_3de8def0db722996\autochk.exe a variant of Win32/CompuTrace.B application
```

### #4 GodfatherKing


Posted 05 August 2013 - 03:45 AM

Backdoor/Rootkit warning: BackBoot.gen

This computer is infected with a rootkit called BackBoot.gen. You will need to change all passwords after this, and do not do any home banking. Don't use the machine now for other purposes than malware removal.

Rerun TDSSKiller. This time: Cure >> BackBoot.gen

Note: The tool may ask to reboot.

Rerun TDSSKiller, the rootkit should be gone.

Edited by GodfatherKing, 05 August 2013 - 03:46 AM.


### #5 dreamalife


Posted 05 August 2013 - 08:31 AM

The only options I got are Skip, Copy to quarantine, & Restore. I don't have the Cure option for Rootkit.Win32.BackBoot.gen. What can I do to cure/remove this?

Then I have the Cure option for Rootkit.Boot.Cidox.b, do I select Cure for this also?

Thanks.

### #6 dreamalife


Posted 05 August 2013 - 08:39 AM

I selected Copy to quarantine for BackBoot.gen & selected Cure for Cidox.b. After the PC rebooted & I scanned with TDSSKiller, no more threats were found. I guess my PC is virus free now? Thanks a lot!

### #7 GodfatherKing


Posted 05 August 2013 - 09:29 AM

I would run ESET again and this time check "Remove found threats".

==

Use WOT to check whether sites are safe or not: http://www.mywot.com/

A good working AntiVirus is also important. I personally advise Avast free or Avira. MSE's detection is not so great.

Let's check how good your security is:

Download Security Check from here or here and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document called checkup.txt should open automatically; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave reading the results to me.


### #8 dreamalife


Posted 06 August 2013 - 06:12 AM

Ok, I ran ESET again & removed the threats. Uninstalled AVG 2013 free & installed Avast 2013 free. Downloaded & ran SecurityCheck, the result is this:

```
Results of screen317's Security Check version 0.99.71
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 10
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
Anti-malware/Other Utilities Check:
Malwarebytes Anti-Malware version 1.75.0.1300
Mozilla Firefox (Firefox.)
Process Check: objlist.exe by Laurent
AVG avgwdsvc.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
System Health check
Total Fragmentation on Drive C: 2%
End of Log
```

So, I guess I'm really virus free this time & with a better antivirus. Thank you, you're the best!

Edited by dreamalife, 06 August 2013 - 06:13 AM.

### #9 GodfatherKing


Posted 06 August 2013 - 06:23 AM

That's a good choice, I also have Avast free. I scan every month.

Keep MBAM as an on-demand scanner; the other tools may be removed. Run a scan every month with MBAM and Avast.

As a browser I use Chrome or Firefox, because IE is more vulnerable to infections, and HTML 5 & CSS 3 (technology that web designers/programmers use) are displayed better in Firefox and Chrome.

Happy and safe browsing again.
