Infected Computer

Hello,
Thanks in adavnce for your help. I have used your malware removal before and it worked like a charm, this time however it came back and I do not know what else to do...

I am sorry I do not remember what brought this about but in the end I found that the computer was infected by
"File Name: C:\WINDOWS\system32\drivers\ndis.sys"
"Threat Name: Trojan horse Rootkit-Agent.Dl"

I ran in order everything I could from this forum and I am attaching the logs. I thought it was removed because of ComboFix finding and removing it. But about an hour later I get another notice from AVG that it is still there.

The computer has been removed from the internet and network. All other computers on network have been inspected and found to be virus free.

I will try and answer any question to the best of my ability. Sorry for not remembering everything.

Again thanks in advance for all your help

Chip

 

Thank You TimW, I could not find the orignal Combofix log so I ran a new one for you. When I run ComboFix is reboots my computer each time. The MGTools starts out with "c:\MGTools\swreg.exe is not a valid Win32 Application" like a 100 times, the Dos Box says Access is Denied. And it seems to complete as I get the zip file. Hope this helps.

 

Thanks for the continued support.
I downloaded the fix form XP pro and extracted to system32 folder. I deleted the cdiv9r 1236255302.job file. However I can not find any of the trusted zones files you want me to remove. I looked in IE>Tools>Internet Options>Security>Trusted sites Nothing in there, or in Local intranet. Looked in Firefox can not find anything. Searched the C drive to include hidden folders nothing. Seached in Reg Edit and only found //about.htm and //exclude but did not delete in reg edit. Looked in windows firewall. Could not find it in Spybot S&D, googled how to remove trusted zones. I am at a loss on this one.:cry

I tried running MG again and got the same errors. Please let me know where those file are to remove. Combolog does not tell me where they are. Sorry


Happy Thanksgiving
Chip

 

I tried TimW first and recieved error "C:\MGTools\swreg.exe is not a valid Win32 application about 100 times. Ran the shownew did not recieve any errors log is below mgtoolsnewfiles.txt.
I then did chaslang suggestion and it also ran with no errors log is attached mglogsgood.zip.

Again Thank you very much for the help and Happy late Thanksgiving.

Chip

 

I believe so. I removed AVG antivirus (which told me about the virus) and installed Comodo, it will not update. Plus the windows firewall shows as On in the Security Center window but if I go to the windows firewall window the Off box is checked. Comodo says that "The network firewall is not functioning properly!". I go to Comodo system status and click on run diagnostics it says nothing is wrong. Any ideas? Nevermind on the Firewall figured it out. Still can not update though.

 

Not updating is a problem on my end I believe. If I find any more malware I will post in this thread? Forgot to tell you that I scanned with Comodo and it found nothing.

Thanks for all your help
Chip

 

Well I got Comodo to update and I scaned again and it found a virus in the same file.
Location: C:\WINDOWS\system32\drivers\ndis.sys
Malware Name: Virus.Win32.Protector.B@82810198
Action: Detect
Status: Success

It will also pop up a message saying it found the same Virus...

:cry

 

I think I will reformat the drive, this is taken to much time from you and me. BTW your bump comment is not warranted I answered your question it just took 3 replies. I never bumbed and waited longer for a reply. Again thank you for your help and time it is greatly appreciated. Happy Holidays

Chip

 

Thank you for the response and your contiuned support but I am still going to reformat, it is just easier. You more than I have wasted enough time on this little bugger that I also believe is a false postive. Again thank you for your time, it is and has always been appreciated.:wave