Cleaning Uncle's Computer... long distance.

Hi! My uncle's computer was infected some time ago... at least a couple of years. He pretty much hasn't used it since then, having no idea what to do about it. He used to use NetZero for minor internet access and e-mail, but now is unable to connect at all. Around the time (not sure how close) his computer got infected, he had completed his first online purchase and had his identity stolen.

My mom is staying with him for a while to take care of things after the death of my grandmother. I sent her with a CD with all the Read & Run programs with their updates. This was before the ComboFix bug; around January 3 or 4. I should also note that I completely forgot to provide the Windows Recovery Console on the CD. We forged ahead with the ComboFix scan without it. My mom mistakenly sent me a registry backup instead of the ComboFix log, so I will upload it in a followup post as soon as I have it.

Meanwhile, I am attaching what I have, which is SAS, MB, and MGTools. RootRepeal would not run, and did something to the computer that required a chkdsk to repair. Please forgive me the vagueness of my notes; it was a hectic time, and I didn't write things down like I normally do.

Thank you in advance for any assistance you can give me with this computer! It would be nice to get the thing up and running right again.

 

Hi, Kestrel13! Thank you for your quick response!

It's going to be a bit slow to work with me, because I'll need to burn disks to send to my mom, and then she has to get the logs to someone to email them to me. I'm not sure right now what's keeping the internet connection down, but hopefully we can figure that one out soon!

I know that with at least SAS (or is it MB?), the manual updates are significantly behind the live updates. But until I can fix the internet connection, that's the best I'll be able to do. I hope that's okay. I'll work on that connection as a top priority.

I had no idea that Ad-Aware had fallen behind like that. If it's of no use, we'll certainly remove it.

I had not even looked at his memory yet, and I'm amazed it has done as well as it has on that little memory. We'll be talking to him about an upgrade! I'll also put SP2 and SP3 (or do I just need SP3?) on a disk and send it off. And IE8... and Firefox! But if he insists on using IE, at least he'll have IE8. I hadn't noticed yet that he was running SP1... I was just trying to get the infection off first.

I forgot to tell you that there is no antivirus installed because it did have Norton on it, and we removed it pretty much first thing. I was hoping that would restore the internet connection, but it didn't. I sent copies of Online Armor firewall and Avast antivirus to install after we were finished with Combofix... I understand OA and Combofix don't play well together. Oh, and I need to get the Recovery Console on the disk too.

I saw the keygen on there when I had a quick look at the computer in December! I knew my uncle hadn't put it on there, so I figured its presence was a symptom of whatever virus the computer had. I didn't know if I could just delete it or not, so I didn't. Glad we can go ahead and do so.

Did you see any infection that got cleaned off?

I will get back to you as soon as I can, but it could be a week or so. I'll try to get the internet connection up so we can proceed a bit more quickly. Thank you so much!

 

Just letting you know, I'm just waiting for my mom to find a computer to email the logs to me! I'll post again as soon as I have them.

The computer is not being actively used in the meantime. At most, my mom plays solitaire on it sometimes.

 

Okay! Here are 4/5 logs, I'll post the 5th one next.

I had forgotten, we did a couple of scans before we decided to do the Read & Run... I know one of the scans was with Spybot S&D... I know it cleaned some stuff off, but the log folder was empty, so I don't remember what exactly... I seem to remember looking one of them up and finding out it was some sort of trojan.

At any rate, here is the first Combofix log, without Windows Recovery Console installed. Also, you will find the second Combofix log, before which my uncle found his XP disk and we installed the Recovery Console.

There are the SAS and MB logs, and I will post the MGtools log next. These are all from Saturday and Sunday, I believe, except for the first Combofix log. We haven't removed Ad-Aware yet, and we need to remove the keygen still, I think. We were in a hurry to get all the logs Saturday so she could give the logs to a friend Sunday so he could send them to me. Then it turned out they couldn't go to church, so she wasn't able to get the logs to someone.

Thank you for your patience! MGtools log below.

 

MGtools log... I've also priced memory for my uncle's computer, so I'll be hearing about that soon. I sent an XP SP3 disk (apparently you don't have to install SP2 first, you just have to have SP1) and IE and Firefox. I have a feeling the IE is just a downloader that needs an internet connection, though, which he doesn't have yet. We'll see. I've had lots of trouble installing IE8. It's failed quite a few times for me, for no apparent reason. I think I still have one computer I haven't been able to get it on. Do you know where the link is where you can download the entire thing? I know you can do that somewhere, I just can't figure out where it was.

Thank you again!!!

 

Okay, we'll get on this!

Is it okay if we try turning on Windows Firewall and installing Avast, and then attempt to figure out what is up with the internet connection? That way, my mom could download this directly, instead of waiting for a disk. And she could email me the logs without burning a disk and going to Kinkos.

We weren't going to do IE8 or SP3 yet, I was just talking too much. I'm good at that.

 

Wow! New avatar!

I think I'm turning into your worst nightmare... a good bit has changed. I sent the files my mom needed, only to discover Combofix was out of date. I sent her a new copy. Meanwhile, we tried to fix the internet connection. Avast would not install, so she tried Online Armor (We coudn't find Windows Firewall, or the Security Center -- SP1 didn't have it! I didn't remember that!). It produced an error and rendered the computer incapable of completing booting.

I had her go into safe mode and remove it. It hadn't completely installed, so she couldn't uninstall it. Reluctantly, I had her simply delete the folder in which it was contained, and then run CCleaner. Thankfully, that worked, and the computer booted.

I found out that the problems we were having were due to the computer being only at SP1. So, with a sigh of "Forgive me, Kestrel!" I had her upgrade to SP3. It went perfectly, but, of course, that means the configuration has changed.

Then my uncle finally divulged that his internet connection problems started right after something had happened -- like a storm or something -- FOUR YEARS ago! So I concluded the modem had been fried, and had died saving the computer itself. I had a computer in the past that didn't have such a considerate modem.

I happened to have an old modem on hand, and decided to go through the old memory I had as well. Turned out I had a stick identical to what he already had. I talked my mom through installing the memory and the modem. The computer recognizes the memory (so now it has 512MB), and, even though it really said it wanted a disk for the modem, the modem is working. However, we discovered at this point that not only had the modem been fried, the phone line itself has too much noise on it (probably as a result of that same 4-year-old event) for the modem to hear a dial tone. So now we're waiting on the phone company.

(In all fairness to my uncle, he had been caring for his mom for the last several years as her health slowly declined, so when he started having phone trouble and internet trouble, it got put onto the back burner... as long as the phone still mainly worked, it didn't get dealt with. It's only getting dealt with now because my grandmother passed away, and my mom is over there helping him get everything taken care of.)

So, with all that's changed, I don't know if the new logs are very useful to you, but I will attach them anyway. Systemlook gave us an error message... what was it... oh drat. Still gave us a log, though.

Please don't kill me! :duck

 

Hi! We came up with a way to get this turned around faster. I have the Combofix log, but I forgot to have my mom do MGtools before she left to send it to me. So I'll upload that one hopefully tomorrow.

I'm really sorry about all the craziness that happened in the last couple of weeks. I hope I didn't do too awfully bad. :-o

I'm glad it looks like the infection he had was probably cleaned off before I even started the Read & Run. I like it when it comes off easily.

 

Oh, okay... I didn't realize SAS had found anything. I could see that we were replacing qmgr.dll, but I had no idea why!

Thank you so much for all your help with this computer, and your extreme patience with me! I've been on here a few times for help cleaning up friends' computers, and I promise I'm not normally this much trouble! :-o

Here's the MGtools log zip file. Mom's renting a computer at Kinko's to transfer back and forth. Hopefully, we can get the phone line fixed soon.

 

I appreciate that, I was sure that at some point in there, you were ready to kill me. :-D

YAY!! It's so great to have this computer clean again!! We worked through the rest of it, and ran CCleaner, and Defraggler. The machine is running so smoothly now, it's like a new computer!

My mom says to thank you so much for helping us and being so patient, and that it's nice to know there are people out there like you who are willing to help others get their computers running again!

We'll be installing Avast and Online Armor now, and Firefox. That should go fine this time, since the computer is at SP3. Eventually, we'll be working on some real upgrades to the hardware... maybe I'll build him a new computer. But whatever happens, I'll be able to transfer all his stuff from this drive to a new one, without worrying about it being infected! :cool

 

You take care too!

Marilyn