Majorly infected computer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Joyfulsong11, Jun 20, 2011.

  1. Joyfulsong11

    Joyfulsong11 Private E-2

    Hi,

This computer got a virus a few months ago which the antivirus detected as "Eldorado". This virus has since spread to another computer which had not progressed to the same degree of infection and, with help from this forum, is now clean and functioning properly. This computer's symptoms began with simple browser crashing, and progressed to prohibiting any downloads and even not allowing the disk drive to be used. I transferred the files for cleaning from a clean computer via flash drive.

When running the cleaning procedure SAS and Malwarebytes both ran fine. I then attempted to run ComboFix but it never would run correctly, stating that the file was corrupted or incomplete. After multiple downloads and various attempts I finally got an error message about an NSIS error. I don't know what the problem was, but I went on to try the other tools. RootRepeal ran fine, but MGtools was aborted with an error message about an entry point problem. It does seem to have created a log, so perhaps the rest of the information is included in that.

Any direction or help would be GREATLY appreciated!

    Sincerely,
    Joyfulsong11

PS: The logs attached are all the logs I was able to produce.
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.


    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Next...

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.

    Got a C:\MGlogs.zip now?
     
  3. Joyfulsong11

    Joyfulsong11 Private E-2

I uninstalled the old version of SuperAntiSpyware, downloaded and installed the current one, automatically updated the signature files (at least I think I did; it didn't take very long, so I don't know if it really did download them), and then just to be safe manually downloaded and installed the signature update from the SAS website. When I set the program to scan I got an error message. I tried running three times, and all three times got the first error message. After the last try, I also got the second error message. Screenshots attached. I wasn't sure if I should go ahead with the other steps you mentioned, so I figured I'd wait for an official analysis.
     

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, continue on. :)
     
  5. Joyfulsong11

    Joyfulsong11 Private E-2

I ran TDSSKiller just fine. It found two malicious/suspicious files which I deleted. Then I ran MGtools from the cmd prompt as per the instructions. "ShowNew" did just fine, no error messages. "GetRunKey" said the following:

    ********

    Running scan with GetRunKey.bat - <c> 01/28/2006 By Chaslang

    NOTE: Ignore any error messages about not finding registry keys!
    Just wait for the program to finish running!!

    The system cannon find the file specified.
    updating: runkeys.txt <188 bytes security> <deflated 81%>


    ********
    I don't know why the file isn't there. I'm attaching the log files created.

Also, the internet connection is gone; could that be from something in the MGtools scan?
     

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No! It was something you had TDSSKiller delete. Another valid file also got eaten. Seeking advice now, hang in there. :)
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You need to restore the two files you told it to delete.

• Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
• TDSSKiller automatically selects an action (Cure or Delete) for malicious objects and will prompt you to select an action to apply to suspicious objects (Skip, by default).
    • If you want to quarantine detected objects select the action Copy to quarantine. Quarantine files will not be removed!
    • The default quarantine folder is in the system disk root folder, e.g.:
    • C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

    Restore the files to their original locations. Reboot, is all well?

    Did you do that ok? (I still need to check your latest MGlogs.zip)
     
  8. Joyfulsong11

    Joyfulsong11 Private E-2

    I am slightly confused about your last instructions.

    I understand that the internet connection problem is because of one of the files that I deleted through TDSSKiller, the part I'm confused about is how to restore them. From your instructions it seems as if I should run the scan again and then instead of deleting the files to quarantine them. Unfortunately since they're deleted, the program doesn't detect them anymore, nothing comes up in a scan.

Is there something else I should be doing to find the deleted files and restore them? They are not in the recycle bin, which I wouldn't expect them to be. There is no C:\TDSSKiller_Quarantine folder since I deleted them rather than quarantining them, and therefore no quarantine file in that folder, and I do have hidden folders showing. In the future I will certainly quarantine items found instead of deleting them!

Would a system restore undo the damage? Sorry for the confusion!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Seeking advice. :)
     
  10. Joyfulsong11

    Joyfulsong11 Private E-2

  11. satrow

    satrow Major Geek Extraordinaire

    Hi,

What has happened is that your networking drivers appear to have been wrongly flagged as malware. There was a suspected bad version of this driver around in 2008, and that may be what triggered the false detection.

I need the full details of the Compaq model # and serial number please; the details should be on a sticker on the rear or sides, possibly the top of the case. I can then point you to the correct download of the drivers to get you fixed up.

    If you have the Drivers or support CD, you may be able to install the networking drivers directly.

    A third, and probably fastest option might be to try to roll back the networking drivers from Device Manager:
    Please report back with your results, serial number etc.
     
  12. Joyfulsong11

    Joyfulsong11 Private E-2

I have internet working!

Thanks for the directions for the network drivers. I tried the roll back option first, and it said there was no driver to be found, so I figured it'd be quicker to just find the driver myself from Compaq and save you the time. So, I downloaded the driver from Compaq's support page, installed it, and that's now working! Thanks so much.

And now, back to the virus removal . . . Anything else I need to do with that? Will the MGtools work properly now?

    :)
     
    Last edited: Jul 7, 2011
  13. satrow

    satrow Major Geek Extraordinaire

    Right, it looks like we're now safe to continue!

    Yes please, try to collect a full set of MG logs, I'll review the earlier findings.
     
  14. Joyfulsong11

    Joyfulsong11 Private E-2

    okay, let's try this. :)
     

  15. satrow

    satrow Major Geek Extraordinaire

Sorry, I've found it hard to find a timeslot for checking the logs. Now that I have, I find there's file corruption in some of them; we're conferring on the next move.
     
  16. satrow

    satrow Major Geek Extraordinaire

    You should now delete your current MGlogs.zip file and then rerun the MGtools.exe to create a new set of logs.

    Attach the latest MGlogs.zip with your next reply please.
     
  17. Joyfulsong11

    Joyfulsong11 Private E-2

    Okay, will do, and thanks for checking them. :)
     
  18. Joyfulsong11

    Joyfulsong11 Private E-2

    Okay, here's the new MGlogs
     

  19. Joyfulsong11

    Joyfulsong11 Private E-2

    First off, I apologize - this is a bump. :(

I just figured it's been almost a month since I posted the last logs and wanted to check and see if anyone had any ideas, since the computer is still having problems. I know the boards are busy and I understand the overload, so I really appreciate all the help so far. Not trying to rush anyone; I just wasn't sure if we'd hit a brick wall and I should just retire the computer, or if there was still hope. :)

    Joyfulsong11
     
  20. satrow

    satrow Major Geek Extraordinaire

Don't apologise, it's my fault; I hadn't noticed your earlier post with the logs come in. I'll look into it now.
     
  21. thisisu

    thisisu Malware Consultant

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Please download Disable/Remove Windows Messenger to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    1. Double-click MessengerDisable.exe
    2. Place a check-mark in Uninstall Windows Messenger
    3. Click Apply
    4. Click Exit

    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now download and install Sun Java Runtime Environment 7
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  22. Joyfulsong11

    Joyfulsong11 Private E-2

Scans have run successfully!

I did have a couple of error messages when I first tried to run ComboFix. One wouldn't let me run the program at all, so I deleted the version I had and redownloaded it, after which it ran fine. I did get two other warnings about my F-Prot antivirus being active. I don't know how that can be since I uninstalled it and checked the services and didn't find any entries for F-Prot. If there's something I need to do to further disable it let me know, but I went ahead and ran it as is despite the warnings. I've attached the logs that resulted, as well as the revised MGlogs.

Thanks so much!

    Joyfulsong11
     

  23. thisisu

    thisisu Malware Consultant

    Your logs look clean to me.
    What problems are you still having?

I have a small registry fix that you can use, but this is not related to malware. This will just remove some remnants of Norton AV and Firewall which might have been causing some conflicts with ComboFix and/or F-PROT Antivirus.
    Note: Remember, this is purely optional.

Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Also, are you aware of these folders?
    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)
     
  24. thisisu

    thisisu Malware Consultant

    Sorry I didn't see this earlier.
    The below is for removing the remnants of F-Prot Anti-Virus:
    Note: You can do this either before or after the above set of instructions (If you do decide to do those)

Please download The Avenger by Swandog46 to your desktop.
    See the download links under this logo: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Open avenger.zip and extract avenger.exe to your desktop
    • Run avenger.exe by double-clicking on it.
    • Click OK at the warning to continue to use The Avenger
      Note: Do not change any of the check box options!
    • Shut down your protection software now to avoid possible conflicts.
    • Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    • Now click the http://img651.imageshack.us/img651/7710/avengerexec.png button
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    • Attach this log to your next message. (How to attach items to your post)
     
