Prevailing infections after System Restore

Discussion in 'Malware Help (A Specialist Will Reply)' started by MaliceMizer661, Aug 27, 2008.

  1. MaliceMizer661

    MaliceMizer661 Private E-2

    I had accidentally run an .exe file before scanning it, and my system was flooded with various viral infections (one of them was the MS Antivirus 2008, which made my desktop white and tons of popups.) I am sure that was not the only infection my system received.

    I panicked and removed what I could with Antivir/Spybot, and I stopped a few processes in the startup (msconfig) that were obviously viral. Apparently the virus was still there (desktop was still messed.) Then I remembered how you guys fixed my old system a few years ago with my HJT logs, so I came to this site and was following the directions that one should follow before posting any Hijack log.

    I was following the steps and getting ready to post a log; and in the middle of that I came to the conclusion that a System Restore would be the best idea. So I did a system Restore to a restore point merely just a couple of hours before my system got infected.

    Upon reboot, everything seems ok (only because the desktop image has returned to normal.) I'm still quite paranoid. I see a file called $$DeleteMe.es.dll.01c9087bdac806e7.0000 in my C: folder, and folders called RdDrv001, Reference Assemblies, in my program files folder.

    Can someone please review my logfile? (I created the logfile after booting up, but I was already running Mozilla and doing another system scan with Antivir at the same time, is that ok?)

    One last thing: my external Hard-drive was connected while the infection occurred. I disconnected it about an hour later; and the system restore was done after I disconnected it. I am worried that a prevailing infection could be present on that hard-drive. What do you think?

    Sorry for the wordy post, I just get really panicky about this sort of thing! :)

    Thanks in advance,
    Scott
     

    Last edited: Aug 27, 2008
  2. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    After we verify your computer is clean of malware I would hook it back up and run a full anti-virus scan on the drive.

    That's fine, but to get a good look into your system we will need more information than just a HijackThis log.


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
    Last edited by a moderator: Aug 27, 2008
  3. MaliceMizer661

    MaliceMizer661 Private E-2

    Thanks a lot for the quick reply.

    I just finished all the prescribed steps. If everything is ok, will I have to do all that again with my external drive hooked up?
     
    Last edited by a moderator: Sep 5, 2008
  4. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    Do you also have the logs from MalwareBytes' Anti-Malware and Combofix handy?
     
  5. MaliceMizer661

    MaliceMizer661 Private E-2

    Oh yes, I forgot to mention I did not complete the Combofix step. I was afraid to proceed because I do not have my Vista disc handy (left it in America.) I did in fact do the Malwarebytes scan though, where is the logfile located?
     
  6. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    If you open MalwareBytes' anti-Malware and go to the logs tab it should list all the scanning logs it has on record. Simply double click the newest one (only one probably) and copy and paste the log into your next reply.
     
  7. MaliceMizer661

    MaliceMizer661 Private E-2

    Thanks, here it is:


    Malwarebytes' Anti-Malware 1.25
    Database version: 1090
    Windows 6.0.6000

    23:26:16 2008/08/28
    mbam-log-08-28-2008 (23-26-16).txt

    Scan type: Quick Scan
    Objects scanned: 36388
    Time elapsed: 2 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
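    As an added example (not from the thread or from any MajorGeeks tool), here is a small Python parser for the Malwarebytes' Anti-Malware 1.x log layout posted above: it pulls out the header fields, the per-category "Infected" counts and any listed detections, so a batch of logs can be triaged without reading each one by hand. The sample log is constructed and its detection path is a placeholder.

```python
import re

# Constructed sample in the MBAM 1.x log layout posted in the thread (placeholder path).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.25
Database version: 1090

Scan type: Quick Scan

Memory Processes Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
G:\\EXAMPLE\\sample.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# A detection line reads: <item> (<threat name>) -> <action taken>.
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (header fields, per-category counts, list of detections)."""
    header, counts, detections = {}, {}, []
    section = None  # name of the detail section we are currently inside
    for line in text.splitlines():
        line = line.strip()
        if not line:
            section = None  # blank line ends a detail section
            continue
        if section is not None:
            m = DETECTION.match(line)  # "(No malicious items detected)" does not match
            if m:
                detections.append({"category": section, **m.groupdict()})
            continue
        if line.endswith("Infected:"):  # start of a detail section, e.g. "Files Infected:"
            section = line[:-1]
            continue
        key, sep, value = line.partition(":")
        if sep and key.endswith("Infected") and value.strip().isdigit():
            counts[key] = int(value)  # summary line, e.g. "Files Infected: 1"
        elif sep:
            header[key] = value.strip()  # e.g. "Database version: 1090"
    return header, counts, detections

def needs_attention(text):  # True when any count is non-zero or a detection is listed
    _, counts, detections = parse_mbam_log(text)
    return any(counts.values()) or bool(detections)
```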
  8. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    Your logs actually look pretty good, I would indeed suggest running an anti-virus scan on your external hard drive the moment you plug it back in to the computer again.

    How is your computer currently running?
     
  9. MaliceMizer661

    MaliceMizer661 Private E-2

    The computer seems to be running as it did before this ordeal started. Perhaps the boot-up process seems to take longer, but that could just be paranoia. I will connect the hard-drive when I get back to my home later. The thing I just keep thinking though, is what if there is some infection that is not being detected by any scanner? Of course then there wouldn't be much we could do about that, but the thought of someone possibly having access to my system (and then it eventually crashing,) is making me really paranoid. Thanks a lot for the help though, what do you think?
     
  10. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    If my computer ever became heavily infected I can tell you this is one thing I would always be worried about, and it is for this reason if a computer is heavily infected with backdoor trojans or key-loggers I will always highly recommend a complete system reformat. However, in regards to your case specifically, if you were this heavily infected I assure you there still would have been more traces left lying around than there previously were.

    There can obviously never be a 100% guarantee that a computer is perfectly clean again, but I would say your odds are looking pretty good. I do have some final cleanup advice for you, but I'll wait until the other hard drive is dealt with first.
     
  11. MaliceMizer661

    MaliceMizer661 Private E-2

    I agree that a system reformat would be the best option; I would have already done so if I had my Vista-installation disc. Now I understand, I should not go anywhere without an OS disc.

    Upon scanning my external drive, I first scanned with Antivir, it recommended that I also scan the "boot" (? I don't remember what it said) so I said yes, it then picked up this detection:

    -TR/Dldr.small.ewa

    I chose the "delete" option (does that even do anything?)

    It was intended to be just a scan of the external HD, but scanned my whole system again and picked up that 1 detection, 2 suspicious files, and 130 warnings. I have the logfile if needed.

    Super AntiSpyware scan indicated that no harmful software was found (scan was only run on the external HD.)

    Malwarebytes (run only on the external HD) found an infected file:
    "Files Infected:
    G:\Programs\WinAVI.Video.Converter.v8.0.Incl.Keymaker- CORE\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully."
    Full log can be posted if necessary.
    (I guess I deserved that one, downloading a keygen)

    What do you think? Is there another scan I am missing? It seems minimal infections are present on both drives, but I haven't noticed anything that seems to be hindering my system. Could this bite me in as* 6 months down the road if I don't do a full re-format?
     
  12. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    It should actually delete the infected file if that option is chosen, on the hope the file doesn't manage to respawn later.

    It would be nice if you could post the logfile here for review.

    Let me take a look at the full anti-virus scan log, we'll see what specific infections might still be hanging around. I think you'll be alright 6 months down the road.
     
  13. MaliceMizer661

    MaliceMizer661 Private E-2

    Thanks a lot for the advice. I can't attach the logfile:
    "Your submission could not be processed because a security token was missing."
    Probably because the logfile is 14MB, the scan took over an hour. What should I do?

    By the way, is that file it deleted a serious trojan or something?

    Also, do you know what this "$$DeleteMe.es.dll.01c9087bdac806e7.0000" file is in my C: folder? I don't want to delete it because it says 'delete me', haha. Sounds like a trick.
     
    Last edited: Aug 30, 2008
  14. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    The one Malwarebytes' Anti-Malware deleted?

    Well, as long as you don't click on it you should be ok. Go ahead and just select it and permanently delete the file, just use the key combination Shift + Del at the same time.

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Follow the Instruction Here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, Click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.
     
  15. MaliceMizer661

    MaliceMizer661 Private E-2

    Thanks again for the help.
    I was referring to the TR/Dldr.small.ewa, which I "deleted" with Antivir. Won't it just come back after I tried to delete it?

    The online scanner said everything was safe, except that I need to update some programs.

    Is there another scan I should do again? Re-do the Antivir scan or something?
     
  16. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    Unless it has come back before after you've deleted it with AntiVir, I think you'll be alright there.

    You can run through AntiVir again if you wish, but I would like to see the MGTools logs again.

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it, and then attach the resulting logfile here.
     
  17. MaliceMizer661

    MaliceMizer661 Private E-2

    I see what you mean regarding that file. I will re-do the Antivir scan and see if it picks it up.

    I will gladly post those logs again, but I am slightly confused because won't they be the same as before? I haven't run the scans with the other programs (MGtools programs) since the first MGlogs that I posted before.
     
  18. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    I want to make sure no new malware has appeared in the logs since this time.
     
  19. MaliceMizer661

    MaliceMizer661 Private E-2

    Oh the logs automatically update themselves? I've only run the antivir scan since then I think.

    (I just tried twice to attach the file Mglogs.zip, and it says it's already been uploaded in this thread. Should I just change the filename or something?)
     
  20. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    Yes, just change the file name to something else.
     
  21. MaliceMizer661

    MaliceMizer661 Private E-2

    Hello __RiP_ChAiN_,

    Here is the file with the modified file name. I just don't understand how the logs will be any different than they were the first time I posted them (?)

    Thanks


    (I just tried uploading it twice with different filenames, and the same issue is occurring!)
     
  22. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    When you run through the MG logs process again it creates new logs for us to go through. I deleted your older attachment from your post, please try attaching the newer logs again.
     
  23. MaliceMizer661

    MaliceMizer661 Private E-2

    Oh, I thought you were saying to post the same file again. I still have not had time to run through those scans again. So I just run through the scanning process again for all those programs and then post it? Ok, I can do it soon, it's just that I'm having many other non-computer related obligations which have needed my attention. Thank you :)
     
  24. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    Just the logs for MGTools. You can do this by running the C:\MGtools\GetLogs.bat file by double clicking on it, and then attaching the resulting logfile here.
     
  25. MaliceMizer661

    MaliceMizer661 Private E-2

    I just re-did the whole scanning process prescribed by MG (except for the combofix), here is the resulting logfile (my external drive was not connected).
    Thanks a lot for staying with me on this.
     

  26. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    Your logs look pretty good now, how is your computer currently running?
     
  27. MaliceMizer661

    MaliceMizer661 Private E-2

    I think everything seems to be running normally, though one of the scans said something about detecting a registry-alteration (?) or something like that. Also, the programs picked up stuff that did not pick up the other times I did the scans before. Does that mean something is hiding and comes back after I delete it?
     
  28. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    There could be quite a few reasons for a registry alteration, it probably doesn't mean malware.

    Which programs are picking up what? Most times these anti-malware programs will find basic cookies and other minor stuff that is of no worry.
     
  29. MaliceMizer661

    MaliceMizer661 Private E-2

    I'm not sure what exactly it had picked up, and I forgot which programs picked up something. It was something which was not in the first scans though. Should I re-run the scans and include my external HD now? If you are right though I am worrying about nothing at this point and everything is ok :D
     
  30. __RiP_ChAiN_

    __RiP_ChAiN_ Private First Class

    Hello MaliceMizer661,

    You can hook up your external hard drive and re-run your scans if you wish, but if you're no longer noticing anything out of the ordinary I think you're about good to go now and we'll finish up here.

    Let me know :)
     
