Computer was infected with trojans/malware


I had to use Malwarebytes (great program) as the MS SE didn't protect my machine from malware.

I was infected with what I thought was XP 2009 antivirus (or some form thereof).

After cleaning with Malwarebytes, I'm still getting a stream of alerts about an "outgoing" web address being blocked,

with address: 83.133.121.147 etc.

Also, my network logon has the error: migratewinsockconfiguration failed.... MSWSICK.DLL not found and IFMON.DLL not found. I have checked, and both those "files" exist in system32.

Hopefully one of the many experts here will find what I've missed.

Thanks!

Sat

dds.txt

attach.txt


Thanks for the instructions

here is the paste for the FSS.txt

Farbar Service Scanner

Ran by ssingh (administrator) on 16-12-2011 at 10:38:29

Microsoft Windows XP Professional Service Pack 3 (X86)

********************************************************

Service Check:

==============

File Check:

===========

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys

[2006-02-28 04:00] - [2011-08-17 05:49] - 0138496 ____A (Microsoft Corporation) 5BE37C30C9751AB97A1C731CA571FC14

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:

==================

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

**** End of log ****


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    afd.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


Thank you for the help so far!

SystemLook 30.07.11 by jpshortstuff

Log created at 16:16 on 16/12/2011 by ssingh

Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys --a---- 138496 bytes [20:24 16/06/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys --a---- 138496 bytes [12:27 12/10/2011] [13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a---- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6

C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a---- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a---- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a---- 138496 bytes [17:33 15/10/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$NtServicePackUninstall$\afd.sys --a--c- 138368 bytes [23:19 08/10/2008] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys -----c- 138496 bytes [21:38 16/06/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys -----c- 138496 bytes [15:09 14/04/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys -----c- 138496 bytes [14:28 12/10/2011] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89

C:\WINDOWS\$NtUninstallKB951748$\afd.sys --a--c- 138112 bytes [23:31 08/10/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys --a--c- 138496 bytes [21:29 08/10/2008] [12:00 28/02/2006] 5AC495F4CB807B2B98AD2AD591E6D92E

C:\WINDOWS\$NtUninstallKB956803$\afd.sys --a--c- 138496 bytes [17:44 15/10/2009] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\ServicePackFiles\i386\afd.sys --a---- 138112 bytes [23:14 08/10/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154\SP3GDR\afd.sys --a---- 138496 bytes [15:48 13/12/2011] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154\SP3QFE\afd.sys --a---- 138496 bytes [15:48 13/12/2011] [13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3gdr\afd.sys --a---- 138496 bytes [14:43 16/10/2008] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138496 bytes [11:40 20/06/2008] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [12:00 28/02/2006] [13:49 17/08/2011] 5F56E641A750FE48D4D6A24C0081FCD2

-= EOF =-


Did you run any tools? Because the file in question is now the correct one.

It's now this one:

C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [12:00 28/02/2006] [13:49 17/08/2011] 5F56E641A750FE48D4D6A24C0081FCD2

Was this one (malware)

C:\WINDOWS\system32\Drivers\afd.sys

[2006-02-28 04:00] - [2011-08-17 05:49] - 0138496 ____A (Microsoft Corporation) 5BE37C30C9751AB97A1C731CA571FC14

-------------------

Please download and run TDSSKiller as outlined in the post below:

http://forums.malwarebytes.org/index.php?showtopic=100665&view=findpost&p=499595

Post back the log, MrC
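The comparison MrC makes above (the hash FSS flagged against the copy now on disk) can be done systematically. The following Python is an added example, not part of this thread or of the SystemLook tool: it parses `:filefind` result lines in the format posted, then checks each live file's MD5 against the copies Windows XP keeps in dllcache, ServicePackFiles and the update folders that share the same size and modification time (which folders count as reference copies is an assumption of the script). The sample lines are copied from the SystemLook log above.

```python
import re
from collections import defaultdict

# One SystemLook ":filefind" result line:  <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{7}) (?P<size>\d+) bytes "
                     r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")
# Assumption: these path fragments are the folders where Windows XP keeps reference copies of system files.
REFERENCE_DIRS = ("\\dllcache\\", "\\ServicePackFiles\\", "\\$hf_mig$\\",
                  "\\SoftwareDistribution\\", "\\$NtUninstall", "\\$NtServicePackUninstall$\\")
# Sample lines copied from the SystemLook log posted above (non-result lines are skipped).
SAMPLE_LOG = r"""
Searching for "afd.sys"
C:\WINDOWS\ServicePackFiles\i386\afd.sys --a---- 138112 bytes [23:14 08/10/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154\SP3GDR\afd.sys --a---- 138496 bytes [15:48 13/12/2011] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138496 bytes [11:40 20/06/2008] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [12:00 28/02/2006] [13:49 17/08/2011] 5F56E641A750FE48D4D6A24C0081FCD2
"""

def parse_filefind(text):
    """Return one dict per result line; headers, footer and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"], e["md5"] = int(e["size"]), e["md5"].upper()
            entries.append(e)
    return entries

def is_reference_copy(path):
    return any(frag.lower() in path.lower() for frag in REFERENCE_DIRS)

def check_live_files(entries):
    """Map each live (non-reference) path to a reason it deserves a second look; clean files are omitted."""
    refs = defaultdict(set)          # (size, modified) -> MD5s seen in reference folders
    for e in entries:
        if is_reference_copy(e["path"]):
            refs[(e["size"], e["modified"])].add(e["md5"])
    findings = {}
    for e in entries:
        if is_reference_copy(e["path"]):
            continue
        known = refs.get((e["size"], e["modified"]), set())
        if not known:
            findings[e["path"]] = "no reference copy with the same size and mtime"
        elif e["md5"] not in known:
            findings[e["path"]] = "MD5 differs from reference copy " + ", ".join(sorted(known))
    return findings
```

On the sample lines the live driver's MD5 matches neither cached copy that carries the same timestamp, which is exactly the situation to settle against a vendor-published hash, as the FSS "MD5 is legit" check does.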


Ok,

I ran the TDSSKILLER.EXE; it found 1 infected file (high risk) and one moderate risk, and I deleted them both.

Then my ADD kicked in, as I got distracted by eight $100 bills. Was selling a used forklift.

I didn't save the log, did a restart of the computer and what do you know:

A. The NETSH.EXE errors in the cmd prompt never occurred

B. The "archive Outlook Express content" box didn't come up (I don't use Outlook Express)

C. My email began working again

D. A full run of AV and Malwarebytes (updating both first) came up clean

Thank you so very much for your help, MrCharlie; it was very nice dealing with a person and community that wasn't talking down to me as some forums seem to do.

Sat


OK

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Have a Good Holiday and New Year!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
