Virus Removed (I hope), other issues?


19 replies to this topic

#1 Mike Davalos


Posted 07 May 2012 - 06:43 PM

Edit: Whoops, forgot to add what the virus was. I believe it was "Windows Internet Security 2012". Thanks!

Hi All!

Let me introduce myself, my name is Mike. I'm not a computer expert, however I do know my way around a computer and can perform and follow instructions for the most part. Now on to the problem.

Her Computer Specs:
Windows Xp HOME Edition (SP2)
Intel Celeron D @ 3.20 Ghz
222MB RAM


A friend of mine asked me to look at her computer; she claims it was running 'slow'. Upon boot up I noticed this is a very old computer (222 MB RAM and an Intel Celeron D processor :wacko: ). Besides that, she was infected with what looked like an adware virus, telling her she cannot connect to the internet, her computer is infected, and that purchasing the advertised virus remover was the only solution (screw that!). I was able to get Malwarebytes installed through safe mode from a USB drive, however the MBAM rules were about 5 months old. MBAM was able to remove the virus (as far as I can tell!), however I am now receiving a "Limited or No Connectivity" popup, and I am unable to connect to the internet.

I am assuming the virus(es) did something to her internet connection, disabling, corrupting, or deleting some important files! I come here today asking you guys for some help on this; any and all help will be much appreciated!

I will post some logs here, a Malwarebytes log (note - I was able to get malwarebytes updated manually, so I will post a new log with a new scan), and a SuperAntiSpyware log (attached via txt file). Hopefully her computer is cleaned up after MBAM and SAS ran their course. Thanks for looking!

-Mike


Edited by Mike Davalos, 07 May 2012 - 06:47 PM.



#2 m0le


Posted 10 May 2012 - 07:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Mike Davalos


Posted 10 May 2012 - 08:10 PM

Hi m0le! Thread is subscribed, awaiting your instructions! And Thanks!

#4 m0le


Posted 11 May 2012 - 05:10 PM

Let's check the connection first of all

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

m0le is a proud member of UNITE

#5 Mike Davalos


Posted 11 May 2012 - 06:33 PM

Hiya m0le, here is the FSS Log:

Farbar Service Scanner Version: 11-05-2012
Ran by Familia Caro (administrator) on 11-05-2012 at 18:24:23
Running from "C:\Documents and Settings\Familia Caro\Desktop"
Microsoft Windows XP Home Edition Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-03 17:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-03 17:00] - [2008-06-20 05:44] - 0138368 ____A () 379996DC1FFF09354442463A8EA698C7

ATTENTION!=====> C:\WINDOWS\system32\Drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 17:00] - [2004-08-03 17:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-03 17:00] - [2008-06-20 05:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 17:00] - [2004-08-03 17:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 17:00] - [2008-02-20 00:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F

C:\WINDOWS\system32\svchost.exe
[2004-08-03 17:00] - [2004-08-03 17:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-03 17:00] - [2005-07-25 23:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2004-08-03 17:00] - [2004-08-03 17:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000800000005000000010000000200000003000000040000000600000007000000


**** End of log ****

#6 m0le


Posted 11 May 2012 - 06:41 PM

ATTENTION!=====> C:\WINDOWS\system32\Drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.


Well, that's fairly clear then. :)


Please run SystemLook which will locate a clean backup for us to use

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    afd.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#7 Mike Davalos


Posted 11 May 2012 - 06:59 PM

SystemLook log file:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:54 on 11/05/2012 by Familia Caro
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a---- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a---- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a---- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138496 bytes [09:22 18/07/2008] [22:00 03/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138368 bytes [22:00 03/08/2004] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
C:\WINDOWS\system32\drivers\afd.sys --a---- 138368 bytes [22:00 03/08/2004] [10:44 20/06/2008] 379996DC1FFF09354442463A8EA698C7

-= EOF =-

#8 m0le


Posted 11 May 2012 - 07:18 PM

We have a couple of candidates here. The next part is tricky, because we have to do this in the recovery environment in the command prompt.


First we need to copy a clean file to replace the infected one.

Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\system32\dllcache\afd.sys C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.
Now we need to boot into the Recovery Environment:

Reboot your computer. Combofix should have installed the recovery console so this should already be available.

Follow the instructions here to start it

Next

Type cd system32\drivers and press Enter.
Type ren afd.sys afd.vir and press Enter.
Then type copy C:\afd.sys afd.sys and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Please run FSS again and post the log.

Thanks :thumbup2:
m0le is a proud member of UNITE
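The two posts above boil down to a repeatable check: read the FSS "File Check" section for a flagged or unsigned-looking driver, read the SystemLook ":filefind" results for backup copies of the same file, pick one that has the same size (so it belongs to the same service-pack build) but a different hash, and after the swap confirm with a second FSS run that the live file now carries the backup's hash and a company name. The script below is an added example written for this page; it is not code from the thread, from Farbar Service Scanner or from SystemLook. The log excerpts inside it are constructed from the logs posted in this thread, and the ranking of backup locations (dllcache first, then $hf_mig$, then $NtUninstall) and the equal-size rule are the editor's assumptions, not rules the tools apply.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Editor's example, not code from the thread or from FSS/SystemLook. The log
# excerpts below are constructed from the logs posted in this thread.
FSS_BEFORE = """\
C:\\WINDOWS\\system32\\Drivers\\afd.sys
[2004-08-03 17:00] - [2008-06-20 05:44] - 0138368 ____A () 379996DC1FFF09354442463A8EA698C7

ATTENTION!=====> C:\\WINDOWS\\system32\\Drivers\\afd.sys IS INFECTED AND SHOULD BE REPLACED.

C:\\WINDOWS\\system32\\Drivers\\tcpip.sys
[2004-08-03 17:00] - [2008-06-20 05:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9
"""
FSS_AFTER = """\
C:\\WINDOWS\\system32\\Drivers\\afd.sys
[2012-05-11 19:26] - [2008-06-20 05:44] - 0138368 ____A (Microsoft Corporation) 944CA435BFCFC82CC1ED9E3A7D731AA9
"""
SYSTEMLOOK = """\
C:\\WINDOWS\\$hf_mig$\\KB951748\\SP2QFE\\afd.sys --a---- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\\WINDOWS\\$hf_mig$\\KB951748\\SP3GDR\\afd.sys --a---- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\\WINDOWS\\$NtUninstallKB951748$\\afd.sys -----c- 138496 bytes [09:22 18/07/2008] [22:00 03/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\\WINDOWS\\system32\\dllcache\\afd.sys --a--c- 138368 bytes [22:00 03/08/2004] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
C:\\WINDOWS\\system32\\drivers\\afd.sys --a---- 138368 bytes [22:00 03/08/2004] [10:44 20/06/2008] 379996DC1FFF09354442463A8EA698C7
"""

@dataclass
class FileEntry:
    path: str
    size: int
    company: str            # version-info company name that FSS prints in parentheses
    md5: str
    flagged: bool = False   # FSS printed an ATTENTION line for this file

FSS_DETAIL = re.compile(r"^\[.+?\] - \[.+?\] - (\d+) \S+ \((.*?)\) ([0-9A-Fa-f]{32})$")
FSS_ATTENTION = re.compile(r"^ATTENTION!=+> (.+?) IS INFECTED", re.IGNORECASE)
SL_LINE = re.compile(r"^(.+?) ([-a-z]{7}) (\d+) bytes \[.+?\] \[.+?\] ([0-9A-Fa-f]{32})$")

def parse_fss_file_check(text: str) -> Dict[str, FileEntry]:
    """Parse an FSS 'File Check' section into {lower-cased path: FileEntry}."""
    entries: Dict[str, FileEntry] = {}
    pending: Optional[str] = None   # path line waiting for its detail line
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = FSS_ATTENTION.match(line)
        if m:
            if m.group(1).lower() in entries:
                entries[m.group(1).lower()].flagged = True
            continue
        m = FSS_DETAIL.match(line)
        if m and pending:
            entries[pending.lower()] = FileEntry(pending, int(m.group(1)), m.group(2), m.group(3).upper())
            pending = None
        else:
            pending = line
    return entries

def parse_systemlook_filefind(text: str) -> List[FileEntry]:
    """Parse SystemLook ':filefind' result lines (path, attributes, size, two dates, MD5)."""
    return [FileEntry(m.group(1), int(m.group(3)), "", m.group(4).upper())
            for m in (SL_LINE.match(l.strip()) for l in text.splitlines()) if m]

def suspicious(e: FileEntry) -> bool:
    # FSS prints "()" when the file carries no company name; for a Microsoft system
    # file that is as telling as the explicit ATTENTION line.
    return e.flagged or not e.company

# Backup locations in order of preference (editor's assumption): the Windows File
# Protection cache first, then the hotfix migration store, then the uninstall folder.
PREFERENCE = ("\\system32\\dllcache\\", "\\$hf_mig$\\", "\\$ntuninstall")

def select_replacement(bad: FileEntry, candidates: List[FileEntry]) -> Optional[FileEntry]:
    """Pick a backup copy: same name, same size (same service-pack build), different hash."""
    name = ntpath.basename(bad.path).lower()
    usable = [c for c in candidates
              if ntpath.basename(c.path).lower() == name
              and c.path.lower() != bad.path.lower()
              and c.md5 != bad.md5 and c.size == bad.size]
    def rank(c: FileEntry) -> int:
        p = c.path.lower()
        return next((i for i, mark in enumerate(PREFERENCE) if mark in p), len(PREFERENCE))
    return min(usable, key=rank) if usable else None

def verify_replacement(fss_after: str, target_path: str, chosen: FileEntry) -> bool:
    """After the swap the live file must carry the backup's hash, a company name and no ATTENTION."""
    e = parse_fss_file_check(fss_after).get(target_path.lower())
    return e is not None and not e.flagged and e.company != "" and e.md5 == chosen.md5

if __name__ == "__main__":
    before = parse_fss_file_check(FSS_BEFORE)
    backups = parse_systemlook_filefind(SYSTEMLOOK)
    for e in filter(suspicious, before.values()):
        pick = select_replacement(e, backups)
        print(f"{e.path}: replace with {pick.path if pick else 'no suitable backup'}")
        if pick:
            print("  verified after reboot:", verify_replacement(FSS_AFTER, e.path, pick))
```

Run against the constructed excerpts, the script picks the dllcache copy (the one m0le chose) over the SP2QFE hotfix copy, and the "after" FSS excerpt from post #13 verifies because the live afd.sys now reports the dllcache hash and a company name. Note that neither tool checks an Authenticode signature: the company name in parentheses comes from the file's version resource, and a cache copy could itself have been tampered with, which is why the second FSS run (and the ESET scan that follows in this thread) still matters.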

#9 Mike Davalos


Posted 11 May 2012 - 07:28 PM

Hi m0le, prior to coming here to Bleeping I did try to run ComboFix however it did not install correctly, or work correctly. A recovery console was never installed/created, how to proceed from here?

#10 m0le


Posted 11 May 2012 - 07:35 PM

See the Microsoft installation guide here
m0le is a proud member of UNITE

#11 Mike Davalos


Posted 11 May 2012 - 07:56 PM

Hi m0le, this will have to wait until tomorrow, I do not have a Windows XP CD disc with me :killcomp: . I will see if I can get it from the person whose computer this is, or see if a buddy has one lying around. Can we continue this tomorrow?


Edit: Typo!

Edited by Mike Davalos, 11 May 2012 - 07:57 PM.


#12 m0le


Posted 11 May 2012 - 08:54 PM

No problem. :thumbup2:
m0le is a proud member of UNITE

#13 Mike Davalos


Posted 12 May 2012 - 10:53 AM

Hi m0le, I was able to borrow a windows xp pro CD from my office, here is the FSS log after those instructions (internet working, yay!):

Farbar Service Scanner Version: 11-05-2012
Ran by Familia Caro (administrator) on 12-05-2012 at 10:49:08
Running from "C:\Documents and Settings\Familia Caro\Desktop"
Microsoft Windows XP Home Edition Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-03 17:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys
[2012-05-11 19:26] - [2008-06-20 05:44] - 0138368 ____A (Microsoft Corporation) 944CA435BFCFC82CC1ED9E3A7D731AA9

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 17:00] - [2004-08-03 17:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-03 17:00] - [2008-06-20 05:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 17:00] - [2004-08-03 17:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 17:00] - [2008-02-20 00:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F

C:\WINDOWS\system32\svchost.exe
[2004-08-03 17:00] - [2004-08-03 17:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-03 17:00] - [2005-07-25 23:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2004-08-03 17:00] - [2004-08-03 17:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000800000005000000010000000200000003000000040000000600000007000000


**** End of log ****

#14 m0le


Posted 12 May 2012 - 04:09 PM

Please do a final scan with ESET

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.
m0le is a proud member of UNITE

#15 Mike Davalos


Posted 12 May 2012 - 07:03 PM

Hi m0le, Eset found some viruses it looks like and removed them, here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=844e21bb86f81d4bb7dfa2dac2418a44
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-12 11:46:17
# local_time=2012-05-12 06:46:17 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=60260
# found=7
# cleaned=7
# scan_time=1729
C:\Documents and Settings\Familia Caro\Local Settings\Temp\21B.tmp a variant of Win32/BHO.OEB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Familia Caro\Local Settings\Temp\237.tmp a variant of Win32/BHO.OEB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Familia Caro\Local Settings\Temp\238.tmp a variant of Win32/BHO.OEB trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Familia Caro\Local Settings\Temp\25C.tmp a variant of Win32/Kryptik.ACML trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Familia Caro\Local Settings\Temp\CSM6F.tmp a variant of Win32/Adware.Mongoose.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Familia Caro\Local Settings\Temp\iolowupd\SystemShield3.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\afd.vir a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C



