afd.sys missing

[vlabla]

Hi, Have a problem on WinXP machine after malware removal. Cannot obtain IP address from the wi-fi router. AFD.sys file is missing and DHCP client service cannot be started. I have copied afd.sys from i386 folder but still no luck. Attached is FSS scan from Farbar scanner. Please help. Thanks.

[chaslang]

Welcome to Major Geeks!


Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

[vlabla]

Hi, Here are logs attached. In the meantime I have recovered afd.sys and can connect to the wi-fi router and and can obtain IP address but DNS is still not working. Thanks a lot!

[chaslang]

Several reboots will be necessary during the below procedure!!

Rescan with HitmanPro

• When it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
• Leave any other detections alone (Ignore them).
• Afterwards, click the Next button.
• HitmanPro may want to reboot the PC in order for the changes to take affect, please do so.
• After reboot and when you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log See: HOW TO: Attach Items To Your Post.

Then run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

Quote:

[SUSP PATH] HKCU\[...]\Winlogon : Shell (C:\Dokumente und Einstellungen\muminovic\Lokale Einstellungen\Anwendungsdaten\fc7762e3\X) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-844815161-3566420864-622588331-1006[...]\Winlogon : Shell (C:\Dokumente und Einstellungen\muminovic\Lokale Einstellungen\Anwendungsdaten\fc7762e3\X) -> FOUND

Then immediately reboot your PC.

After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

Then uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 16

Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninst..."ver=10.0.1424

After clicking Fix, exit HJT.



Please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Dokumente und Einstellungen\muminovic\Lokale Einstellungen\Anwendungsdaten\fc7762e3\X
C:\Dokumente und Einstellungen\muminovic\Lokale Einstellungen\Anwendungsdaten\fc7762e3
 
:Reg
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ROC_roc_dec12]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updateMgr]
:Commands
[purity]
[EmptyTemp]
[start explorer]
 

[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment



Be patient while doing the below. The fixes can take quite awhile to run. Especially the permissions repairs. It may be best to kick it off and goto bed or do something else. It is better not to run anything while the repairs are going on.

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• the the new RogueKiller log log
• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[vlabla]

Hi,
Cannot download OTM as it is reported as a virus on my machine. I am downloading on another machine, not the damaged one as DNS is not working on it.
Will it work without TM? Any alternative or clean version of OTM?
Also didn't find services.exe in the first step.
Thanks.

[chaslang]

OTM is not a virus. You need to shutdown your protection software since it appears to be getting in your way and it is incorrect.

[vlabla]

Hi, cannot download OTM as my other machine is a business one and cannot shut down anti virus.. Here are two other logs. DNS still does not work. thanks for the advice.

[chaslang]

Your Windows Firewall has now been fixed. It was not running previously.

Quote:

Originally Posted by vlabla

Hi, cannot download OTM as my other machine is a business one and cannot shut down anti virus..

You need to be able to download and save the tools we require inorder for us to help you. Find another PC ( a friends ....etc ) and get the tools onto a USB drive to copy to the infected PC.

Also please do the below.


Now please download Farbar Service Scanner and run it on the computer with the issue.

• Put a check mark in each option box on the left side.
• Click "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach this log to your next reply.

Now please also download MBRCheck to your desktop.


See the download links under this icon

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Are you using a router? Does DNS work if you temporarily by pass your router?