AFD service keeps getting stopped and deleted and more bad signs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jgray127, Nov 27, 2012.

  1. jgray127

    jgray127 Private E-2

    Hi, and thanks in advance!

    Over the weekend, my computer stopped being able to connect to the network - both in house and the general internet. MS Security informed me my firewall wasn't functioning (and I am unable to get it to start) and I cannot run Windows Update. SuperAntispyware and AVG seem to be running fine.

    The system event viewer was full of red errors, and I was able to figure out that the AFD service was not starting, nor did it exist any longer. Using advice from a forum, I was/am able to boot into safe mode, replace the AFD.SYS into the system32/drivers folder, add the AFD registry key back (from another working XP computer) and reboot which gives me back network connectivity until I reboot. Monitoring the system32/drivers folder, I can see that the AFD.SYS is being deleted when rebooted. At no point was I able to get the Windows firewall working. I was able to install Zone Alarm in the interim and it appears to be functioning. I am unable to use System Restore as well.

    Nothing I've run appears to have found anything damaging. The only thing that I noticed prior to all this happening was that when opening a new tab in Chrome, I was getting a search box similar to Google's but to the left of the box was a pinwheel like icon in Google's primary colors.

    I ran/did everything that was asked to do before posting for help. I am attaching all the requested log files.

    Help!
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Per your logs you still don't have the AFD service running. Did you do your fixes after obtaining the logs? If so it would have been better to give us more current logs.


    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. jgray127

    jgray127 Private E-2

    Ok..

    First, you have the most current log. If I start the computer in Safe mode (no networking) I can place a copy of AFD.sys in windows/system32/drivers and add the AFD registry entry that I exported from a good installation. Then, if I power down and start the computer again, 2 out of 3 times when the computer starts, I have networking capability. If I then reboot, the AFD service has been removed from the registry and AFD.sys gets deleted from windows/system32/drivers. It was after a reboot with no AFD service that I ran the logs.

    JRT ran without a problem, and its log is attached.

    Repair Windows ran for 11 hours and then abruptly quit. It was resetting permissions in c:programs when this occurred. I rebooted and ran it again. This time it completed in about an hour. The MGLogs.zip from this are attached.

    When it rebooted after running Repair Windows, Zone Alarm (which I had temporarily installed since Windows Firewall was not functioning) threw up several warnings that Hijack This was attempting to change the hosts file, as well as trying to set a program to launch when Windows starts. I've also attached these warnings. I denied it the ability to make the changes, and got another message from HiJack This about its failure to change the host file. This message is attached as well.

    After running "Repair Windows" I was able to choose to restore my computer to a previous restore point (I did not choose to, I was just checking.) Prior to this when booting in safe mode and given the option, system restore couldn't/wouldn't start.

    Finally when it rebooted, I was still unable to connect to the network, but the AFD.SYS file had not been deleted and was still in its proper place.

    I hope this makes sense!

    Thanks again for the help...
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Normal and should not be interrupted. It would actually be better to uninstall Zonealarm as it will serve more to get in your way than it will to help. Please uninstall it now. Also uninstall AVG2013 as it is also getting in the way. Then continue with the below.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. jgray127

    jgray127 Private E-2

    You said to copy the bold text below to notepad to create a registry entry. Does that include "Windows Registry Editor Version 5.00?" I wanted to be sure, as it was in bold.

    Also, what about the fact that I allowed Zone Alarm to block the hosts file from being written? Will that correct itself or will it be addressed after I take the next steps in your instructions?

    Thanks again for your assistance!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, everything in bold inside the quote box. The Windows Registry Editor Version 5.00 line must be the 1st line in the file.

    Did you uninstall ZA as requested? If so, we can fix any locked files manually if necessary.
     
  7. jgray127

    jgray127 Private E-2

    Yes, ZA was uninstalled as requested.

    I did as you requested. I got a "successfully merged" once I double clicked it. I think it's identical to the AFD regfix I mentioned in my initial post that I use in safe mode. I attached it to this so you can compare if needed, along with the MGLogs.

    Upon reboot, I still did not have any network. I checked windows/system32/drivers and the afd.sys file was once again gone. I also checked (via regedit) to see if the AFD entry was still in currentcontrolset/services and it was not. Double clicked the newly created 'fixme.reg' again and saw the AFD entry appear in regedit. Something keeps removing that entry and the afd.sys file upon reboot.

    I rebooted in safemode, placed the afd.sys file in windows/system32/drivers and reclicked the 'fixme.reg' and rebooted. I did not have network. Shut down and repeated the safemode process and upon reboot had network again. If I either shut down or reboot network is gone, along with the file/entry.

    Argghh!
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay from this point on, please only do what I ask you to do and nothing else.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    O2 - BHO: (no name) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

    After clicking Fix, exit HJT.



    Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.
    Then double click on it to run it. Do not disturb it by clicking in the window that opens or it may stall.
    After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
     
  9. jgray127

    jgray127 Private E-2

    Done. No problems.

    I received an error stating that Windows Recovery Console was not installed, and had an option to download/install it. However, without network connectivity, that wasn't possible so it ran without doing so. I've attached both the recovery console warning and the combofix log.

    Upon completion it rebooted but there was still no network connectivity. I did notice that it had removed UltraVNC from the system tray at startup. I do use it for PC-PC control inside the house.

    I also apologize if this ends up being a double post. I had replied and got the "successfully posted" message from MajorGeeks, but the post never appeared, so I replied a second time.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have been putting afd.sys here >> c:\windows\system32\drivers\afd
    It needs to be in >> c:\windows\system32\drivers

    Disable any protection software that you have running and then do the below.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. jgray127

    jgray127 Private E-2

    I created that folder and kept a copy of afd.sys which I was using to replace the one that kept disappearing from c:\windows\system32\drivers. This was when I was booting into safe mode and restoring it.

    However, rest assured I've not done anything other than what you've instructed me, including booting into safe mode.

    When this started, I was again met with the warning about Windows Recovery Console not being installed.

    During this process, the computer rebooted. I believe CFix was about done and rebooted automatically but I was not looking at the screen. It had been working about as long as in times prior. Upon reboot, CFix automatically opened and generated the logfile, which is attached.

    There was still no network connectivity. However, the afd.sys file survived reboot and is in c:\windows\system32\drivers.

    I then ran the getlogs.bat and an error message was generated (attached) but it continued and finished the logs, also attached.

    While there is still no network connectivity, it is very noticeably faster when opening/closing windows, and it does shut down much, much quicker now. I also was able to turn the windows firewall on/off.

    Thanks for your ongoing help.
     

  12. jgray127

    jgray127 Private E-2

    I forgot to mention that if I boot using a Live Linux disc (Mint 11 specifically) I do have full network connectivity, so I know the cable/router connections are good.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this is good. The AFD service now has a registry entry and the service is running. The problem is that you still have other services that are not running. With just a quick check, I can see that your DHCP Client and BITS services are not running. Let's see if we can now fix these. First we will try it a less intrusive way.



    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    See if you have network connectivity now. If not, please rerun the same Windows Repair fix given back in message # 2. No matter what happens after this continue on with getting the new MGtools log below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
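    As an added triage example (not from this thread or from any of the tools it uses), the following PowerShell 2.0 compatible script performs the check chaslang is doing by hand on the logs here and again in the later replies: for each of the services the thread revolves around (AFD, Tcpip, Dhcp, BITS) it reports whether the Services registry key exists, whether it is disabled, whether its ImagePath resolves to a file that is actually on disk, and whether the Service Control Manager reports it running. It assumes the standard %SystemRoot% layout and an elevated prompt; the service names are the ones Windows uses for these components.

```powershell
# Added triage script (not part of the thread). Checks the registry entry, on-disk
# binary and running state of the network-stack services discussed in the thread.
# Assumes standard %SystemRoot% layout and that it is run from an elevated prompt.

$names = 'AFD', 'Tcpip', 'Dhcp', 'BITS'

function Resolve-ImagePath {
    # Turn the raw ImagePath registry value into an absolute file path. Drivers are
    # usually registered as \SystemRoot\System32\drivers\x.sys or as a path relative
    # to %SystemRoot%; svchost-hosted services carry "-k group" arguments.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -match '^"([^"]+)"')  { $p = $Matches[1] }   # quoted path, drop arguments
    elseif ($p -match '^(\S+)')   { $p = $Matches[1] }   # unquoted path, drop arguments
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ServiceHealth {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = @{ Name = $Name; KeyPresent = (Test-Path $key); Start = $null
                 ImagePath = $null; FilePresent = $false; State = 'Unknown'; Problems = @() }
    if (-not $result.KeyPresent) {
        # This is the state the thread starts in: the AFD key is simply gone.
        $result.Problems += 'service key missing from registry'
        return New-Object PSObject -Property $result
    }
    $props = Get-ItemProperty $key
    # Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
    $result.Start = $props.Start
    if ($props.Start -eq 4) { $result.Problems += 'Start=4 (disabled)' }
    $file = Resolve-ImagePath $props.ImagePath
    $result.ImagePath = $file
    if ($file -and (Test-Path $file)) { $result.FilePresent = $true }
    else { $result.Problems += 'binary missing on disk' }
    # Kernel drivers (AFD, Tcpip) are Win32_SystemDriver; user-mode services are Win32_Service.
    $wmi = Get-WmiObject Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $wmi) { $wmi = Get-WmiObject Win32_Service -Filter "Name='$Name'" }
    if ($wmi) { $result.State = $wmi.State }
    else { $result.Problems += 'not known to the Service Control Manager' }
    if ($result.State -ne 'Running') { $result.Problems += "state is $($result.State)" }
    return New-Object PSObject -Property $result
}

function Get-NetworkStackHealth {
    $names | ForEach-Object { Get-ServiceHealth $_ }
}

Get-NetworkStackHealth |
    Format-Table Name, KeyPresent, Start, State, FilePresent, ImagePath,
                 @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize
```

    Run before and after each fix and after a reboot: a key that comes back as missing only after a normal boot, as happened with AFD here, is the pattern to look for, and the copy kept in drivers\afd that surfaces later in the thread would show up as FilePresent = False because the ImagePath points at drivers\afd.sys.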
     
  14. jgray127

    jgray127 Private E-2

    It was successfully added to the registry. Upon reboot, no network. I ran Combofix and still no network after reboot.

    Logs are attached.
     

  15. jgray127

    jgray127 Private E-2

    I don't believe the MGLogs.zip in the previous reply was the full set of logs. When running the .bat file, I received the same pop-up error as last time (I've attached it; forgot to in the prior post) but noticed after I replied the MGLogs.zip was much smaller in size than previously. I ran the .bat file again and am attaching the MGLogs.zip file that is 309 KB, much closer in size to the previous ones.
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Correct! ;)

    Did you also rerun Windows Repair this time as requested?

    Your DHCP Client service is still not running and neither is the BITS service required for Windows Update. Let's try using ComboFix to patch the registry. You may need to download a new version of Combofix if it gives you any messages about being out of date or running in reduced functionality mode.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.


    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • FSS.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 9, 2012
  17. jgray127

    jgray127 Private E-2

    I'm not sure. I wasn't sure which one you were referring to by "Windows Repair fix given back in message # 2" and guessed you were referring to ComboFix based on the log request.

    Should I still try that before attempting what you just asked me to do? If so, please clarify which is the "Windows Repair Fix."

    Sorry I got confused on this one. :confused
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! See message number 2 which has instructions beginning with the below text
    Run Windows Repair first and then run the Combofix, Farbar Service Scanner, and MGtools instructions.
     
  19. jgray127

    jgray127 Private E-2

    (Understood :-o) and did everything as instructed. Still no network connection. Requested logs are attached.
     

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix to replace your tcpip.sys file
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
  21. jgray127

    jgray127 Private E-2

    Done. No problems. Reboot. Still no network. Logs attached.
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, since there does not appear to be any malware reason for your problem and we are getting close to not being able to do anything but reinstall, let's see if something else you have installed has somehow gotten broken and may be the cause of this problem.

    Uninstall all of the below:
    PeerBlock 1.1 (r518)
    ZoneAlarm Free Firewall
    ZoneAlarm LTD Toolbar

    Then reboot your PC and see if you have the ability to connect now. If not, then continue on with the below.


    Please run C:\MGtools\FixNet.bat by double clicking on it.

    This will run a few commands and then reboot your computer.

    After your computer reboots, see if there is any change to your ability to connect. If not, then continue on with the below.



    Now continue with the below which will attempt to repair your network connection

    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. Now see if you have the ability to connect, if not continue with the below.

    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! If still no connection, it may be time to reinstall.
     
  23. jgray127

    jgray127 Private E-2

    I appreciate all your assistance. I'm not sure how/why ZoneAlarm was installed as I did uninstall it many steps back when requested. Anyway, it and PeerBlock are now uninstalled. After reboot still no connection.

    No change.

    Possibly of note, when selecting the TCP/IP Protocol, there was a notification that it was not properly signed. I attached a pic of this.

    Also, upon reboot, Windows' acceptance of the validity of my license vanished, and I now have 3 days to activate Windows. Should I go ahead and reactivate (obviously over phone as no network connection) or wait until some specific time at your request?

    Still no connection. Does the fact that I was able to boot into safe mode and replace the afd.sys file and registry entry and have network functionality with a reboot (prior to seeking help and your request to do nothing other that what you requested, but mentioned early on in this assistance process) have any significance?

    I proceeded and finished the rest of your instructions without incident, and I've attached the requested logs.

    I've so wanted to avoid reinstall. I have an imaged backup from its initial setup, but it's been several years, and Digital Lifeboat wasn't installed yet. I'm at 95% completion of its 250+ gig backup of my family photos/videos to its cloud storage. I mention this so you know, and if possible, preserve its state if a reinstall ends up being the only way left to solve my problem.
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Interesting. Not sure this will be able to fix it, but try deleting your Network Interface Card from Device Manager but do not allow it to delete files. Then reboot your PC. The hardware should be redetected and drivers should load. See if this fixes it.

    Or perhaps instead of bothering with removing the NIC card in Device Manager, a reinstall of XP SP3 would be the way to go.

    One additional thing to try is the below additional registry patch for the DHCP Client service.


    Copy the bold text below to notepad. Save it as fixDHCP.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    This I don't understand at all. Never saw this happen due to running that procedure. Although I did inadvertently delete a driver for Digital Lifeboat that I did not recognize. So let's put it back.


    Copy the bold text below to notepad. Save it as fixDL.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    It just reemphasizes my point that it is not likely malware. It is a Windows issue. And some driver/software that loads in normal mode but not in safe mode is causing a conflict.
     
    Last edited: Dec 15, 2012
  25. jgray127

    jgray127 Private E-2

    I activated Windows as the 3 days were up. Otherwise, the system is in the same state.

    I have not done anything you asked yet. I saw it a few minutes ago, right after I sent the above. My next post will have the results of what you asked to do next.
     
  26. jgray127

    jgray127 Private E-2

    :(

    Tried all the above. No luck. Some notes:

    When deleting the NIC card from Device Manager, I was not prompted to allow/disallow files from deletion. I'm using the MB's built in Yukon ethernet connection and have no actual card to remove, but could pop one in a slot (wired or wireless) or use USB wireless if that will help troubleshoot.

    I downloaded the standalone SP3 from Microsoft (318 megs) and installed it. It installed without issue, but no luck.

    Both registry patches were successful.

    I attached a screengrab, that may or may not help, of several network panels from Windows.

    What, if anything, is next? :confused
     

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While there is no physical card, the hardware exists and it can be deleted from Device Manager so give it a try to see what happens.

    Would be interesting to see what happens.

    This is not a good sign. Normally this would fix an issue like this. Seems to point towards missing or corrupted drivers for your hardware.
     
  28. jgray127

    jgray127 Private E-2

    I did give it a try and deleted it. You said not to allow it to delete files, but I was never prompted to allow/disallow. Still didn't make a difference. I went and got a newer Yukon driver from FoxConn for my MB. However, when I pointed to this driver after 'scan for new hardware' it said the latest drivers were installed and I do have newer drivers available.

    Uninstalled the Yukon driver and connected a TP-Link USB wifi adapter. Installed its drivers (latest from their website) and while it will authenticate with the router, it continuously hangs on "acquiring network address," and their utility shows an IP of 0.0.0.0.

    Anything else to try?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but at this point, there is only one more thing and that is reinstall Windows and hope that there is actually nothing wrong with your hardware.
     
  30. jgray127

    jgray127 Private E-2

    Thanks for all your help. I appreciate it.

    I'm pretty confident the hardware is all good. I've been using the newest version of Mint's Live DVD to get at all the media on this machine while Windows has been down.

    It just stinks as there was no one event that happened before Windows went kablooey. I hadn't installed/uninstalled anything, there wasn't a power failure, no error messages, lockups or reboots.

    Again, thanks!
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Yes and no malware either.
     
  32. jgray127

    jgray127 Private E-2

    Looking through the event viewer, I noticed another reference to the AFD service failing to start because "a device attached was not functioning." There was also a reference that the SASKUTIL service was also failing to start. SuperAntiSpyware was uninstalled early on in this process, so I'm not sure why it is still trying to start. I also found this discussion on their support forums (http://forums.superantispyware.com/index.php?/topic/4370-saskutil-and-sasdifsv-are-hardware-devices/)

    Now, I do know that the Yukon controller is working just fine and isn't the issue. I've been using the machine heavily throughout our sessions from a live boot of Linux Mint, as it contains the bulk of my media that I watch from other rooms via Samba shares and XBMC.

    I don't know if they're connected or mean anything to you in connection to my issue. However I thought possibly that the AFD service isn't starting due to "an attached device not functioning" and the SuperAntiSpyware issue from the thread above might be related.

    Possible? I've attached the errors from the event viewer.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I know all of this as I could see this information in the logs we obtained already. However AFD was running per the last logs you attached. It was DHCP Client that was not running. See the last nwktst.txt log in the MGlogs.zip file you attach where you will see the below.
    Code:
    =====================================================================================  
    Checking DHCP, AFD, NetBT, TCP/IP, IPsec Service States 
       Dynamic Host Control Protocol -DHCP-     is NOT running  
            C:\WINDOWS\System32\dhcpcsvc.dll exists  
       AFD Networking Support Environment -AFD- is running  
       NetBios over Tcpip -NetBT-               is running  
       TCP/IP Protocol Driver -TCP/IP-          is running  
       IPSEC driver  -Ipsec-                    is running  
    ===================================================================================== 
    We can fix/delete the leftover service (there are actually two, not one) from SUPERAntiSpyware just to make sure it is not having an effect somehow.

    I also will clean up some more leftovers from ZoneAlarm.

    Now download (do not run yet) a new copy of combofix.exe and save it directly onto your Desktop folder. You need a new version because it expires every few days.




    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
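    The nwktst.txt block quoted above is what tells the two cases apart (AFD present and running versus the DHCP Client stopped). As an added example that is not part of the thread, MGtools or any of the tools used here, the following parses a constructed block in that format and reports required services that are stopped or absent from the log:

```python
import re

# Constructed sample in the same layout as the nwktst.txt excerpt above;
# it is not a log taken from this thread.
SAMPLE_NWKTST = """\
=====================================================================================
Checking DHCP, AFD, NetBT, TCP/IP, IPsec Service States
   Dynamic Host Control Protocol -DHCP-     is NOT running
        C:\\WINDOWS\\System32\\dhcpcsvc.dll exists
   AFD Networking Support Environment -AFD- is running
   NetBios over Tcpip -NetBT-               is running
   TCP/IP Protocol Driver -TCP/IP-          is running
   IPSEC driver  -Ipsec-                    is running
=====================================================================================
"""

# Services the TCP/IP stack needs, spelled as they appear between the dashes.
REQUIRED = ("DHCP", "AFD", "NetBT", "TCP/IP", "Ipsec")

# One service-state line: "... -NAME- is running" or "... -NAME- is NOT running".
STATE_RE = re.compile(r"-(?P<name>[^-]+)-\s+is (?P<state>NOT running|running)\s*$")


def parse_service_states(text):
    """Map each service name found in the block to True (running) / False (stopped)."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states[m.group("name").strip()] = m.group("state") == "running"
    return states


def diagnose(text):
    """List findings for required services that are stopped or missing from the log.

    A missing entry is the case seen earlier in this thread, where afd.sys and its
    service key had been deleted; a stopped entry is the DHCP Client case above.
    """
    states = parse_service_states(text)
    findings = []
    for svc in REQUIRED:
        if svc not in states:
            findings.append(f"{svc}: no entry in log (service may be missing)")
        elif not states[svc]:
            findings.append(f"{svc}: NOT running")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_NWKTST):
        print(finding)
```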
  34. jgray127

    jgray127 Private E-2

    Yay! You brought a great Christmas present. It seems to have worked! I've done multiple hard and soft reboots and the network was there every time. The only thing I noticed is that several services that I had manually stopped from starting (CCleaner Enhanced, Unlocker) now start at launch again. I had actually forgotten about them.

    I've attached the logs.

    Digital Lifeboat also reconnected and my backup is no longer in danger.

    I currently have no virus or malware protection. I had AVG Free and SAS paid. Should I continue with them, or go with MS Security Essentials? What do you recommend?

    Thanks again!
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent news! You're welcome.

    If you are happy with them stay with AVG and SAS. But before reinstalling any of this, I want to restore a folder I inadvertently removed with ComboFix for Gear software.

    Now we need to use ComboFix to DeQuarantine some files that it should not have removed.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\DeQuarantine_log.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\DeQuarantine_log.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  36. jgray127

    jgray127 Private E-2

    Did as instructed, no issues. Everything is still functioning after reboot.

    Anything else?
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key http://forums.majorgeeks.com/chaslang/images/Windows_Logo_key.gif and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  38. jgray127

    jgray127 Private E-2

    Ok, I did all the cleanup procedures and re-installed SASPro, Peerblock, UltraVNC and AVGFree. After AVG ran for the first time, it found a trojan named Dropper. The system then became verrrryyy slow, and the start button would depress, but no popup would occur. Connecting to the machine remotely via VNC, I was able to launch task manager and shutdown the machine. However, it took more than 15 minutes to shutdown.

    Upon reboot, everything appeared to be fine, and speed was back to normal. I ran AVG again, and it found the heur.dropper virus which I let it remove. However the machine was back to a crawl, but seemed ok again after a reboot.

    Looking at the system event viewer, the following error was present -
    I believed AVG was the culprit and was going to uninstall it and put on MS Security Essentials, but then AVG found the second virus mentioned above.

    I have done minimal with this computer since network access came back other than allowing Digital Lifeboat to finish and reconnecting to the home network for XBMC access to its media.

    Is this something that has come back to life, or something new?

    I've attached two pics of the AVG screens, while awaiting instructions.

    Thanks. :)
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you did not complete all of my last instructions. See step 9 again. And if you did not do ALL of the steps, do all of them this time.

    Oh and the Event Viewer error you mentioned may well be an AVG issue. See the below very long thread (about 4 pages worth) on AVG's forum.

    http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&id=216800

    Personally, since you started having problems again after installing AVG, I recommend that you remove it and use something else.
     
    Last edited: Jan 6, 2013
  40. jgray127

    jgray127 Private E-2

    I _did_ go through the process of disabling/re-enabling system restore and all the other steps. I was puzzled as to the location of the virus/trojan reported by AVG. I will do it again, along with the rest.

    Thanks for the link. I had seen that thread on AVG's forum last night, and disabled AVG's self-protection as was recommended. After doing that, after running a scan with AVG, the system still crawled, and it had found the aforementioned malware. That is what prompted my return.

    I am going to uninstall AVG and install something else, but now I fear an infection has started.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The items you posted snapshots of are just in System Restore. So either you did not get System Restore disabled or the old restore points did not get cleaned up when toggling System Restore. Another possibility is that you got reinfected.

    My suggestion is to uninstall AVG completely. Then disable System Restore. Then reboot your PC but do not reenable System Restore yet. Now just do the below:


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
     
  42. jgray127

    jgray127 Private E-2

    Log file attached. I had already uninstalled AVG and installed MS Security Essentials. Let me know if I need to run MGTools without Essentials installed.

    The sllllooowww system response seems to have been AVG's fault, as it hasn't returned since AVG was uninstalled.

    Was there an initial infection when this all started, or was the networking issue not connected to malware?
     

    Attached Files:

  43. jgray127

    jgray127 Private E-2

    Quick update - even with AVG uninstalled, the system has begun to realllly drag. Just saw a minimized window slowwwllly move to the left to fill in the gap of another closed window.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. Perhaps you are having issues with what you are running. Have you tested booting in Safe Mode with Networking to see how your PC runs? I suggest that you test it this way. Maybe DigitalLifeboat is running a backup and eating up all your resources.

    No real malware was observed in your logs. Just junkware and the issue with AFD which may or may not have been caused by malware before you started posting here.
     
