AFD service deletion

Discussion in 'Malware Help (A Specialist Will Reply)' started by edged1g, Dec 10, 2012.

  1. edged1g

    edged1g Private E-2

    A few days ago I ran SuperAntispyware to check for any problems as I do regularly. It found some things (I didn't save a log!) and I let it fix them. After rebooting, my computer stopped being able to connect to the internet. The computer hangs and the icon in the task bar shows it constantly trying to get an IP.

    I was able to figure out that the AFD service was not starting, nor did it exist any longer. I was able to replace the AFD.SYS into the system32/drivers folder, add the AFD registry key back (from another working XP computer) and reboot, which gave me back network connectivity. Even with network connectivity I still had no internet access. After a reboot, the afd.sys file is gone again and I am back at hanging, waiting for an IP address. I am stuck at this point. Logs are attached; hopefully someone can help. Thanks in advance!

    Notes from running procedure:
    The only problem I had was running TDSSKiller the first time. When I ran it, I got a BSOD: KERNEL_STACK_INPAGE_ERROR. Then after shutting down, CHKDSK ran and I got a bunch of disk errors:
    correcting a minor error in file
    deleting orphan file record segment
    deleting an index entry from index $0 of file
    inserting an index entry into index $0 of file

    After it started up, Windows displayed the error shown in error.jpg. I tried running it again and it ran fine.
     


  2. edged1g

    edged1g Private E-2

    Adding Hitman Pro log!
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    While I look thru all of your logs, please do the below in the meantime.

    First disable Avira and Zonealarm.

    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {728CF8AC-F6B0-4F29-8E53-83715111D5A8} - C:\WINDOWS\system32\tuvTliIC.dll (file missing)
    O3 - Toolbar: sqvgnrpx - {1BFB720F-B45D-43FF-8AE1-54C86718DE99} - C:\WINDOWS\sqvgnrpx.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - Winlogon Notify: awtrOgFy - awtrOgFy.dll (file missing)

    After clicking Fix, exit HJT.

    Also is your Zonealarm software a full security suite with antivirus? It looks like it.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not restore a proper version of afd.sys that belongs with Windows XP SP3. I'm not sure this is the reason for having network connectivity issues, but having an incorrect version can make it look like you have a malware version installed, since the MD5 code for what you have will not match what should be there for SP3. Do you have another Windows XP PC that is running SP3 on which you can run MGtools? If yes, I can see if there is a correct copy there for you to use, as this current PC does not have a proper version anywhere to use. It only has older versions.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also I can see that you have several other services that are not running properly including things that will impact Windows Update. Let's run the below.

    Uninstall the below software. The Java versions are old and security risks:
    Ad-Aware < No longer that effective and installs Blekko junkware
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 2
    Java(TM) 6 Update 29
    Java(TM) 6 Update 7

    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. edged1g

    edged1g Private E-2

    Completed the HJT repairs you said to do. Also, ZA is just the free version, not the full security suite.

    I will try to run it on my other PC to get a correct version. The version I got was from a different location on the same computer (infected).
    What is causing it to constantly be deleted?

    While logged in as administrator, Ad-aware and Java auto updater do NOT appear in the add/remove programs window. I removed all the other software.

    I ran the Windows Repair and everything seemed to work. I restarted and AFD.sys doesn't seem to be getting deleted anymore, but now I am getting a different error in Event Viewer. It now says AFD failed to start "either because it is disabled or because it has no enabled devices associated with it." The network interface was disabled so I enabled it and rebooted, but I am still getting the same error. Logs attached. The MGlogs_uninfected... are logs I took from another XP SP3 PC that is uninfected to check for the right AFD.sys. Thanks for your help!
     


  7. edged1g

    edged1g Private E-2

    Just wanted to add that the problem seems to be that there is no AFD device listed in Device Manager under "Non-plug and play devices" as there is on a working XP computer. After researching, it says to restore it by adding the AFD registry entry back in, but it is already there and it still isn't starting. Hope you can help me fix this. Thanks again!
     
  8. edged1g

    edged1g Private E-2

    I wanted to update this thread in case anyone else has this problem and comes across this thread. The reason for the error "either because it is disabled or because it has no enabled devices associated with it." is that there is no "non-plug and play device" named AFD in Device Manager. To check for this, open Device Manager and click View > Show hidden devices. If AFD is not listed under non-plug and play devices, copy the below code into a file named afddevice.reg and merge it into your registry. To restore the service being started, go here

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD]
    "NextInstance"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000]
    "Service"="AFD"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000020
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="AFD"
    "Capabilities"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\LogConf]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\Control]
    "ActiveService"="AFD"
    
     
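Added example, not from the thread or its participants: a PowerShell check covering the three things this thread ended up restoring by hand (the AFD service key, the LEGACY_AFD device node the .reg file above creates, and afd.sys itself, with its MD5 for comparison against a known-good SP3 copy as chaslang describes). It assumes PowerShell 2.0 or later run as Administrator; the registry keys and file path are the ones named in the thread.

```powershell
# Added example (not from the thread): verify the pieces the AFD fix depends on.
# Assumes PowerShell 2.0+ running elevated; keys/paths are those named in the thread.
$cfg     = 'HKLM:\SYSTEM\CurrentControlSet'
$svcKey  = "$cfg\Services\AFD"
$enumKey = "$cfg\Enum\Root\LEGACY_AFD\0000"
$driver  = Join-Path $env:SystemRoot 'system32\drivers\afd.sys'

# MD5 via .NET so it also works on PowerShell 2.0 (Get-FileHash needs 4.0+)
function Get-Md5Hex([string]$Path) {
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# 1. Service key (the part the OP re-added from a working XP machine)
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    "AFD service key present: Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
} else { 'AFD service key MISSING under Services' }

# 2. Legacy device node (the part afddevice.reg above restores)
if (Test-Path $enumKey) {
    $dev = Get-ItemProperty $enumKey
    "LEGACY_AFD device node present: Service=$($dev.Service) Class=$($dev.Class)"
} else { 'LEGACY_AFD device node MISSING under Enum\Root (AFD reports "no enabled devices")' }

# 3. Driver file, with MD5 to compare against a known-good SP3 copy
if (Test-Path $driver) {
    $info = Get-Item $driver
    "afd.sys present: $($info.Length) bytes, MD5 $(Get-Md5Hex $driver)"
} else { 'afd.sys MISSING from system32\drivers' }

# 4. Live state of the driver as the service control manager sees it
$state = Get-WmiObject Win32_SystemDriver -Filter "Name='AFD'"
if ($state) { "AFD driver state: $($state.State), start mode $($state.StartMode)" }
else { 'AFD driver not registered with the service control manager' }
```

In the state post 8 describes, checks 1 and 3 pass while check 2 reports the device node missing; after merging the .reg file and rebooting, check 4 should show the driver Running.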
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm glad to hear that it sounds like you fixed your issue with the AFD service, but you had a few other services that were not running. To name a few quick observations, the below are not running:

    Background Intelligent Transfer ( BITS )
    Windows Update
    Windows Firewall Service

    You need to get these fixed too which was part of the reason I had you run the Windows Repair tool.

    Do you notice that these are still not running?
     
  10. edged1g

    edged1g Private E-2

    Yes, Windows Repair was able to restore these services and make them start correctly again. I was able to update Windows and turn on the firewall. Thanks for your help!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Okay then, time for final instructions.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
