BleepingComputer.com: Cannot Connect after virus cleanup

Cannot Connect after virus cleanup: Possible DNS suffix search list issue?

#1 SeanR

  • Member
  • Group: Members
  • Posts: 27
  • Joined: 19-October 11

Posted 03 November 2011 - 10:19 AM

Make and Model: Dell Mini Inspiron 910
How the computer is connected: It will not connect either wirelessly or via network cable regardless of how close I am to the router.
History up to this point
At the beginning of October, the computer became infected with Open Cloud AV. I followed the removal guides I found online and had thought I finally got rid of it, but that doesn't seem to be the case. In the process I have now lost the ability to connect to the internet on that computer either on wireless or through network cable. When I pull up the details of the wireless connection it says that the ip is invalid. I cannot connect in to the internet in safe mode either. Unfortunately I am unable to accurately recount every step I took previously. (I have since learned that this was foolish on my part.)

I am using a different computer and an external hard drive (both of which have been scanned extensively to ensure no infections) to download what is needed, and I always save it to the desktop of the new computer before I start working with that downloaded program.

My original post about wireless connection can be found here: http://www.bleepingcomputer.com/forums/topic424108.html
- I have made sure that IE browser>>click tools>>internet options>> Proxy server is not checked and that automatically detect settings is checked.
- I have tried Winsockxpfix without luck
- When I try to renew through ipconfig I get a message saying that the RPC server is unavailable even though it shows as running.

That forum sent me to the Am I infected forum. That post can be found here: http://www.bleepingcomputer.com/forums/topic424137.html/page__p__2446881#entry2446881

It looks like the virus is now gone thanks to the help of Nasdaq from the Malware response team. That can be found here: http://www.bleepingcomputer.com/forums/topic424950.html/page__gopid__2462496#entry2462496

Yet I still cannot connect. I DID notice in comparing the ipconfig /all of the computer I am using now and the infected computer that this computer had a DNS SUFFIX Search list entry as follows:

DNS Suffix Search List. . . . . . : gateway.2wire.net

I am presuming the fact that the previously infected computer did not have this is part of the problem? I cannot seem to find anything online about this for windows XP home.

Router: Manufacturer 2Wire, Inc. Model 3800HGV-B
Type: DSL - ATT Uverse

Result.txt
MiniToolBox by Farbar
Ran by Molly St.Cyr (administrator) on 03-11-2011 at 11:02:45
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection 3"

set address name="Wireless Network Connection 3" source=dhcp
set dns name="Wireless Network Connection 3" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection 3" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : D32K5JC1

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Realtek RTL8102E Family PCI-E Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-21-70-D2-4D-1B



Ethernet adapter Wireless Network Connection 3:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter

Physical Address. . . . . . . . . : 00-23-08-39-C0-AC

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 0.0.0.0

Subnet Mask . . . . . . . . . . . : 0.0.0.0

Default Gateway . . . . . . . . . :

DHCP Server . . . . . . . . . . . : 0.0.0.0

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 21 70 d2 4d 1b ...... Realtek RTL8102E Family PCI-E Fast Ethernet NIC
0x10004 ...00 23 08 39 c0 ac ...... Broadcom 802.11g Network Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 10003 1
255.255.255.255 255.255.255.255 255.255.255.255 10004 1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/03/2011 11:00:45 AM) (Source: Google Update) (User: Molly St.Cyr)Molly St.Cyr
Description: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.

Error: (11/03/2011 11:00:29 AM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)

Error: (11/03/2011 00:04:03 AM) (Source: Google Update) (User: Molly St.Cyr)Molly St.Cyr
Description: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.

Error: (11/03/2011 00:03:44 AM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)

Error: (11/02/2011 11:17:18 PM) (Source: Google Update) (User: Molly St.Cyr)Molly St.Cyr
Description: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.

Error: (11/02/2011 11:04:29 PM) (Source: Google Update) (User: Molly St.Cyr)Molly St.Cyr
Description: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.

Error: (11/02/2011 11:04:11 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)

Error: (11/02/2011 10:55:55 PM) (Source: Google Update) (User: Molly St.Cyr)Molly St.Cyr
Description: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.

Error: (11/02/2011 10:55:36 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)

Error: (11/02/2011 01:10:58 AM) (Source: Google Update) (User: Molly St.Cyr)Molly St.Cyr
Description: Network Request Error.
Error: 0x80072ee7. Http status code: 0.
Url=https://tools.google.com/service/update2
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.
Trying config: source=IE, wpad=1, script=.
trying CUP:WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying WinHTTP.
Send request returned 0x80072ee7. Http status code 0.
trying CUP:iexplore.
Send request returned 0x80004005. Http status code 0.


System errors:
=============
Error: (11/03/2011 11:01:20 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd

Error: (11/03/2011 11:00:47 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd

Error: (11/03/2011 11:00:37 AM) (Source: Service Control Manager) (User: )
Description: The Automatic Updates service terminated with the following error:
%%2147952450

Error: (11/03/2011 11:00:37 AM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
%%10050

Error: (11/03/2011 11:00:37 AM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%10050

Error: (11/03/2011 11:00:37 AM) (Source: Service Control Manager) (User: )
Description: The helpsvc service failed to start due to the following error:
%%2

Error: (11/03/2011 11:00:37 AM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: Afd

Error: (11/03/2011 11:00:37 AM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the following nonexistent service: Afd

Error: (11/03/2011 00:08:48 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd

Error: (11/03/2011 00:04:26 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd


========================= Memory info: ===================================

Percentage of memory in use: 59%
Total physical RAM: 1014.36 MB
Available physical RAM: 411.08 MB
Total Pagefile: 1117.68 MB
Available Pagefile: 519.63 MB
Total Virtual: 2047.88 MB
Available Virtual: 2004.34 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:7.12 GB) (Free:0.81 GB) NTFS
2 Drive d: () (Removable) (Total:0.12 GB) (Free:0.11 GB) FAT

========================= Users: ========================================

User accounts for \\D32K5JC1

Administrator Guest HelpAssistant
Molly St.Cyr SUPPORT_388945a0


**** End of log ****

#2 LouisR47

  • Forum Regular
  • Group: Members
  • Posts: 174
  • Joined: 15-December 09
  • Gender: Male
  • Location: Riverside, California

Posted 03 November 2011 - 11:58 AM

Hello, have you looked at your Local Area Connection Properties?

Start Button

Control Panel

Network and Internet Connections

Network Connections

Highlight the LAN that you are using right-click

Select properties

Highlight TCP/IP click properties

Now see if everything is set to receive IP and DNS server addresses automatically

#3 SeanR

  • Member
  • Group: Members
  • Posts: 27
  • Joined: 19-October 11

Posted 03 November 2011 - 12:01 PM

Everything there is set exactly the same as it is on this computer (that is connected)

#4 LouisR47

  • Forum Regular
  • Group: Members
  • Posts: 174
  • Joined: 15-December 09
  • Gender: Male
  • Location: Riverside, California

Posted 03 November 2011 - 01:05 PM

Have you tried IPCONFIG /flushdns from a command prompt?
Then try IPCONFIG /registerdns

#5 Akashi

  • Forum Regular
  • Group: Malware Study Hall Senior
  • Posts: 301
  • Joined: 25-October 11
  • Gender: Male

Posted 03 November 2011 - 05:17 PM

I think this problem may be related to the afd service not running.

To check if there's some kind of problem with the service.

At the command prompt, type net start afd then press Enter.

Post back the message it gives you.

#6 SeanR

  • Member
  • Group: Members
  • Posts: 27
  • Joined: 19-October 11

Posted 03 November 2011 - 10:54 PM

Aha! This might be the right track. I am not sure how to fix this though.

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Molly St.Cyr>net start afd
The service name is invalid.

More help is available by typing NET HELPMSG 2185.


C:\Documents and Settings\Molly St.Cyr>net helpmsg 2185

The service name is invalid.


EXPLANATION

You tried to start a service that is not configured on this system.

ACTION

Check the spelling of the service name or check the configuration information for the service using the Services option from Server Manager.



C:\Documents and Settings\Molly St.Cyr>

#7 Akashi

  • Forum Regular
  • Group: Malware Study Hall Senior
  • Posts: 301
  • Joined: 25-October 11
  • Gender: Male

Posted 04 November 2011 - 12:28 PM

I think we should start by checking your afd.sys file for corruption.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:

    :filefind
    afd.sys
    

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#8 SeanR

  • Member
  • Group: Members
  • Posts: 27
  • Joined: 19-October 11

Posted 05 November 2011 - 12:21 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 01:19 on 05/11/2011 by Molly St.Cyr
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys --a--c- 138496 bytes [18:10 19/06/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a--c- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a--c- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a--c- 138496 bytes [13:31 28/12/2008] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3gdr\afd.sys --a--c- 138496 bytes [14:43 16/10/2008] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3qfe\afd.sys --a--c- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138496 bytes [20:33 25/04/2008] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89
C:\WINDOWS\system32\drivers\afd.sys --a--c- 138496 bytes [20:33 25/04/2008] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4

-= EOF =-

#9 Akashi

  • Forum Regular
  • Group: Malware Study Hall Senior
  • Posts: 301
  • Joined: 25-October 11
  • Gender: Male

Posted 05 November 2011 - 12:38 PM

Hi SeanR,

The MD5 of your afd.sys file is legitimate, so I'm thinking that the malware may have altered the file path in the registry. If this is the case, it can easily be fixed.

Let's check it out.

  • Please run SystemLook again.
  • Copy the content of the following box into the main textfield:

    :reg
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD
    

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

This post has been edited by Akashi: 05 November 2011 - 12:39 PM


#10 Elise

  • Bleepin' Blonde
  • Group: Malware Study Hall Admin
  • Posts: 39,016
  • Joined: 05-October 07
  • Gender: Female
  • Location: Romania

Posted 05 November 2011 - 02:02 PM

I suspect that the service has been deleted altogether and may need to be recreated. However, let's see what SystemLook comes back with.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

#11 SeanR

  • Member
  • Group: Members
  • Posts: 27
  • Joined: 19-October 11

Posted 05 November 2011 - 02:41 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 15:40 on 05/11/2011 by Molly St.Cyr
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD]
(No values found)

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Enum]


-= EOF =-

#12 Akashi

  • Forum Regular
  • Group: Malware Study Hall Senior
  • Posts: 301
  • Joined: 25-October 11
  • Gender: Male

Posted 05 November 2011 - 04:04 PM

Quote

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD]
(No values found)

elise025 was correct. All the values in the AFD Services Key have been deleted.

I am not qualified to continue helping you with this problem.

elise025 will take over this thread from me now. :thumbup2:
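
As an added example (not a tool from this thread or from BleepingComputer), the following Python script automates the three checks the helpers walked through above: it pulls the Service Control Manager "depends on the following nonexistent service" lines out of the MiniToolBox log, compares the MD5 of system32\drivers\afd.sys against the other copies in the SystemLook :filefind listing, and checks whether the SystemLook :reg listing reports the AFD key as empty. The sample inputs are constructed by abridging the logs posted in this thread, and the line formats it parses are taken from those posts.

```python
# Added triage helper, not a BleepingComputer or SystemLook tool: it parses the
# log formats posted in this thread and decides what "nonexistent service" means.
import re
from typing import Dict, List, Optional, Set

DEPENDS_RE = re.compile(r"^Description: The (?P<dep>.+?) service depends on the "
                        r"following nonexistent service: (?P<missing>\S+)$")
FILEFIND_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \S+ (?P<size>\d+) bytes "
                         r"\[[^\]]*\] \[[^\]]*\] (?P<md5>[0-9A-Fa-f]{32})$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")

# Constructed samples, abridged from the MiniToolBox and SystemLook logs above.
SYSTEM_ERRORS = """
Error: (11/03/2011 11:01:20 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the following nonexistent service: Afd

Error: (11/03/2011 11:00:37 AM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the following nonexistent service: Afd
"""
FILEFIND = r"""
C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys --a--c- 138496 bytes [18:10 19/06/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4
C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138496 bytes [20:33 25/04/2008] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89
C:\WINDOWS\system32\drivers\afd.sys --a--c- 138496 bytes [20:33 25/04/2008] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4
"""
REG = r"""
[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD]
(No values found)

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\AFD\Parameters]
"""

def missing_service_dependents(log: str) -> Dict[str, List[str]]:
    """Map each missing service (lower-cased) to the services that depend on it."""
    found: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = DEPENDS_RE.match(line.strip())
        if m:
            deps = found.setdefault(m.group("missing").lower(), [])
            if m.group("dep") not in deps:
                deps.append(m.group("dep"))
    return found

def filefind_hashes(log: str) -> Dict[str, str]:
    """Map each path in a SystemLook :filefind listing to its MD5."""
    matches = (FILEFIND_RE.match(line.strip()) for line in log.splitlines())
    return {m.group("path"): m.group("md5").upper() for m in matches if m}

def active_driver_intact(hashes: Dict[str, str], filename: str) -> Optional[bool]:
    """True if the copy under system32\\drivers hashes like some other copy on disk
    (hotfix store or dllcache), i.e. it was not replaced; None if it is absent."""
    active, others = None, set()
    for path, md5 in hashes.items():
        low = path.lower()
        if not low.endswith("\\" + filename.lower()):
            continue
        if "\\system32\\drivers\\" in low:
            active = md5
        else:
            others.add(md5)
    return None if active is None else active in others

def empty_registry_keys(log: str) -> Set[str]:
    """Keys a SystemLook :reg listing reports as '(No values found)', lower-cased."""
    empty, current = set(), None
    for line in map(str.strip, log.splitlines()):
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
        elif line == "(No values found)" and current:
            empty.add(current)
    return empty

def triage(system_errors: str, filefind: str, reg: str, service: str) -> str:
    """One verdict for the named service from the three log fragments."""
    if service.lower() not in missing_service_dependents(system_errors):
        return "no dependency errors for " + service
    key = "hkey_local_machine\\system\\currentcontrolset\\services\\" + service.lower()
    key_empty = key in empty_registry_keys(reg)
    file_ok = active_driver_intact(filefind_hashes(filefind), service + ".sys")
    if file_ok is None:
        return "driver file missing: restore the file and the service key"
    if key_empty:
        return "service key wiped, driver " + ("intact" if file_ok else "unverified") + ": restore the key"
    return "service key has values: inspect them before touching the file"
```

Run against the full logs from this thread it reports the same conclusion Akashi reached: the driver on disk matches the KB2503665 hotfix copy, so the binary is fine and only the service key needs restoring.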

#13 SeanR

  • Member
  • Group: Members
  • Posts: 27
  • Joined: 19-October 11

Posted 05 November 2011 - 04:05 PM

Thank you

#14 Elise

  • Bleepin' Blonde
  • Group: Malware Study Hall Admin
  • Posts: 39,016
  • Joined: 05-October 07
  • Gender: Female
  • Location: Romania

Posted 05 November 2011 - 04:41 PM

Hi SeanR, can you please upload c:\windows\repair\system (this is a file without extension) at the following link: http://www.bleepingcomputer.com/submit-malware.php?channel=105

Please let me know once uploaded. I will then create a registry script for you to restore the service, which should restore your internet connection.
regards, Elise


#15 SeanR

  • Member
  • Group: Members
  • Posts: 27
  • Joined: 19-October 11

Posted 05 November 2011 - 05:31 PM

Hmm. I don't seem to have a system (without extension). I have one that is .bak, but that's it.
