
Windows ICS will not start after infection by Win 2012 virus


56 replies to this topic

#1 hatevirusesmore

Posted 02 January 2012 - 10:47 PM

Hello, I was infected by the Windows 2012 Security virus and though I think I have removed that virus after many scans and doing a restore to an earlier date (I have Windows XP SP3 Home) I cannot get out to the internet (I am using a different computer now) because ICS will not start. I have tried many different "fixes" described on the net, but none have worked. I hope that you can help me out.


#2 Broni

Posted 03 January 2012 - 12:17 AM

Welcome aboard

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#3 hatevirusesmore

Posted 04 January 2012 - 02:08 PM

OK, thanks. I will do so and report back.
Update to original post is:
I talked to my local PC tech and they suggested that I turn Restore off and rerun Malwarebytes in safe mode because it seems to keep finding virus files in my restore directories; doing that now and will do the FSS scan right after.

Edited by hatevirusesmore, 04 January 2012 - 02:09 PM.


#4 Broni

Posted 04 January 2012 - 03:44 PM

Turning system restore off is usually not a good idea.
It's better to have some (even infected) restore point than none.


#5 hatevirusesmore

Posted 04 January 2012 - 03:53 PM

I considered that, but it was not allowing me to restore at all (I tried) so I thought that maybe the virus corrupted the files. I hope that I do not live to regret it. By the way, thanks for helping me with this.

Here is the output of FSS:

Log output deleted and put into new post because I ran it in safe mode.

Thanks
Carl

Edited by hatevirusesmore, 04 January 2012 - 04:41 PM.


#6 noknojon

Posted 04 January 2012 - 04:08 PM

I talked to my local PC tech and they suggested that I turn Restore off and rerun malwarebytes in safe mode because it seems to keep finding virus files in my restore directories,

Hi -
Just a quick add during your help from Broni,
Please tell your PC tech that Malwarebytes in safe mode is never ideal. It will never remove all of the infections, as some directories are not loaded in safe mode. You may require (after Broni is finished) to download a better Temp File cleaner, or tell your PC tech to clear out temp files using the Windows installed methods.

Thank You -

#7 hatevirusesmore

Posted 04 January 2012 - 04:40 PM

Well I just realized that I ran the FSS.exe in safe mode so reran in regular mode in case that is different. I will try to erase my previous post if I can so as not to duplicate effort.

Here is the new output of FSS:

Farbar Service Scanner
Ran by Carl (administrator) on 04-01-2012 at 16:38:35
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============

Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\afd.sys is missing.
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) tcpipBM(10) VBoxNetFlt(9)
0x0A000000040000000100000002000000030000000A0000000800000005000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****

Thanks
Carl
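
The FSS log above reports, per service, whether it is running and whether its start type, ImagePath and ServiceDll are as expected, then checks the MD5 of the key networking files. As an added example (not from the thread and not part of the Farbar tool), this Python parser pulls out the findings a helper reads first: stopped services, start types changed from their default, files reported missing, and the System Restore disable policy, and pairs a stopped service with a missing file of the same base name (afd and afd.sys here). The sample lines are excerpted from the log posted above; everything else is assumed.

```python
import re

# Excerpt of the FSS.txt log posted above; the parser works on the full log too.
SAMPLE_LOG = r"""
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
afd Service is not running. Checking service configuration:
The start type of afd service is OK.
sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\afd.sys is missing.
"""

# One pattern per finding type, matched against each trimmed log line.
NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                        r"The default start type is (\w+)\.")
MISSING = re.compile(r"^Attention! (.+) is missing\.")
POLICY = re.compile(r'^"(\w+)"=DWORD:(\d+)')  # e.g. "DisableSR"=DWORD:1

def parse_fss(text):
    """Return (kind, detail) findings in the order they appear in the log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := NOT_RUNNING.match(line):
            findings.append(("service_stopped", m.group(1)))
        elif m := START_TYPE.match(line):
            findings.append(("start_type_changed",
                             f"{m.group(1)}: {m.group(2)} (default {m.group(3)})"))
        elif m := MISSING.match(line):
            findings.append(("file_missing", m.group(1)))
        elif (m := POLICY.match(line)) and m.group(2) != "0":
            findings.append(("policy_set", f"{m.group(1)}={m.group(2)}"))
    return findings

def correlate(findings):
    """Map each stopped service to a missing file whose base name matches the
    service name (afd -> afd.sys); that pairing is the first thing to chase."""
    missing = {p.rsplit("\\", 1)[-1].lower(): p
               for kind, p in findings if kind == "file_missing"}
    return {svc: path for kind, svc in findings if kind == "service_stopped"
            for name, path in missing.items() if name.split(".")[0] == svc.lower()}

if __name__ == "__main__":
    found = parse_fss(SAMPLE_LOG)
    for kind, detail in found:
        print(f"{kind:20} {detail}")
    print("stopped service with missing file:", correlate(found))
```

Run over the complete log posted above it lists seven stopped services (Dhcp, afd, sharedaccess, Srservice, sr, wuauserv, BITS), but only afd has a driver file that is actually missing, which is why that is the natural starting point.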

#8 Broni

Posted 04 January 2012 - 05:42 PM

We have several issues there, but let's start with missing afd.sys file.
Let's see if we can find a replacement.

Please run Farbar Service Scanner.
Type the following in the edit box after "Search:".

afd.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.


#9 Broni

Posted 04 January 2012 - 05:43 PM

Please tell your PC tech that Malwarebytes in safe mode is never ideal.

Correct :)


#10 hatevirusesmore

Posted 04 January 2012 - 10:16 PM

Broni
Here are the results of the search:
Farbar Service Scanner
Ran by Carl (administrator) on 04-01-2012 at 21:56:13
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "afd.sys" ===================

C:\WINDOWS\system32\dllcache\afd.sys
[2009-03-11 07:52] - [2008-04-14 07:00] - 0138112 ___AC (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2009-08-21 13:14] - [2008-04-14 07:00] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-13 02:01] - [2011-02-16 08:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011-04-16 02:00] - [2008-08-14 05:04] - 0138496 ____C (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2011-06-28 21:15] - [2008-10-16 09:43] - 0138496 ____C (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2009-08-21 10:12] - [2008-08-14 05:34] - 0138496 ____A (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008-06-20 06:48] - [2008-06-20 06:48] - 0138496 ____A (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys
[2011-10-12 18:40] - [2011-08-17 08:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008-10-16 10:07] - [2008-10-16 10:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-25 17:39] - [2011-02-16 08:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

====== End Of Search ======

Thanks
Carl

#11 Broni

Posted 04 January 2012 - 10:48 PM

Download following batch file: http://www.filedropper.com/fix_3
Double click on it.
Command prompt window will appear briefly.

Restart computer, check on internet connection and post new FSS log.


#12 hatevirusesmore

Posted 05 January 2012 - 09:15 AM

Broni
There seems to be something wrong with the batch file; I keep getting a 0 byte file. If you want I could cut and paste the file out of a post and into a batch file.

Thanks
Carl

#13 Broni

Posted 05 January 2012 - 06:37 PM

Let's try one more time: http://www.filedropper.com/fix_5


#14 Agent24

Posted 05 January 2012 - 07:11 PM

Please tell your PC tech that Malwarebytes in safe mode is never ideal.

It's interesting that you say that because I've actually had more success in safe mode than in a normal startup.

I generally run it in safe mode when there is no alternative option, for example when you aren't able to do anything in normal startup or Windows won't start.

I guess it depends on the situation really.

#15 Broni

Posted 05 January 2012 - 07:19 PM

MBAM is designed for normal mode.
You run it in safe mode ONLY if it doesn't want to run in normal mode for whatever reason.
Successful run in safe mode should be followed by another run in normal mode.
