
USED RKILL NOW DHCP SERVICE & FIREWALL GONE


14 replies to this topic

#1 newsharbor

Posted 25 February 2012 - 11:38 PM

Hi BC Guys,
I have a Dell laptop running Vista Home Edition. Recently, about two months ago, I got a really nasty virus on my computer, which was a version of "Antivirus Protection 2012" (a slightly different version than you have posted in your virus removal list: http://www.bleepingcomputer.com/virus-removal/ ). The virus/trojan prevented my installed anti-virus program from running (or killed it). I haven't had time until now to finish with it.

I used RKill and it did effectively stop the virus/trojan from freezing the anti-virus programs. McAfee was useless, so I subsequently installed and ran Malwarebytes and SuperAnti-spyware. That combination appeared to do a good job of cleaning the virus(es) from my system. However, after that my internet connection won't work, several services won't restart, and my printer and my firewall won't work. Also, my audio wouldn't work, but I did get that running now (by checking and restarting some audio services).

I went to Network Connections and tried to enable, diagnose, repair (and reset the adapter), but I keep getting a message "Restart DHCP Client Service", and "Automatically get new IP Settings for network adapter...". No matter what I do, it won't start.


When I checked the services it appears that 1) AFD is missing (in Device Manager/show hidden devices/Non Plug & Play Devices) 2) In Services: DHCP won't "start" - I receive an error message "Windows could not start the DHCP Client services on Local Computer. ERROR 1075: The dependency service does not exist or has been marked for deletion."

I checked on the MS website to find a DHCP solution - I've done a scan with sfc /scannow. Nothing improved.

Obviously I'm writing this from another computer because the Dell can't connect with the internet. This computer is running on XP (and connecting to my wireless network just fine). I have also tested another Vista computer on my network and it connects to the internet fine.
I did read your forum postings (Preparation Guide For Malware Removal Tools) DDS, GMER, DEFOGGER - it's all a little confusing and I don't know if I need to run all of them? Which sequence?

Thanks,
News!


#2 narenxp

Posted 26 February 2012 - 09:17 PM

Download

FSS

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.

#3 newsharbor

Posted 07 April 2012 - 09:19 PM

Farbar Service Scanner Version: 01-03-2012
Ran by **** on 07-04-2012 at 15:55:12
Running from "F:\FSS"
Microsoft® Windows Vista™ Home Premium (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2010-05-19 10:21] - [2010-02-18 01:51] - 0818688 ____A (Microsoft Corporation) 2C1F7005AA3B62721BFDB307BD5F5010

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll
[2010-05-19 10:21] - [2010-02-18 03:55] - 0317440 ____A (Microsoft Corporation) 96B73CC64BD905EA6CC4E44384ABD8C9

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2008-07-24 03:03] - [2008-07-24 03:03] - 0265912 ____A (Microsoft Corporation) 0D5AD0E71FF5DDAC5DD2F443B499ABD0

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Thanks!
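
Added example, not part of the original posts and not Farbar's own code: a small Python triage of an FSS log that separates services whose registry key is gone from services that are merely stopped, and lists missing files and disabling policy values. The bucket names are made up for illustration, and treating a bare file path (one without "MD5 is legit") as needing a manual check is an assumption about how FSS reports.

```python
import re

# Constructed sample: lines excerpted from the first FSS log posted above.
SAMPLE_LOG = r"""Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
MpsSvc Service is not running. Checking service configuration:
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.
"EnableFirewall"=DWORD:0
"DisableAntiSpyware"=DWORD:1
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys
[2010-05-19 10:21] - [2010-02-18 01:51] - 0818688 ____A (Microsoft Corporation) 2C1F7005AA3B62721BFDB307BD5F5010
"""

STOPPED = re.compile(r"^(\S+) Service is not running")
NO_KEY = re.compile(r"Unable to open (\S+) registry key")
MISSING = re.compile(r"^Attention! (.+) is missing\.$")
BARE_PATH = re.compile(r"^[A-Za-z]:\\.*\.(?:sys|dll|exe)$", re.IGNORECASE)
POLICY = re.compile(r'^"(EnableFirewall|DisableAntiSpyware)"=DWORD:(\d+)$')
# Policy values that switch a protection off, as they appear in the log above.
OFF = {"EnableFirewall": "0", "DisableAntiSpyware": "1"}


def triage(log_text):
    """Sort FSS findings into buckets that call for different repairs."""
    stopped, no_key, missing, bare, policies = [], set(), [], [], set()
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := STOPPED.match(line):
            stopped.append(m.group(1))
        elif m := NO_KEY.search(line):
            # "LEGACY_MpsSvc\0000" and "MpsSvc" both refer to the MpsSvc service.
            name = m.group(1).split("\\")[0]
            no_key.add(name[7:] if name.startswith("LEGACY_") else name)
        elif m := MISSING.match(line):
            missing.append(m.group(1))
        elif BARE_PATH.match(line):
            # Path printed without "=> MD5 is legit"; raw file details follow it.
            bare.append(line)
        elif m := POLICY.match(line):
            if OFF[m.group(1)] == m.group(2):
                policies.add(m.group(1))
    return {
        "service_key_missing": sorted(no_key),
        "stopped_but_configured": [s for s in stopped if s not in no_key],
        "file_missing": missing,
        "no_legit_mark": bare,
        "protection_disabled_by_policy": sorted(policies),
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {items}")
```

Dhcp lands in the stopped-but-configured bucket, which is consistent with the ERROR 1075 in the first post: its own configuration is reported OK while the afd key it depends on is missing.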

#4 narenxp

Posted 07 April 2012 - 11:24 PM

Launch FSS again and type

afd.sys
in the search box and click on search files

Post the generated log

good luck

Edited by narenxp, 07 April 2012 - 11:25 PM.


#5 newsharbor

Posted 08 April 2012 - 01:04 PM

Thanks:


Farbar Service Scanner Version: 01-03-2012
Ran by ***** on 08-04-2012 at 07:37:09
Microsoft® Windows Vista™ Home Premium (X86)

************************************************
======== Search: "afd.sys" =========

C:\Windows\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2008-08-30 21:32] - [2008-01-18 19:57] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

====== End Of Search ======

#6 narenxp

Posted 08 April 2012 - 01:38 PM

To be on the safer side before running registry fixes, I would suggest that you

Download

http://www.snapfiles.com/get/erunt.html

Install it and backup your registry to C:/Windows/erdnt

Press Windows+R key and type

notepad and click ok

Now copy this script



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"DisplayName"="Ancilliary Function Driver for Winsock"
"Group"="PNP_TDI"
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,66,00,64,00,2e,00,73,00,79,00,\
  73,00,00,00
"Description"="Ancilliary Function Driver for Winsock"
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001
"BootFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Save the notepad as

Filename:afd.reg
save as:All types

Launch the afd.reg and click YES to add it to registry


Now press Windows+R key and copy this line

C:\Windows\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50

Click ok

Copy afd.sys from that location and paste it in the C:\windows\system32\drivers folder

Restart the PC and post the new FSS log

Edited by narenxp, 08 April 2012 - 01:39 PM.


#7 newsharbor

Posted 08 April 2012 - 05:36 PM

hello narenxp:

I was okay until I got to this point:


Now press Windows+R key and copy this line <I COPIED AND PASTED THE LINE BELOW INTO THE "RUN" COMMAND LINE AND RECEIVED AN ERROR>

C:\Windows\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50

Click ok

copy afd.sys from the location <WHAT LOCATION, PLEASE??> and paste it in C:\windows\system32\drivers folder

Restart the PC and post the new FSS log <SHALL I RESTART PC THEN RUN FSS AGAIN? With all boxes checked>??

thanks;

#8 narenxp

Posted 08 April 2012 - 05:39 PM

I COPIED AND PASTED THE LINE BELOW INTO THE "RUN" COMMAND LINE AND RECEIVED AN ERROR>

You can manually browse to the specific folder, copy the file and paste it in the C:\windows\system32\drivers folder

SHALL I RESTART PC THEN RUN FSS AGAIN? With all boxes checked>??

yes

good luck

#9 newsharbor

Posted 08 April 2012 - 06:14 PM

PERFORMED THE OPERATION AGAIN, AND THIS TIME A NEW WIN EXPLORER WINDOW POPPED UP WITH THE afd.sys FILE LOCATION.
I will complete the remaining instructions and get back in a few minutes (after running FSS again).

#10 newsharbor

Posted 08 April 2012 - 07:08 PM

2ND FSS scan report: after reg update and replacing revised afd.sys into windows/system32/drivers


Farbar Service Scanner Version: 01-03-2012
Ran by ***** on 08-04-2012 at 13:29:05
Running from "C:\FSS"
Microsoft® Windows Vista™ Home Premium (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-04-08 13:15] - [2008-01-18 19:57] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2010-05-19 10:21] - [2010-02-18 01:51] - 0818688 ____A (Microsoft Corporation) 2C1F7005AA3B62721BFDB307BD5F5010

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll
[2010-05-19 10:21] - [2010-02-18 03:55] - 0317440 ____A (Microsoft Corporation) 96B73CC64BD905EA6CC4E44384ABD8C9

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2008-07-24 03:03] - [2008-07-24 03:03] - 0265912 ____A (Microsoft Corporation) 0D5AD0E71FF5DDAC5DD2F443B499ABD0

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#11 narenxp

Posted 08 April 2012 - 07:14 PM

Click on the Start button and type

cmd, then right-click it and choose Run as administrator

Run the following commands


netsh i i r r
netsh winsock reset
ipconfig /registerdns
ipconfig /flushdns
ipconfig /release
ipconfig /renew


Restart the PC

Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

#12 newsharbor

Posted 08 April 2012 - 07:42 PM

Hi narenxp,
Before I do this, my network is now working. However, my McAfee (firewall & antivirus) is not. I still have Avast (firewall & antivirus) & Malwarebytes as a backup.

Should I still run your net commands if my network is working?
Thanks.


#13 narenxp

Posted 08 April 2012 - 07:54 PM

:thumbsup:

You can ignore it. Let's fix the firewall issues.

To be on the safer side before running registry fixes, I would suggest that you

Download

http://www.snapfiles.com/get/erunt.html

Install it and backup your registry to C:/Windows/erdnt

Now Download the registry files

http://www.mediafire.com/?317ea53a883288d

http://www.mediafire.com/?z6aw8j7997qa7j9

http://www.mediafire.com/?uo36rkbqarxd618

http://www.mediafire.com/?vujckeuo1repw9v

Download these files

Launch them one by one, click YES when you get a prompt


If they open in Notepad, right-click on them

Click on OPEN WITH

Click on BROWSE

Navigate to C:/WINDOWS and select REGEDIT and click ok

Now you should get a UAC prompt, click YES

Restart your PC

Now,press windows+R key and type

regedit and click ok

go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right click on it-permissions

Click on ADD and type

Everyone and click ok

Now Click on Everyone

Below you have permission for users

Select full control and click ok


Now,press Windows+R key and type

services.msc and click ok

Start the Base Filtering Engine service and then the Windows Firewall service

Post the new FSS log

Good luck

Edited by narenxp, 08 April 2012 - 07:57 PM.
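
Both the afd.reg script in post #6 and the downloaded registry files in post #13 are merged with a double-click, so it helps to read what a .reg file will write before importing it. The following is an added example, not part of any post in this thread: a Python reader that decodes the hex(2) ImagePath and flags deletions or keys outside an expected subtree. The function names and the allowed_root check are assumptions made for illustration.

```python
import re

# Sample input: afd.reg from post #6, abridged (some values and the two subkeys left out).
AFD_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"DisplayName"="Ancilliary Function Driver for Winsock"
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,66,00,64,00,2e,00,73,00,79,00,\
  73,00,00,00
"Start"=dword:00000001
'''
STRING_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}

def decode(raw):
    """Turn the text after '=' into (type, value)."""
    if raw == "-":  # "name"=- removes a value
        return ("DELETE_VALUE", None)
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw, re.IGNORECASE)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        kind = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" is REG_BINARY
        if kind in STRING_TYPES:  # string types are stored as UTF-16LE
            return (STRING_TYPES[kind], data.decode("utf-16-le", "replace").rstrip("\x00"))
        return (f"hex({kind:x})", data)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return ("REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    return ("UNKNOWN", raw)

def parse_reg(text):
    """Return (key, name, type, value) tuples; nothing is written to the registry."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex lines continued with a trailing '\'
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):  # "[-HKEY_...]" removes a whole key
                entries.append((key[1:], None, "DELETE_KEY", None))
                key = None
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            entries.append((key, name) + decode(m.group(2)))
    return entries

def review(entries, allowed_root):
    """List what to question before importing: scope, deletions, driver path."""
    notes = []
    for key, name, kind, value in entries:
        if not key.lower().startswith(allowed_root.lower()):
            notes.append(f"touches unexpected key: {key}")
        if kind.startswith("DELETE"):
            notes.append(f"deletes: {key}\\{name or ''}")
        if name == "ImagePath" and not str(value).lower().startswith("\\systemroot\\system32\\drivers\\"):
            notes.append(f"ImagePath outside drivers folder: {value}")
    return notes

if __name__ == "__main__":
    for entry in parse_reg(AFD_REG):
        print(entry)
```

For the script in post #6 the ImagePath decodes to \SystemRoot\system32\drivers\afd.sys, and review() returns no notes when allowed_root is the Services\AFD key.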


#14 newsharbor

Posted 09 April 2012 - 03:03 AM

THANK YOU! Narenxp!
Just saw your last response! Have to go for a few hours. I will follow your instructions and be back with you tomorrow!
:cool:

#15 narenxp

Posted 09 April 2012 - 09:05 AM

:thumbup2:



