Wireless/dsl Internet connection failed after virus attack


51 replies to this topic

#1 Derek Nevero

Derek Nevero

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 26 July 2012 - 09:54 AM

I'm running a laptop with XP Media Center Edition 2002, Service Pack 3.

I got a virus that took over. I was able to locate and delete it, but now when I try to connect to the internet I get the error: Problem with Winsock Provider Catalog.

I've tried to reset the settings for the TCP/IP protocol and restart and that didn't work.

I ran Farbar Service Scanner Version: 22-07-2012

and got these results. If someone can point me in the right direction, I'd really appreciate it:


Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open IpSec registry key. The service key does not exist.


Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

ATTENTION!=====> C:\WINDOWS\system32\Drivers\afd.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-01-13 06:28] - [2012-07-26 09:35] - 0361600 ____A (Microsoft Corporation) A29E1209F925A0E9B330E11DA5FC7BAB


ATTENTION!=====> C:\WINDOWS\system32\Drivers\ipsec.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) NetBT(5) PSched(7) SYMTDI(9) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
ATTENTION!=====> IpSec Tag value should be 4. ATTENTION!=====> IpSec Tag value is missing and it should be 4.

**** End of log ****

Edited by hamluis, 30 July 2012 - 09:23 AM.
Moved from XP to Am I Infected - Hamluis.




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:36 PM

Posted 26 July 2012 - 09:58 AM

Launch FSS again and type

afd.sys;ipsec.sys


in search BOX

Click on search files

Post the generated log

Edited by narenxp, 26 July 2012 - 09:58 AM.


#3 Derek Nevero

Posted 26 July 2012 - 10:20 AM

Here is what I got:
Farbar Service Scanner Version: 22-07-2012
Ran by User (administrator) on 26-07-2012 at 11:07:09
Microsoft Windows XP Professional Service Pack 3 (X86)

************************************************
======== Search: "afd.sys;ipsec.sys" =========

C:\WINDOWS\system32\dllcache\afd.sys
[2004-08-10 11:00] - [2011-08-17 09:49] - 0138496 ____A (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2008-09-04 10:23] - [2008-04-13 15:19] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-09-04 10:26] - [2008-04-13 15:19] - 0075264 ____C (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2008-09-19 09:36] - [2008-06-20 06:44] - 0138368 ___HC (Microsoft Corporation) 944CA435BFCFC82CC1ED9E3A7D731AA9

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2008-09-19 09:36] - [2004-08-10 11:00] - 0074752 ___HC (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2009-09-28 14:23] - [2008-08-14 06:34] - 0138496 ___AC (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008-06-20 07:48] - [2008-06-20 07:48] - 0138496 ___AC (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
[2008-06-20 07:40] - [2008-06-20 07:40] - 0138496 ___AC (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
[2008-06-20 06:44] - [2008-06-20 06:44] - 0138368 ___AC (Microsoft Corporation) D99DDFFB33DEACDCF20717CB520379F6

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys
[2011-10-13 22:07] - [2011-08-17 09:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008-10-16 11:07] - [2008-10-16 11:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-22 22:51] - [2011-02-16 09:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

====== End Of Search ======

#4 narenxp

Posted 26 July 2012 - 10:44 AM

Copy both these files

C:\WINDOWS\ServicePackFiles\i386\afd.sys & C:\WINDOWS\ServicePackFiles\i386\ipsec.sys

to C:\windows\system32\drivers folder

Create a restore point before trying this

Download

afd
ipsec
wuauserv

Launch them, click YES

Restart the PC, post the new FSS log

Edited by narenxp, 26 July 2012 - 10:51 AM.


#5 Derek Nevero

Posted 26 July 2012 - 10:47 AM

Thanks, Will do after lunch!

Edited by hamluis, 26 July 2012 - 03:17 PM.
Removed unnecessary quote - Hamluis.


#6 narenxp

Posted 26 July 2012 - 10:48 AM

:thumbup2:

#7 Derek Nevero

Posted 26 July 2012 - 01:42 PM

Ok, I copied (not cut and pasted) those two files to the system32\drivers folder (so they are also still in the windows\servicepackfile\i386... folder)

Results of rescan:
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-01-13 06:28] - [2012-07-26 09:35] - 0361600 ____A (Microsoft Corporation) A29E1209F925A0E9B330E11DA5FC7BAB

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(5) NetBT(5) PSched(7) SYMTDI(9) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
ATTENTION!=====> IpSec Tag value should be 4.

**** End of log ****
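
As an added example (not part of the original posts and not Farbar's code), this Python sketch diffs two FSS logs so the change between the first scan and the rescan can be read off directly. The sample logs are constructed, abridged excerpts in the format shown in this thread, and `parse_fss` and `compare` are hypothetical names.

```python
import re

MARK = "ATTENTION!=====>"
NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
MISSING_KEY = re.compile(r"^Unable to open (\S+) registry key")
MISSING_FILE = re.compile(r"^(.+?) FILE IS MISSING")

def parse_fss(log):
    """Collect the problems an FSS log reports, grouped by kind."""
    found = {"not_running": set(), "missing_key": set(),
             "missing_file": set(), "other": set()}
    for line in log.splitlines():
        line = line.strip()
        svc = NOT_RUNNING.match(line)
        if svc:
            found["not_running"].add(svc.group(1).lower())
            continue
        # One line can carry several markers (the IpSec Tag line in the
        # first log does), so classify each marked piece on its own.
        for part in line.split(MARK)[1:]:
            part = part.strip()
            key, path = MISSING_KEY.match(part), MISSING_FILE.match(part)
            if key:
                found["missing_key"].add(key.group(1).lower())
            elif path:
                found["missing_file"].add(path.group(1).lower())
            elif part:
                found["other"].add(part)
    return found

def compare(before, after):
    """Per kind: findings the later log dropped, kept, or newly reports."""
    b, a = parse_fss(before), parse_fss(after)
    return {k: {"cleared": sorted(b[k] - a[k]),
                "remaining": sorted(b[k] & a[k]),
                "new": sorted(a[k] - b[k])} for k in b}

# Constructed, abridged excerpts in the format of the two logs in this thread.
BEFORE = r"""
afd Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
Tcpip Service is not running. Checking service configuration:
IpSec Service is not running. Checking service configuration:
Checking ImagePath: ATTENTION!=====> Unable to open IpSec registry key. The service key does not exist.
ATTENTION!=====> C:\WINDOWS\system32\Drivers\afd.sys FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> C:\WINDOWS\system32\Drivers\ipsec.sys FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> IpSec Tag value should be 4. ATTENTION!=====> IpSec Tag value is missing and it should be 4.
"""
AFTER = r"""
afd Service is not running. Checking service configuration:
Tcpip Service is not running. Checking service configuration:
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
ATTENTION!=====> IpSec Tag value should be 4.
"""

if __name__ == "__main__":
    for kind, diff in compare(BEFORE, AFTER).items():
        print(kind, diff)
```

An entry under `cleared` only means the later log no longer reports it, which by itself does not show that the service is running.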

#8 narenxp

Posted 26 July 2012 - 01:43 PM

Download

Winsock fix

Launch it, click on FIX

Restart your PC after it gets completed

Check your browser. If that doesn't work, try this


PLEASE create a restore point before trying this

Please copy the entire contents of the codebox below into Notepad:


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]





Open Notepad, copy the script, save it as

Filename:winsock.reg
save as type:All files


Launch it and click YES to add it to registry

After that, Reboot your computer.

After the restart,

Go to Network Connections
Right click on your normal connection icon, and choose Properties
Click the Install button
Choose Protocol then click Add
Click Have disk
In the drop down box, type in: C:\WINDOWS\INF and click OK
In the next dialog, click Internet Protocol (TCP/IP) then click OK
Click Close to leave the properties box

After that, restart your computer and see if you can browse now.

#9 Derek Nevero

Posted 26 July 2012 - 02:49 PM

Winsock Fix did not seem to work. I performed the 2nd option and wireless status is now "acquiring network address" and the tray icon is searching, which it wasn't doing before.
I may need to re-register my laptop's IP with ITS here at work, as all this resetting/reconfig. may have wiped out the address they have on file. Is that possible?

#10 Derek Nevero

Posted 26 July 2012 - 02:57 PM

When I go to choose a wireless network, it says cannot config. the wireless connection. I hit refresh, same thing. What's weird is that when I click on wifi status in the bottom tray it shows the network name and excellent strength, but zero packets sent/received.

#11 Derek Nevero

Posted 26 July 2012 - 03:00 PM

When I go to wireless network connection status, under Support it says Address Type: Invalid IP address; IP Address: 0.0.0.0; Subnet: 0.0.0.0

#12 narenxp

Posted 26 July 2012 - 03:49 PM

Press Windows+R key and type

cmd and click ok

Run the following commands


netsh i i r r
netsh winsock reset
ipconfig /registerdns
ipconfig /flushdns
ipconfig /release
ipconfig /renew


Press Windows+R key and type

devmgmt.msc and click ok

Expand network adapters

Right click on your network driver-Uninstall

Restart your PC, allow drivers to get installed on reboot and check your browser

#13 Derek Nevero

Posted 27 July 2012 - 07:13 AM

I get the following error when running netsh i i r r: "netsh.exe - Entry Point Not Found" "The procedure entry point MigrateWinsockConfiguration could not be located in the DLL MSWSOCK.dll."


#14 Derek Nevero

Posted 27 July 2012 - 07:18 AM

Once I click OK in that box, the cmd box says: "The following helper DLL cannot be loaded: IFMON.DLL."
"The following command was not found: i i r r."

Edited by Derek Nevero, 27 July 2012 - 07:18 AM.


#15 narenxp

Posted 27 July 2012 - 09:40 AM

Please post the new FSS log

Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log

Click Go and post the result.



