
AFD - ancillary function driver related issue


19 replies to this topic

#1 Cronyx

Posted 13 November 2012 - 04:53 PM

Mod Edit: Moved from Win7 to Am I Infected ~~ boopme



Hey guys, fellow PC tech here. We've been seeing an influx of a specific type of malware damage to Win7 machines lately, usually results in a reinstall. I'm trying to expand my knowledge a little bit on this issue.

After all malware is removed and cleaned up, one issue that remains is AFD service refuses to start. It's not listed under the hidden devices in devmgmt either. Two other things that were broken that I did manage to fix were DHCP and DNScache. I've got reg entries saved from a working machine, from both service pack 0 and 1, and every flavor of Win 7 (honestly haven't checked to see if I'm doubling up on saves, I just haven't had time to examine the differences, if any, between those that came from different versions). FSS was a lot of help there as I'm sure you know. I identified some files that were broken or missing which wasn't a problem as I also had back ups of those on my flash drive.

I've had to fix DHCP, DNScache, and other items in the food chain before; that's old hat and fairly straightforward. But the amount of information on the web regarding AFD is lacking, to say the least. When I have time, I've been experimenting on systems that are low priority when they come in with this kind of damage, but nowadays I take a few minutes to look for AFD damage and just advise a clean install, because I haven't figured out a way to fix that yet. It seems to be the parent service that many other child services in the networking hierarchy depend on.

What I'm after:

Say AFD is completely hosed in a system. Assuming I can fix it with SFC /scanfile (and if not, using the backup from my flash drive), what's required to properly reinstall it in the device manager? Ancillary Function Driver for Winsock is missing entirely from device manager, which explains the 1058 error. It's normally in non-plug and play drivers. If anyone had an .INF for it, it seems like it would be pretty straightforward.

Thanks guys. Keep fighting the good fight.


EDIT: I wanted to add that I've already copied the registry structure for AFD from a working computer like I did for DHCP and DNScache, which fixed those problems. The problem doesn't seem to be registry related. It seems to be that the device just isn't there; need to re-add it in device manager.

Edited by boopme, 13 November 2012 - 09:40 PM.




#2 InadequateInfirmity

Posted 13 November 2012 - 05:37 PM

You can try the services repair tool.
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

All in one repair tool.
http://www.tweaking.com/content/page/windows_repair_all_in_one.html

Edited by boopme, 13 November 2012 - 09:39 PM.


#3 Cronyx (Topic Starter)

Posted 13 November 2012 - 06:25 PM

The Tweaking AIO is already in my toolbox ;)
I always run that one as I'm wrapping up.

Gave the ServicesRepair a shot, no dice. AFD still doesn't show up in device manager. FSS shows that DNScache, DHCP, and AFD all have valid registry entries, and the files are all valid. The service for DHCP just won't run because it calls AFD as a dependency, and AFD won't run because of that 1058 error.

#4 InadequateInfirmity

Posted 13 November 2012 - 06:37 PM

Please post the Farbar SS log.

#5 Cronyx (Topic Starter)

Posted 13 November 2012 - 06:43 PM

Farbar Service Scanner Version: 06-08-2012
Ran by Jeri (administrator) on 13-11-2012 at 17:39:27
Running from "E:\ROOT\Triage\Farbar Service Scanner"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-12 10:48] - [2012-08-22 12:12] - 1913200 ____A (Microsoft Corporation) F782CAD3CEDBB3F9FFE3BF2775D92DDC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

C:\>net start afd
System error 1058 has occurred.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


C:\>
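The FSS log and the "net start afd" output above are what a technician reads by hand to find the first broken link in the chain (Dhcp depends on Afd). The script below is an added PowerShell example, not from the thread or from FSS, that walks a service's DependOnService chain out of the registry and reports, for every link, its SCM state, start type, image path and, for kernel drivers, whether the Root-enumerated LEGACY_<name> device node exists, which is the "missing from Device Manager" condition the thread ties to error 1058. It assumes an elevated PowerShell (2.0 or later) on the affected Windows 7 machine; the only names used are the service names from the thread.

```powershell
# Added example, not from the thread: walk the DependOnService chain that FSS and
# "net start" probe by hand, and show for every link why it can or cannot start.
# Assumes an elevated PowerShell (2.0 or later) on the affected Windows 7 machine.
param([string]$Root = 'Dhcp')   # Dhcp -> Afd is the chain the thread is about

function Get-ServiceChain {
    param([string]$Name, [int]$Depth = 0, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($Name.ToLower())) { return }   # guard against cycles
    $Seen[$Name.ToLower()] = $true

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $cfg = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

    # Get-Service skips kernel drivers, so ask WMI, which covers both kinds.
    $live = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $live) { $live = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$Name'" }

    # Non-PnP drivers such as afd get a Root-enumerated device node; the thread's
    # symptom (gone from Device Manager, "net start" error 1058) is that node being missing.
    $isDriver = ($null -ne $cfg -and $cfg.Type -eq 1)
    $node = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($Name.ToUpper())"

    New-Object PSObject -Property @{
        Depth      = $Depth
        Service    = $Name
        State      = if ($live) { $live.State } else { 'not in SCM' }
        Start      = if ($cfg) { $cfg.Start } else { 'no reg key' }  # 0 boot 1 system 2 auto 3 manual 4 disabled
        ImagePath  = if ($cfg) { $cfg.ImagePath } else { '' }
        LegacyNode = if ($isDriver) { Test-Path $node } else { 'n/a' }
    }

    # DependOnService is REG_MULTI_SZ; recurse into each dependency.
    foreach ($dep in @($cfg.DependOnService | Where-Object { $_ })) {
        Get-ServiceChain -Name $dep -Depth ($Depth + 1) -Seen $Seen
    }
}

Get-ServiceChain -Name $Root |
    Select-Object Depth, Service, State, Start, LegacyNode, ImagePath |
    Format-Table -AutoSize
```

On a machine in the state shown in post #5 the afd row would read State Stopped, Start OK, ImagePath present and LegacyNode False, which is exactly the split FSS cannot express: the service configuration is "OK" but the device node the driver needs is absent. Run it with -Root Dnscache as well; it should bottom out on the same afd row.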

#6 InadequateInfirmity

Posted 13 November 2012 - 06:49 PM

I have asked another member to look here; hang tight.

#7 narenxp (BC Advisor)

Posted 13 November 2012 - 09:13 PM

Let's check for malware before fixing the afd issue.

Download

TDSSkiller

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).

Do not change the default options on scan results.

Download

http://www.bleepingcomputer.com/download/rkill/

Run it and, after the scan finishes, post the contents of the RKill log located on the desktop here.

#8 Cronyx (Topic Starter)

Posted 13 November 2012 - 10:22 PM

Thanks for the advice, but I've already run TDSSkiller :P (and combofix, and eset, malwarebytes, super antispyware, hitman, avira boot cd, avg boot cd, kaspersky boot cd, trinity rescue kit's junk file clean up, .net cleanup and reinstall, delete windows update cache and repair windows update, etc etc etc... this machine had a lot of other problems I've already taken care of)

I actually clean about 20 of these a week (average about 5 a day). Virus cleanup is about 90% of what we do at our shop. The rest is hardware related, upgrades, etc. Service calls to install network equipment too. But that being said, it's completely clean of malware; all that's left is the damage the malware left behind.

Edited by Cronyx, 13 November 2012 - 10:26 PM.


#9 narenxp (BC Advisor)

Posted 14 November 2012 - 12:03 AM

Please post the logs :)

Together with TDSSkiller and RKill, I would like to see this one.

Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List restore points

Click Go and post the result.

Edited by narenxp, 14 November 2012 - 12:04 AM.


#10 Cronyx (Topic Starter)

Posted 14 November 2012 - 12:32 AM

Because I've already run all these tools myself over the last two days, any new logs that get spit out by the tools will be "clean" logs, not showing you anything useful. :) I don't have the "dirty" logs anymore having cleaned most of them out. That being said, do you still want them? I just don't want to waste your time, when having read them myself, they don't show anything anymore. (I'm also hesitant to waste time running scans on this machine again that I've already run when the customer paid for a rush service, and I've got five other computers to work on tonight).

I'm 100% confident that the problem is AFD related. The DNScache and DHCP services were also corrupted, but I've manually repaired those, and their registry entries. The only problem I'm having now is getting AFD reinstalled correctly, as it doesn't show up in device manager. Do you know how to reinstall and reconfigure the AFDwinsock driver and associated service?

#11 Cronyx (Topic Starter)

Posted 14 November 2012 - 11:59 AM

UPDATE: I fixed it.

Don't lock the thread or anything, I'm going to write detailed instructions, as well as upload the clean registry settings needed for the fix, when I get home after work tonight. Note that this is the fix for any AFD issue preventing the PC from obtaining an IP address due to DHCP service failing to start.

#12 John Zupancic

Posted 15 November 2012 - 11:45 AM

Cronyx, I have the same problem. Can you post the fix?

Thanks!

John -Z-

#13 Cronyx (Topic Starter)

Posted 15 November 2012 - 01:55 PM

I will John, sorry I didn't last night, I was very busy and tired when I got home. I will tonight for sure, and maybe before tonight if I get time. I'm at the shop right now. This guy's forgotten his password for gmail even though his phone and windows live mail are both logged into it, and all his account recovery answers are BS. FFS...

#14 Cronyx (Topic Starter)

Posted 16 November 2012 - 12:24 AM

Alright, so there are three services that can somehow become corrupted due to this virus. They are:
DNScache
DHCP
AFD

AFD stands for Ancillary Function Driver for Winsock. When everything's working properly, it should show up in the device manager under non-plug and play devices, when you set device manager to view all.
When it is not working, the other two services will fail to load. This is bad. DNS, or Domain Name Service, is how IP addresses are resolved from domain names. And DHCP is how your computer gets an IP address handed to it from up the food chain, instead of having to manually enter one and hope it doesn't collide. Some of the symptoms are a lack of an IP address, or that your default gateway is 255.255.0.0, instead of 255.255.255.0, so basically a C class instead of D class.

First thing to try is sfc /scanfile %windir%\system32\drivers\afd.sys

Hopefully, if damaged, this will fix it. If not, you'll need to grab this file from another working Win 7 machine. It won't let you replace it while in use, so boot to a TRK CD and run Midnight Commander or something.

Once you've got that file back in place, you're still not done, because most likely all the settings for it have been nuked from the registry.

I have the correct, clean, registry entries for all three services, but I'm not sure where to upload them. This forum doesn't seem to have an upload feature. I absolutely love it when I find a solution that perfectly describes my problem on a forum thread from 2003, and the user has linked the fix to some geocities page that now 404's. I refuse to do that to someone 5 years from now. :P

So someone, suggest a way I can link this in a somewhat future proof sense, and I'll be happy to continue my post tomorrow! :)


EDIT: This will do for now.

[Posted Image: the .jpg download link]

Download that image jpg, rename the extension to .rar and extract with WinRAR (or whatever you like, WinZip etc). Merge the .reg files it contains, and you should be fixed. ONLY FOR WINDOWS 7.
If these instructions were somehow unclear, no, you are not crazy, I really did hide files inside a jpeg of Charlie Sheen. WINNING!

If you're reading this in the future, and that link is dead, here's the reg entries it contained. Export them from a working Win 7 machine.

File contents:

..\AFD\
HKLM.SYSTEM.CurrentControlSet.Control.SafeBoot.Network.AFD.reg
HKLM.SYSTEM.CurrentControlSet.Enum.Root.LEGACY_AFD.reg
HKLM.SYSTEM.CurrentControlSet.services.AFD.reg
HKLM.SYSTEM.Setup.AllowStart.AFD.reg

4 Files


..\DHCP\
HKLM.SYSTEM.CurrentControlSet.services.Dhcp.reg

1 Files


..\DNScache\
HKLM.SYSTEM.CurrentControlSet.services.Dnscache.reg

1 Files

Hope this helps!

Edited by Cronyx, 16 November 2012 - 09:21 AM.
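The export-from-a-good-machine, fix-the-file, merge-the-keys procedure in post #14, as an added PowerShell example. This is not Cronyx's archive and not a tool from the thread; the .reg file names and the six registry paths are taken from the listing above, everything else is an assumption stated in the comments. It has two modes: Export runs on a known-good Windows 7 machine of the same service pack and edition and writes the six .reg files plus the SHA-256 of its afd.sys; Import runs on the damaged machine, refuses to touch the registry if afd.sys does not match that reference hash, merges each .reg with reg.exe and confirms the key is present afterwards. The hash check matters because a .rar renamed to .jpg is indistinguishable from the polyglot trick malware uses, so prefer your own exports from a machine you have verified clean over anything downloaded. The -ReferenceAfdSha256 default is an empty string, meaning "skip the check", not a real hash.

```powershell
# Added example, not from the thread: Export the six keys from a good Win7 box,
# Import and verify them on the damaged one. Assumes an elevated PowerShell (2.0+),
# reg.exe and certutil.exe from the OS, and the directory layout from the post.
param(
    [ValidateSet('Export','Import')] [string]$Mode = 'Import',
    [string]$Dir = (Join-Path $PWD 'winsock-fix'),
    [string]$ReferenceAfdSha256 = ''   # value printed by Export mode on the good machine
)

# File name used in the post  ->  registry key it holds
$Keys = @{
    'AFD\HKLM.SYSTEM.CurrentControlSet.Control.SafeBoot.Network.AFD.reg' = 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD'
    'AFD\HKLM.SYSTEM.CurrentControlSet.Enum.Root.LEGACY_AFD.reg'        = 'HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD'
    'AFD\HKLM.SYSTEM.CurrentControlSet.services.AFD.reg'                = 'HKLM\SYSTEM\CurrentControlSet\services\AFD'
    'AFD\HKLM.SYSTEM.Setup.AllowStart.AFD.reg'                          = 'HKLM\SYSTEM\Setup\AllowStart\AFD'
    'DHCP\HKLM.SYSTEM.CurrentControlSet.services.Dhcp.reg'              = 'HKLM\SYSTEM\CurrentControlSet\services\Dhcp'
    'DNScache\HKLM.SYSTEM.CurrentControlSet.services.Dnscache.reg'      = 'HKLM\SYSTEM\CurrentControlSet\services\Dnscache'
}
$Afd = Join-Path $env:windir 'System32\drivers\afd.sys'

function Get-FileSha256 ([string]$Path) {
    # certutil ships with Windows 7; Get-FileHash only exists from PowerShell 4 on.
    $out = & certutil.exe -hashfile $Path SHA256
    (($out | Where-Object { $_.Trim() -match '^[0-9a-f ]+$' }) -join '') -replace '\s', ''
}

switch ($Mode) {
    'Export' {
        foreach ($f in $Keys.Keys) {
            $target = Join-Path $Dir $f
            New-Item -ItemType Directory -Force -Path (Split-Path $target) | Out-Null
            & reg.exe export $Keys[$f] $target /y | Out-Null
            Write-Host ("exit={0} {1}" -f $LASTEXITCODE, $f)
        }
        Write-Host "afd.sys SHA256 on this (reference) machine: $(Get-FileSha256 $Afd)"
    }
    'Import' {
        # 1. File first: the keys are useless if afd.sys itself is still damaged.
        $sha = Get-FileSha256 $Afd
        Write-Host "afd.sys SHA256 here: $sha"
        if ($ReferenceAfdSha256 -and $sha -ne $ReferenceAfdSha256) {
            throw "afd.sys does not match the reference copy; fix it first (sfc /scanfile or offline copy)."
        }
        # 2. Merge each .reg, then confirm the key really exists afterwards.
        foreach ($f in $Keys.Keys) {
            $file = Join-Path $Dir $f
            if (-not (Test-Path $file)) { Write-Warning "missing $f"; continue }
            & reg.exe import $file 2>&1 | Out-Null
            $psPath  = $Keys[$f] -replace '^HKLM\\', 'HKLM:\'
            $present = Test-Path $psPath
            Write-Host ("import={0} present={1} {2}" -f $LASTEXITCODE, $present, $Keys[$f])
            if ($LASTEXITCODE -ne 0) {
                # John's note below: some keys needed their permissions reset before import worked.
                Write-Warning "reg import failed; reset permissions on $($Keys[$f]) in regedit and re-run."
            }
        }
        Write-Host 'Reboot, then: net start afd ; net start dhcp ; net start dnscache'
    }
}
```

Typical use: on the good machine `.\winsock-fix.ps1 -Mode Export -Dir E:\winsock-fix` and note the printed hash; on the damaged one `.\winsock-fix.ps1 -Mode Import -Dir E:\winsock-fix -ReferenceAfdSha256 <hash>`. The script deliberately does not rewrite key ACLs for you: a failed import on one of these keys is a sign that something changed the permissions, and that is worth looking at before overwriting it.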


#15 John Zupancic

Posted 16 November 2012 - 07:33 AM

Cronyx, THANK YOU THANK YOU!!!

I exported the reg keys you listed from a working Windows 7 system.
Had to reset the permissions on a few of the registry keys before I could import them.

Once the keys were all successfully imported, I rebooted and network connectivity has been restored!!!

Thanks again for the help.

John -Z-



