
Homeland Security Ransomware Removed but No Network Access


  • This topic is locked
15 replies to this topic

#1 jknick9

jknick9

  • Members
  • 41 posts
  • OFFLINE
  • Local time:07:01 PM

Posted 30 November 2013 - 05:04 PM

I used the bootable AV USB Hitman Pro to remove the Homeland Security Ransomware from my Acer Aspire 5733Z laptop. Now my network gets stuck with the never-ending spinner and an 'Identifying' status. The ipconfig says I have a 169.254 address and no default gateway. My Ancillary Function Driver for Winsock and the HTTP drivers had exclamation points and a notice that said they were partially missing or corrupt. I uninstalled and restarted, and now they seem to be gone from the Device Manager altogether. I have tried running sfc /scannow, I've tried chkdsk /r, I've tried all the /refresh /renew cmd prompts I could find as well; to no avail. Nothing seems to be correcting the issue. I even set a static IP, which did nothing; same response of identifying. I have had some help from other members on here and they've sent me to this forum, so now I'm attaching the DDS logs as instructed. Hopefully a kind soul can help me resolve this! Thank you.

dds: 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.6.2
Run by Shawnn at 16:36:27 on 2013-11-30
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3767.2710 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler64.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Shawnn\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uSearch Bar = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://acer.msn.com
uSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: PodcastBHO Class: {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - C:\Program Files (x86)\Common Files\doubleTwist\IEPodcastPlugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "C:\Users\Shawnn\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Google Update] "C:\Users\Shawnn\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://rubyslive.dipmap.com/cab/OCXChecker_8198.cab
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://rubyslive.dipmap.com/cab/DownloadCenter_8200.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{0ABC6124-EAEF-486D-989C-F78F213140DF} : DHCPNameServer = 192.168.169.1
TCP: Interfaces\{0ABC6124-EAEF-486D-989C-F78F213140DF}\16474777966696 : DHCPNameServer = 192.168.5.1
TCP: Interfaces\{0ABC6124-EAEF-486D-989C-F78F213140DF}\34550502F402A4F45402D20264255454 : DHCPNameServer = 10.128.128.128
TCP: Interfaces\{0ABC6124-EAEF-486D-989C-F78F213140DF}\3547165766370234F66666565602D20264255454 : DHCPNameServer = 10.128.128.128
TCP: Interfaces\{0ABC6124-EAEF-486D-989C-F78F213140DF}\441697370294E6E60213 : DHCPNameServer = 192.168.5.1
TCP: Interfaces\{0ABC6124-EAEF-486D-989C-F78F213140DF}\C696E6B6379737 : DHCPNameServer = 97.64.209.36 97.64.168.13
TCP: Interfaces\{AFD64105-13BC-4DC3-8B78-28086303CF9E} : DHCPNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 iPodDrv;iPodDrv;C:\Windows\System32\drivers\iPodDrv.sys [2011-7-27 14952]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-1 363344]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2011-8-1 142632]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2011-8-1 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-8-1 158976]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-1-17 412712]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-12-4 24152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Andbus;LGE Android Platform Composite USB Device;C:\Windows\System32\drivers\lgandbus64.sys [2010-12-7 19456]
S3 AndDiag;LGE Android Platform USB Serial Port;C:\Windows\System32\drivers\lganddiag64.sys [2010-12-7 27648]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;C:\Windows\System32\drivers\lgandgps64.sys [2010-12-7 27136]
S3 ANDModem;LGE Android Platform USB Modem;C:\Windows\System32\drivers\lgandmodem64.sys [2010-12-7 34304]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2011-8-1 243712]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-5 1255736]
S4 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-8-1 353360]
S4 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-8-16 872552]
S4 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S4 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2011-1-17 29696]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-8-1 13336]
S4 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-8-1 244624]
S4 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2011-4-23 256832]
S4 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-9-1 2735528]
S4 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-8-1 2320920]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-11-29 22:28:57 -------- d-----w- C:\Program Files (x86)\ESET
2013-11-28 01:45:44 -------- d-----w- C:\ProgramData\Kaspersky Lab
2013-11-27 03:01:29 -------- d-----w- C:\Program Files (x86)\DLLSuite
2013-11-27 02:27:26 -------- d-----w- C:\Windows\System32\catroot2
2013-11-27 02:12:03 -------- d-----w- C:\Windows\System32\wbem\repository
2013-11-26 17:36:29 -------- d-----w- C:\Windows\System32\wbem\repository.003
2013-11-26 16:57:23 -------- d-----w- C:\Windows\System32\wbem\repository.002
2013-11-26 16:56:14 -------- d-----w- C:\Windows\SysWow64\wbem\Performance
2013-11-25 23:04:54 -------- d-----w- C:\Program Files\HitmanPro
2013-11-25 23:04:28 -------- d-----w- C:\ProgramData\HitmanPro
2013-11-25 22:42:22 -------- d-----w- C:\Windows\ERUNT
2013-11-25 22:16:13 -------- d-----w- C:\AdwCleaner
2013-11-25 21:48:35 -------- d-----w- C:\FRST
2013-11-25 21:02:49 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2013-11-23 22:59:31 10280728 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{469E16E7-76DE-4E3A-AFED-C52448B5AC35}\mpengine.dll
2013-11-22 15:27:32 -------- d-----w- C:\9365fcd6e6e74ac5397b7464
2013-11-19 04:31:32 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-11-18 16:45:53 61024 ----atw- C:\ProgramData\j61lf9dt.pss
.
==================== Find3M  ====================
.
2013-10-10 13:49:15 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-10-10 13:49:14 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-22 23:28:06 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:53 14335488 ----a-w- C:\Windows\SysWow64\mshtml(58).dll
2013-09-22 23:27:49 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-09-22 23:27:48 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-09-22 23:27:48 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-09-22 22:55:10 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-09-22 22:54:51 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-09-22 22:54:50 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-09-22 22:54:50 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-09-21 03:38:39 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-09-21 03:30:24 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-09-21 02:48:36 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-21 02:39:47 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-09-14 01:10:19 497152 ----a-w- C:\Windows\System32\drivers\afd(51).sys
2013-09-08 02:30:37 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14 327168 ----a-w- C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58 231424 ----a-w- C:\Windows\SysWow64\mswsock.dll
2013-09-03 18:35:10 278800 ----a-w- C:\Windows\System32\MpSigStub.exe
2011-01-18 08:53:32 2994688 ----a-w- C:\Program Files\openofficeorg33.msi
2011-01-18 08:52:10 475016 ----a-w- C:\Program Files\setup.exe
.
============= FINISH: 16:52:48.95 ===============
 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:01 PM

Posted 01 December 2013 - 10:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download this tool using a good computer and copy the file to the Desktop of the problem computer.

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (Result.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


#3 jknick9

jknick9
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:07:01 PM

Posted 01 December 2013 - 03:32 PM

MiniToolBox by Farbar  Version: 13-07-2013
Ran by Shawnn (administrator) on 01-12-2013 at 15:29:57
Running from "F:\"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
 
 
 
127.0.0.1       localhost
 
========================= IP Configuration: ================================
 
Broadcom NetLink ™ Ethernet = Local Area Connection (Connected)
Atheros AR5B95 Wireless Network Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Shawnn-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Peer-Peer
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : columbus.rr.com
 
Wireless LAN adapter Wireless Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : E2-F8-DA-68-56-96
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wireless Network Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Atheros AR5B95 Wireless Network Adapter
   Physical Address. . . . . . . . . : C0-F8-DA-68-56-96
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : columbus.rr.com
   Description . . . . . . . . . . . : Broadcom NetLink ™ Ethernet
   Physical Address. . . . . . . . . : B8-70-F4-E2-1E-0C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fdc2:3d98:a1cb:1013%11(Preferred) 
   Autoconfiguration IPv4 Address. . : 169.254.16.19(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 209.18.47.61
                                       209.18.47.62
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.Belkin:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.columbus.rr.com:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : columbus.rr.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{1635143F-CCF8-44CB-A4E6-9C3568ACE920}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  209.18.47.61
 
Ping request could not find host google.com. Please check the name and try again.
Server:  UnKnown
Address:  209.18.47.61
 
Ping request could not find host yahoo.com. Please check the name and try again.
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...e2 f8 da 68 56 96 ......Microsoft Virtual WiFi Miniport Adapter
 12...c0 f8 da 68 56 96 ......Atheros AR5B95 Wireless Network Adapter
 11...b8 70 f4 e2 1e 0c ......Broadcom NetLink ™ Ethernet
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link     169.254.16.19    276
    169.254.16.19  255.255.255.255         On-link     169.254.16.19    276
  169.254.255.255  255.255.255.255         On-link     169.254.16.19    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     169.254.16.19    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     169.254.16.19    276
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    276 fe80::/64                On-link
 11    276 fe80::fdc2:3d98:a1cb:1013/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (11/30/2013 04:35:59 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (11/30/2013 04:25:10 PM) (Source: Office Software Protection Platform Service) (User: )
Description: Acquisition of Rights Account Certificate failed. hr=0x80072EE7
 
Error: (11/30/2013 04:25:10 PM) (Source: Office Software Protection Platform Service) (User: )
Description: License acquisition failure details. 
hr=0x80072EE7
 
Error: (11/30/2013 01:23:35 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 11:10:05 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 10:42:19 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 10:39:13 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 05:55:11 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 05:28:54 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (11/29/2013 05:28:45 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
 
System errors:
=============
Error: (12/01/2013 03:30:08 PM) (Source: Service Control Manager) (User: )
Description: The HTTP service failed to start due to the following error: 
%%22
 
Error: (12/01/2013 03:29:14 PM) (Source: Service Control Manager) (User: )
Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: 
%%1068
 
Error: (12/01/2013 03:29:14 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the AFD service which failed to start because of the following error: 
%%577
 
Error: (12/01/2013 03:29:14 PM) (Source: Service Control Manager) (User: )
Description: The AFD service failed to start due to the following error: 
%%577
 
Error: (12/01/2013 03:29:13 PM) (Source: Service Control Manager) (User: )
Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: 
%%1068
 
Error: (12/01/2013 03:29:13 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the AFD service which failed to start because of the following error: 
%%577
 
Error: (12/01/2013 03:29:13 PM) (Source: Service Control Manager) (User: )
Description: The AFD service failed to start due to the following error: 
%%577
 
Error: (11/30/2013 05:41:16 PM) (Source: Service Control Manager) (User: )
Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: 
%%1068
 
Error: (11/30/2013 05:41:16 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the AFD service which failed to start because of the following error: 
%%577
 
Error: (11/30/2013 05:41:16 PM) (Source: Service Control Manager) (User: )
Description: The AFD service failed to start due to the following error: 
%%577
 
 
Microsoft Office Sessions:
=========================
Error: (11/30/2013 04:35:59 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestF:\esetsmartinstaller_enu.exe
 
Error: (11/30/2013 04:25:10 PM) (Source: Office Software Protection Platform Service)(User: )
Description: hr=0x80072EE723037f94-d654-4f38-962f-ff5b15348630
 
Error: (11/30/2013 04:25:10 PM) (Source: Office Software Protection Platform Service)(User: )
Description: hr=0x80072EE700010001(0x00000000, 16:25:10:237 - http://go.microsoft.com/fwlink/?LinkID=120750)
00020001(0x00000000, 16:25:10:237)
00030001(0x00000000, 16:25:10:252 - http://go.microsoft.com)
00030002(0x00000000, 16:25:10:252 - 0)
00040001(0x00000000, 16:25:10:252 - http://go.microsoft.com)
00040002(0x00000000, 16:25:10:252 - 1, <NULL>, <NULL>, <NULL>)
00040004(0x80072F94, 16:25:10:252 - <NULL>)
00040006(0x00000000, 16:25:10:252 - 1, http://go.microsoft.com, <NULL>, <local>)
00020005(0x00000000, 16:25:10:252 - 0)
00020007(0x80072EE7, 16:25:10:252)
00010002(0x80072EE7, 16:25:10:252 - <NULL>)
00010003(0x80072EE7, 16:25:10:252)
 
Error: (11/30/2013 01:23:35 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 11:10:05 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 10:42:19 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 10:39:13 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 05:55:11 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out
 
Error: (11/29/2013 05:28:54 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestE:\esetsmartinstaller_enu.exe
 
Error: (11/29/2013 05:28:45 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestE:\esetsmartinstaller_enu.exe
 
 
CodeIntegrity Errors:
===================================
  Date: 2013-12-01 15:30:28.160
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:28.097
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:28.019
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:27.941
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:11.904
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:11.826
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:11.764
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:11.686
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:11.577
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-12-01 15:30:11.514
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\afd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
**** End of log ****
 
 
(thank you) :)


#4 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 02 December 2013 - 09:06 AM

I need to see the result of this scan.

Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action center
  • Windows Update
  • Windows Defender
Press Scan.
This will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

#5 jknick9 (Topic Starter)

Posted 02 December 2013 - 09:39 AM

Farbar Service Scanner Version: 23-11-2013
Ran by Shawnn (administrator) on 02-12-2013 at 09:37:31
Running from "F:\"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
 
afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.
Checking LEGACY_afd: ATTENTION!=====> Unable to open LEGACY_afd\0000 registry key. The key does not exist.
 
 
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. 
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors
 
 
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
 
 
Firewall Disabled Policy: 
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".
 
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ImagePath of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ServiceDll of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
 
Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
 
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****


#6 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 02 December 2013 - 02:28 PM

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

Go to this Windows 7 site.
http://download.bleepingcomputer.com/win-services/7/

Download the following registry files to your desktop:
AFD.reg
LEGACY_AFD.reg
SharedAccess.reg
PolicyAgent.reg
RemoteAccess.reg


Double click on each downloaded file and confirm the prompt.
Restart computer normally.
Post new FSS log.

What problem remains?

#7 jknick9 (Topic Starter)

Posted 03 December 2013 - 12:12 AM

Hey, sorry, I've been traveling all day from Ohio to Florida. I can do this when I get off tomorrow around 2pm Central time. Didn't want to leave a long silence. I appreciate the help.

#8 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 03 December 2013 - 09:16 AM

No problems.

#9 jknick9 (Topic Starter)

Posted 03 December 2013 - 05:01 PM

The Legacy_AFD couldn't merge; the following error popped up:

Cannot import f: legacy_afd.reg error accessing registry.

All the rest merged fine, but upon reboot I still could not connect to the internet. Still stuck in identifying. Here is the new FSS:


Farbar Service Scanner Version: 23-11-2013
Ran by Shawnn (administrator) on 03-12-2013 at 16:57:26
Running from "F:\"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
 
afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.
Checking LEGACY_afd: ATTENTION!=====> Unable to open LEGACY_afd\0000 registry key. The key does not exist.
 
 
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. 
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".
 
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****
 
*thanks for being patient with me :)


#10 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 04 December 2013 - 08:44 AM


Let's see if afd.sys is present on the hard disk.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    afd.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

Download this program to your desktop.
Tweaking.com - Windows Repair 1.9.16
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/

Extract and launch the Repair_Windows.exe file.

Click on the Start Repairs tab, then click on Start.

Check mark the following options alone:

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Repair MDAC & MS Jet
Repair Hosts File
Remove Policies Set By Infections
Repair Winsock & DNS Cache
Remove Temp Files
Repair Proxy Settings
Unhide Non System Files
Repair Windows Updates
  • Check mark the Restart System When Finished option
  • Click the Start button
  • The system should restart after the repair
Run the AFD.reg file again. Post the log.

Let me know if the problem persists.


#11 jknick9 (Topic Starter)

Posted 04 December 2013 - 12:00 PM

Problem prevails! :( Still cannot connect; however, the legacy_afd.reg DID successfully merge~

Here is the SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 10:54 on 04/12/2013 by Shawnn
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "afd.sys"
C:\Windows\System32\drivers\afd.sys --a---- 497152 bytes [04:31 19/11/2013] [01:09 28/09/2013] 79059559E89D06E8B80CE2944BE20228
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [03:24 21/11/2010] [03:24 21/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys --a---- 499200 bytes [06:35 01/08/2011] [02:34 25/04/2011] D5B031C308A409A0A576BFF4CF083D30
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --a---- 498688 bytes [15:17 15/02/2012] [03:59 28/12/2011] 1C7857B62DE5994A75B054A9FD4C3825
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.18264_none_35d81beb75355772\afd.sys --a---- 497152 bytes [08:51 10/10/2013] [01:10 14/09/2013] 314C17917AC8523EC77A710215012A65
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.18272_none_35cb4b6b753f40b5\afd.sys --a---- 497152 bytes [04:31 19/11/2013] [01:09 28/09/2013] 79059559E89D06E8B80CE2944BE20228
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys --a---- 499200 bytes [06:35 01/08/2011] [03:09 25/04/2011] F4AD06143EAC303F55D0E86C40802976
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [15:17 15/02/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.22457_none_366f8b668e482477\afd.sys --a---- 496128 bytes [08:51 10/10/2013] [01:11 14/09/2013] 26EF7E0DF4EDCD898EB7A671529410B8
 
-= EOF =-
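The filefind result above lists the live afd.sys next to every copy the WinSxS component store holds, each store folder carrying the file version in its name. The check a defender wants on such output is whether the live copy is byte-identical (here, by the MD5 that SystemLook prints) to one of the stored versions; FSS reported "MD5 is legit" for the same file in the earlier posts, and this comparison shows what that verdict rests on. The following is an added example (not part of this thread or of SystemLook) that parses the lines quoted above, maps each store copy's hash to its version, and reports the live copy as matching or as suspect. The sample input is the post's own output; the folder-name version convention is the one visible in those paths, and MD5 is used only because it is what the tool prints, not as a signature check.

```python
"""Cross-check a SystemLook ':filefind' result against the WinSxS component store.
Added example, not part of the thread or of SystemLook. A system file living
outside the component store should be byte-identical to one of the versions the
store keeps for it; a live copy whose MD5 matches no stored version has been
modified or replaced. MD5 is only what SystemLook prints, not a signature check.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Sample input: the filefind lines copied from the post above.
SAMPLE_FILEFIND = r"""
Searching for "afd.sys"
C:\Windows\System32\drivers\afd.sys --a---- 497152 bytes [04:31 19/11/2013] [01:09 28/09/2013] 79059559E89D06E8B80CE2944BE20228
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [03:24 21/11/2010] [03:24 21/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys --a---- 499200 bytes [06:35 01/08/2011] [02:34 25/04/2011] D5B031C308A409A0A576BFF4CF083D30
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --a---- 498688 bytes [15:17 15/02/2012] [03:59 28/12/2011] 1C7857B62DE5994A75B054A9FD4C3825
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.18264_none_35d81beb75355772\afd.sys --a---- 497152 bytes [08:51 10/10/2013] [01:10 14/09/2013] 314C17917AC8523EC77A710215012A65
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.18272_none_35cb4b6b753f40b5\afd.sys --a---- 497152 bytes [04:31 19/11/2013] [01:09 28/09/2013] 79059559E89D06E8B80CE2944BE20228
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys --a---- 499200 bytes [06:35 01/08/2011] [03:09 25/04/2011] F4AD06143EAC303F55D0E86C40802976
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [15:17 15/02/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.22457_none_366f8b668e482477\afd.sys --a---- 496128 bytes [08:51 10/10/2013] [01:11 14/09/2013] 26EF7E0DF4EDCD898EB7A671529410B8
"""

class FileRecord(NamedTuple):
    path: str
    size: int
    md5: str

# One filefind line: path, 7-char attribute field, size, two bracketed
# timestamps, 32 hex digits.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[[^\]]*\] \[[^\]]*\] (?P<md5>[0-9A-Fa-f]{32})", re.MULTILINE)
# Component-store folders carry the file version in their name (as seen above).
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")

def parse_filefind(text: str) -> List[FileRecord]:
    return [FileRecord(m["path"], int(m["size"]), m["md5"].upper())
            for m in LINE_RE.finditer(text)]

def is_component_store(path: str) -> bool:
    return "\\winsxs\\" in path.lower()

def store_versions(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Map MD5 -> the WinSxS component versions that carry exactly that file."""
    out: Dict[str, List[str]] = {}
    for r in records:
        if is_component_store(r.path):
            m = VERSION_RE.search(r.path)
            out.setdefault(r.md5, []).append(m.group(1) if m else "unknown")
    return out

def check_live_copies(records: List[FileRecord]) -> Dict[str, Optional[str]]:
    """For every copy outside WinSxS: the store version it matches, or None."""
    by_hash = store_versions(records)
    return {r.path: (by_hash[r.md5][0] if r.md5 in by_hash else None)
            for r in records if not is_component_store(r.path)}

def report(records: List[FileRecord]) -> List[str]:
    """One verdict line per live copy; SUSPECT means no store copy has that hash."""
    lines = []
    for path, version in check_live_copies(records).items():
        if version:
            lines.append(f"OK       {path} == component store {version}")
        else:
            lines.append(f"SUSPECT  {path} matches no component-store copy")
    return lines
```

On the post's data `report(parse_filefind(SAMPLE_FILEFIND))` flags the live afd.sys as OK because it is identical to the 6.1.7601.18272 store copy (same size, same hash, same timestamps). A replaced or patched driver would show up as SUSPECT, since no store folder would carry its hash; a file that passes this check but still fails CodeIntegrity, as in this thread, points at the catalog or signature state on the machine rather than at the file's bytes.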


#12 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 04 December 2013 - 02:18 PM

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

at the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/
===

If that fails, continue.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Keep me posted.

#13 jknick9 (Topic Starter)

Posted 04 December 2013 - 07:09 PM

The result of your first instructions: 

 

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.
 
C:\Users\Shawnn>ipconfig /flushdns
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
C:\Users\Shawnn>ipconfig /renew
 
Windows IP Configuration
 
No operation can be performed on Wireless Network Connection while it has its me
dia disconnected.
An error occurred while renewing interface Wireless Network Connection 2 : The R
PC server is unavailable.
 
No operation can be performed on Local Area Connection while it has its media di
sconnected.
 
C:\Users\Shawnn>
 
 
I checked connection after ^ and it was still identifying. 
 
I then did your 2nd set of instructions and everything merged beautifully, but I still could not connect. I ran the troubleshooter again, and this time it actually found a problem, whereas before it said it could not help. The problems found are listed as:

Windows could not automatically detect this network's proxy settings. (Detected, yellow exclamation point)

So we're still just identifying at this point. Bugger.


#14 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 05 December 2013 - 09:03 AM


This is not my domain. I suggest you create a new topic in the Networking forum:
http://www.bleepingcomputer.com/forums/forum21.html

Run the Farbar Service Scanner tool one more time and post a fresh log in that forum.
An expert should be able to help you better than I can.

#15 jknick9 (Topic Starter)

Posted 05 December 2013 - 04:23 PM

Done.

Thanks for all your help!!





