I removed a virus via MSE and afterwards have lost the ability to connect to the internet. This is a Windows 7 Professional 32-bit laptop. Statically I can set the IP address and DNS server and can ping the DG and the DNS server. I can also ping Google by IP address. However, I cannot reach the website through IP address. I have tried winsock resets along with reinstallation of network adapter drivers. I have even done a system restore to a month back, but so far none have worked. I have been scouring the web for the last 4 hours looking for a solution to fix the problem but have yet to find anything. Also, I have uninstalled all antivirus software aside from MBAM. I hope that I can find a solution through this community.

I hope that I can find a solution through this community.

We can try :)

-- Do you have any logs from the malware removal process? If so, please post them.

-- Please download and run Farbar Service Scanner
Check all the boxes and hit scan. It should produce a log. Please post the FSS.txt for us.

-- Please follow the steps in the linky below to obtain the GMER scanlogs and the DDS Logs:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

I or another volunteer will try to check back as time permits.

-- 'Course, if you have issues connecting the ill machine, you'll need a flash drive to transfer the tools and scanlogs....

Cheers :)
PP

fss log here.

Farbar Service Scanner
Ran by jmartinez (administrator) on 13-01-2012 at 15:35:47
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\windows\system32\Drivers\afd.sys is missing.
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

nslookup gives an UnKnown can't find XXXX No response from server.

I did run FSS and it kicked out a log file saying that the machine is missing afd.sys under the windows\system32\drivers folder. I have run a search and found other afd.sys files inside the winsxs folder and supposedly, according to http://www.smartestcomputing.us.com/topic/49786-no-internet-connection-after-virusmalware-removal-fix/, I can just replace the missing file. Trying this now.
.
.
.
Well, that didn't work either. The Windows network diagnostic tool responds with "DNS server isn't responding". Yet I can ping the DNS server. I've tried the reset in explorer and have also tried using Firefox.

Just checked services.msc and there are many, many, many services with a

<Failed to Read Description. Error Code: 8>

some in particular: network connections, DNS client

Some show as started, however, and can be restarted. Earlier today the DNS client wouldn't start at all, but with a registry workaround (going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS and removing the DependOnService, then rebooting) a new one was created and the DNS client service finally started.

It looks like you are on the right track.

I'd like to see the other logs I requested because, if the rootkitted malware is still active, it'll just reinfect another driver and you'll be back at square one.

This malware infects a random driver (from a small predetermined pool) and cleaning attempts bork the internet connection because they do not replace the infected driver, nor do they address the registry damage.

-- Did you back up the registry before hacking it? If not, I suggest you do so with a tool such as ERUNT.

Anyhoo, please post the logs and we'll go from there.

Cheers :)
PP

Just for closure. Wound up just doing an HP recovery after backing up the profile with Windows Easy Transfer. Everything is back to normal.
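
Added example, not part of the original thread and not code from Farbar Service Scanner: a small Python triage of an FSS log like the one posted above, separating services that are merely stopped from those whose registry key was deleted, and flagging services where both the key and the driver file are gone (the afd case in this thread). The function name `triage_fss` and the result keys are assumptions; the sample lines are excerpted from the log in this thread.

```python
import re
from pathlib import PureWindowsPath

# Lines excerpted from the FSS log posted in this thread (trimmed).
SAMPLE_FSS = r"""
afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
Attention! C:\windows\system32\Drivers\afd.sys is missing.
C:\windows\system32\wscsvc.dll => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
KEY_MISSING = re.compile(
    r"Unable to open (\S+) registry key\. The service key does not exist\.")
FILE_MISSING = re.compile(r"^Attention! (.+) is missing\.$")


def triage_fss(log_text):
    """Summarise an FSS log: stopped services, deleted keys, missing files."""
    stopped, no_key, missing = set(), set(), set()
    for line in log_text.splitlines():
        line = line.strip()
        if m := NOT_RUNNING.match(line):
            stopped.add(m.group(1).lower())
        if m := KEY_MISSING.search(line):
            no_key.add(m.group(1).lower())
        if m := FILE_MISSING.match(line):
            missing.add(m.group(1))
    # Match missing files to services by base name (afd.sys -> afd). Where
    # both the key and the file are gone, restoring only the file (as tried
    # in this thread) still leaves the service without its registry key.
    stems = {PureWindowsPath(p).stem.lower() for p in missing}
    return {
        "stopped_config_ok": sorted(stopped - no_key),
        "service_key_missing": sorted(no_key),
        "file_missing": sorted(missing),
        "key_and_file_missing": sorted(no_key & stems),
    }


if __name__ == "__main__":
    for finding, items in triage_fss(SAMPLE_FSS).items():
        print(f"{finding}: {', '.join(items) or '-'}")
```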
