[Closed]Search redirect, Ping.exe, Rootkit.Gen2

Status
Not open for further replies.
Let's try this:

Click on Start> Run> type in cmd > Enter
At the Command prompt, type in the following:
Code:
net start AFD
Then enter.

If that doesn't start it: Please download sUBs' SvcQuery.exe and save to your desktop.
  • Double click the file to Open
  • A window will open. When prompted to provide a service name, type in the following:
    AFD
  • Press Enter
  • The tool will create a log. Please leave that in your next reply.
=============================
That failing: Please download Farbar Service Scanner
  • Check Include all files option
  • Press the Scan button
  • Log named FSS.txt will be created in the same directory as the tool
  • Please paste the log into your next reply
===============================
New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
 
Bobbye,

1) I ran 'net start AFD' and received response 'The service name is invalid'

2) I ran SvcQuery and received response 'Service not found'

3) Ran FSS.exe - There was not an option for 'Include all files'. Ran with 'Internet Services' Log is attached.

Looks like AFD is not found, started, or is corrupted.

I ran a file search for AFD and found several AFD.sys and afd.sys files, and a couple msafd.dll files.

There are several files with a bunch of numbers/letters along with 'AFD' embedded in the filename. Two of these files were created at nearly the same time I started having redirect problems (11/21/2011 8:36). Might be a coincidence or unrelated, but I thought it was worth sharing.




Farbar Service Scanner
Ran by Rich (administrator) on 30-12-2011 at 14:10:47
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value does not exist.
Checking LEGACY_afd: Attention! Unable to open LEGACY_afd\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2002-08-29 05:00] - [2008-10-16 09:43] - 0138496 ____A (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) MDC80211(8) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000500000006000000070000000800000009000000

**** End of log ****
 
Okay, let's see if we can get the network going:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    afd.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=====================================
If we can find the file, I can replace the missing one. Then we'll try to reset the Services in Safe Mode.
=====================================
In a separate error, I see:
Description = Product: Microsoft Office 2000 Professional -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Professional.
The Windows
installer cannot continue.

Do you know anything about that?
 
I hate to lose you after all our hard work. I'm closing old threads now. Did you want to continue and try to resolve this?
 
Bobbye - Please leave thread open. I have not had a chance to run SystemLook.

As far as the entry for Office, I do have Office installed and it runs fine (has for several years). Looks like the error 1706 in the log below occurred the same day and time I started having issues with search engine redirects. I do not recall trying to start Office after the redirect issues appeared.
 
Bobbye,

Here is system look log.

SystemLook 30.07.11 by jpshortstuff
Log created at 13:28 on 28/01/2012 by Rich
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.*"
C:\I386\AFD.SYS --a---- 131968 bytes [00:54 23/09/2004] [10:00 29/08/2002] 51B1872B62D1C335BAC53313913C8D5B
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$NtServicePackUninstall$\afd.sys -----c- 138496 bytes [18:27 29/08/2009] [06:14 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------- 138112 bytes [06:14 04/08/2004] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3gdr\afd.sys --a---- 138496 bytes [14:43 16/10/2008] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3qfe\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys --a---- 138496 bytes [10:00 29/08/2002] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\SYSTEM32\DRIVERS\afd.sys --a---- 138496 bytes [10:00 29/08/2002] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37

-= EOF =-
 
Okay, got it all together:

Step 1: do this first:
Using Windows Explorer> Navigate to following folder:
C:\WINDOWS\ServicePackFiles\i386\afd.sys
Find and copy afd.sys file.
Paste the file into C:\Windows\System32\drivers folder.

Step 2: Follow these steps first to edit the Registry:
Create a System Restore Point first: For Win XP

Download the zip file for your OS: XP.zip
  • Unzip the file> There will be several files
  • Right click on afd.reg file, click "Merge".
  • Allow registry merge.
  • Reboot the computer> check internet connection
  • Run Farbar again and post new FSS log.
------------------------
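Step 1 above picks one afd.sys out of the eight copies SystemLook found. As an added example (not code from the thread or from SystemLook), this parser assumes the filefind line format shown in the posted log and groups the hits by MD5, so a responder can see at a glance how many distinct versions exist and whether the live driver still matches the Windows File Protection copy in DLLCACHE:

```python
import re
from collections import defaultdict

# Constructed sample: filefind hits copied from the SystemLook log posted above.
SYSTEMLOOK_LOG = r"""Searching for "afd.*"
C:\I386\AFD.SYS --a---- 131968 bytes [00:54 23/09/2004] [10:00 29/08/2002] 51B1872B62D1C335BAC53313913C8D5B
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------- 138112 bytes [06:14 04/08/2004] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys --a---- 138496 bytes [10:00 29/08/2002] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\SYSTEM32\DRIVERS\afd.sys --a---- 138496 bytes [10:00 29/08/2002] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
"""

# path attrs size bytes [created] [modified] md5
HIT_RE = re.compile(
    r"^(?P<path>[A-Z]:\\\S+) (?P<attrs>\S{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-F]{32})$")

def parse_filefind(text):
    """One dict per hit line: path, attrs, size (int), created, modified, md5."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hits.append(hit)
    return hits

def versions(hits):
    """Distinct file versions keyed by MD5: the size and every path holding it."""
    out = defaultdict(lambda: {"size": None, "paths": []})
    for h in hits:
        out[h["md5"]]["size"] = h["size"]
        out[h["md5"]]["paths"].append(h["path"])
    return dict(out)

def live_driver_matches_cache(hits):
    """True when system32\\DRIVERS\\afd.sys hashes the same as the Windows
    File Protection copy in DLLCACHE; a mismatch deserves a closer look."""
    def md5_under(folder):
        return {h["md5"] for h in hits if folder in h["path"].upper()}
    live = md5_under("\\SYSTEM32\\DRIVERS\\")
    return bool(live) and live == md5_under("\\SYSTEM32\\DLLCACHE\\")
```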
 
Bobbye,

Completed steps above, but still get hung up at 'Acquiring Network Address' when trying to establish a network connection. FSS Log below.

Looks like a couple errors from previous FSS log have been fixed. The only one that was not fixed is LEGACY_afd key.

Looks like we are getting closer!!!

Farbar Service Scanner Version: 18-01-2012 01
Ran by Rich (administrator) on 29-01-2012 at 15:41:27
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.
Checking LEGACY_afd: Attention! Unable to open LEGACY_afd\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) MDC80211(8) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000500000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****
 
Well, there your thread was, buried at the bottom of my email folder! I am so sorry I keep losing you. I took yesterday and today off line to try and get my own things caught up! Didn't make a dent!

Download Windows XP Service Pack 3 - ISO-9660 CD Image File

Insert the CD- this is NOT to boot from.
Run the installation.
You may need minimal updating.

Crossing my fingers- let me know.
 
Bobbye,

Is it OK to move this CD Image File to the infected PC using a USB drive and then run it, or does it need to be burned to CD and run from CD?

Thanks!
 
Bobbye,

I didn't have any CDs, so I went ahead and copied the ISO to the infected drive and ran it. Installation completed and rebooted.

Network connection is still hung up at acquiring network address.

I ran FSS and got the same output as previously related to LEGACY_afd:

Checking LEGACY_afd: Attention! Unable to open LEGACY_afd\0000 registry key. The key does not exist.

I found some info online related to this, but don't really understand how to use this info. Thought it might be helpful:

http://stammalammy.blogspot.com/2009/08/learning-more-about-afd-on-xp-than-i.html
 
I have some basics for you> going all the way back to Reply #48:

Back to Reply #48:
OTL was showing using 99% CPU and there was no harddrive activity. I decided to stop the OTL process and reboot. Then I ran Quick Scan.
I started Telephony and was unable to connect to the network (hung up at Acquiring Network Address)
  1. Is this the actual sequence of what you did?
  2. Why did you start the Telephony Service? What Startup Type was it set to before you started it? Do you have it set to Manual (best) or Automatic?
    About Telephony:
    • Control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
    • This service is required for dial-up modem connectivity and to use the Fax service and will be started by default if the Fax service is installed.
    • Take note: you may require this service for some direct cable or DSL providers. If dial-up, cable or DSL internet access no longer functions properly with this service disabled, place it into Automatic. If you are connecting via a hardware router or gateway, this service is not needed.
    • Default Startup is Manual.
  3. What type of connection do you have? Did the connection break when you started the Telephony Service, or did you start it to try to connect?
  4. Did you check the Dependencies? There are 2 and both should be set to Automatic Startup: RPC- Remote Procedure Call and Plug and Play.
  5. Have you spoken to the ISP about this failure to connect?
  6. Why do you go to Network Connections to connect, as opposed to launching the browser or a URL in the Bookmarks or typing a URL in the Address Bar?

Edit: What is this? [2011/11/21 13:58:04 | 002,856,448 | ---- | M] (Корпорация Майкрософт) -- C:\Documents and Settings\Rich\My Documents\qkmz.exe?
 
Bobbye -

Don't recall details of what I did in post 48 - it was so long ago.

I have a cable modem.

I vaguely recall checking this and found that AFD was the problem.

I have not checked with ISP as I am able to connect to network with other computers connected to cable modem. I have eliminated hardware in infected PC as the culprit as I have reinstalled OS on another boot drive and everything is fine.

I have tried connecting by both using network connection and by starting firefox. Neither is successful.

I think I am ready to throw in the towel on this.
 
Don't recall details of what I did in post 48 - it was so long ago.

Every time I review a thread, I go back to the beginning. Did it occur to you to pull up Reply #48 like I did?

You don't have to throw in the towel, because I am ending my support. I asked questions pertinent to what was done. It took my time to review and then compose the questions. Yes, it was a while ago, but everything typed is still there.
 