afd.sys can't remove from quarantine

Hello! I got a problem here, I got a lot of windows\system32\drivers in my quarantine. If I right click on them I can't click on the “restore”; it's just grey there. I really need to restore afd.sys even if it's infected because I lost my internet connection when that file went into the quarantine. It's listed as a Win:32:sirefef-JQ [Trj] virus. What can I do to solve this problem? I just need my internet back and I can deal with the virus later. I'm on a friend's computer now. Please help.

Is that wireless connection only… or wired also?

I don't have wireless on my computer. The problem is that I can't restore files from the quarantine.

OK… Essexboy is notified and will help you when he arrives.

If able to, follow this guide and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

OK, thanks. No, I can't since I got no internet connection. I'm not 100% sure but I'm pretty sure it's the afd.sys file from system32 drives that is messing it up. I really need to restore that file :confused:

You can download the tools on a clean computer… put them on a USB stick and move them over.

I've been running those things and sent logs to a tech support. I'm dealing with the system check virus atm, but the only problem I wish to be solved here is how to restore the files from the quarantine in my avast program.

It is possible that you may have to replace that file…
Anyway, wait for Essexboy's advice… he is the malware removal expert here. Should be here in an hour or so.

okidoki 8)

OK two programmes to run - the first to locate a spare copy of afd.sys and the second to look at the registry entries for the net

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
afd.*
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U\*.* /s
C:\Program Files\Common Files\ComObjects\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs

THEN

Run Farbar Service Scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/fss.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Have to split the OTL logs into 5 to not get stopped by the 10000 limit. Is it OK if I attach them like this?

If too big… upload to www.mediafire.com and post the download link here.

OK, here is the Farbar at least:

Farbar Service Scanner Version: 08-02-2012
Ran by Simon (administrator) on 09-02-2012 at 22:54:32
Running from “C:\Users\Simon\Desktop”
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal


Internet Services:

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.

Connection Status:

Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Security Center:

wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.

Windows Update:

wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:

C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
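A log like the one above can be triaged mechanically before deciding what to repair. The following is an added example, not part of the original thread and not Farbar's own code: it buckets FSS findings and flags drivers that lost both their file and their service registry key. The sample lines are constructed from the log format shown above, and the function and bucket names are assumptions.

```python
import re

# Constructed sample: shortened lines in the format of the FSS.txt log above.
SAMPLE_LOG = r"""
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
File Check:
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
"""

PATTERNS = {  # bucket names are hypothetical, chosen for this example
    "stopped": re.compile(r"^(\S+) Service is not running"),
    "key_missing": re.compile(r"Unable to open (\S+) registry key"),
    "value_missing": re.compile(r"Unable to retrieve [\w ]+ of (\w+)\."),
    "start_changed": re.compile(r"start type of (\S+) service is set to"),
    "file_missing": re.compile(r"^Attention! (.+) is missing\.$"),
}

def triage(log_text):
    """Bucket FSS findings, then flag drivers that lost both file and service key."""
    found = {name: [] for name in PATTERNS}
    for line in map(str.strip, log_text.splitlines()):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and match.group(1) not in found[name]:
                found[name].append(match.group(1))
    keys_gone = {svc.lower() for svc in found["key_missing"]}
    # The driver file name without extension is compared with the service name (afd.sys -> afd).
    found["file_and_key_missing"] = [
        path for path in found["file_missing"]
        if path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() in keys_gone
    ]
    # Stopped services whose own configuration checked out; recheck them after repairs.
    flagged = keys_gone | {s.lower() for s in found["value_missing"] + found["start_changed"]}
    found["stopped_config_ok"] = [s for s in found["stopped"] if s.lower() not in flagged]
    return found

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {items}")
```

Entries in `file_and_key_missing` are the ones where putting the driver file back is only half of the repair, since the service key the scanner looked for is also absent.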

OK, file replacement first

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
ipconfig /flushdns /c
C:\Windows\System32\drivers\afd.sys|C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys /replace


:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

http://www.mediafire.com/?u6u51hpuh18f8lc
http://www.mediafire.com/?9d6z2ses2i9efja

OK, here is the OTL quickscan, after I did the run fix: http://www.mediafire.com/?28qrwr9riaeuo8d

Do you have net access?

Run Farbar Service Scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/fss.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.