Hello! I have a problem here. I have a lot of windows\system32\drivers files in my quarantine, and if I right-click on them I can't click on "restore"; it's just grey. I really need to restore afd.sys even if it's infected, because I lost my internet connection when that file went into the quarantine. It's listed as a Win32:Sirefef-JQ [Trj] virus. What can I do to solve this problem? I just need my internet back and I can deal with the virus later; I'm on a friend's computer now. Please help.
Is that a wireless connection only, or wired also?
I don't have wireless on my computer. The problem is that I can't restore files from the quarantine.
OK... Essexboy is notified and will help you when he arrives.
If able to, follow this guide and attach the logs:
http://forum.avast.com/index.php?topic=53253.0
OK, thanks. No, I can't, since I have no internet connection. I'm not 100% sure, but I'm pretty sure it's the afd.sys file from system32\drivers that is messing it up; I really need to restore that file.
You can download the tools on a clean computer, put them on a USB stick and move them over.
I've been running those things and sent logs to a tech support; I'm dealing with the System Check virus atm, but the only problem I wish to be solved here is how to restore the files from the quarantine in my avast program.
It is possible that you may have to replace that file...
Anyway, wait for Essexboy's advice; he is the malware removal expert here. Should be here in an hour or so.
okidoki 8)
OK, two programmes to run: the first to locate a spare copy of afd.sys and the second to look at the registry entries for the net.
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
afd.*
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
C:\Program Files\Common Files\ComObjects*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs
THEN
http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/fss.jpg
Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
I have to split the OTL logs into 5 to not get stopped by the 10000 limit. Is it OK if I attach them like this?
If too big, upload to www.mediafire.com and post the download link here.
OK, here is the Farbar at least:
Farbar Service Scanner Version: 08-02-2012
Ran by Simon (administrator) on 09-02-2012 at 22:54:32
Running from “C:\Users\Simon\Desktop”
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
Internet Services:
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.
afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
Connection Status:
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Firewall Disabled Policy:
System Restore:
System Restore Disabled Policy:
Security Center:
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Windows Update:
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
File Check:
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
OK file replacement first
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
ipconfig /flushdns /c
C:\Windows\System32\drivers\afd.sys|C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys /replace
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
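As an added example (not part of this thread, and not a feature of OTL or FSS), the following PowerShell check does by script what the two scans above and the /replace fix do by hand: it lists the live afd.sys and tdx.sys with their MD5s, finds any spare copies under winsxs that could be used as a replacement source, and confirms whether the afd and tdx service keys exist. Paths are the Windows defaults; the driver list is an assumption.

```powershell
# Added example, not from the thread: inventory a networking driver's live copy,
# its spare copies in WinSxS, and its service registry key.
param(
    [string[]]$Drivers = @('afd.sys', 'tdx.sys'),           # assumed list
    [string]$WinSxS    = "$env:SystemRoot\winsxs",
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

function Get-Md5Hex {
    param([string]$Path)
    # .NET MD5 so this also runs on PowerShell 2.0 (Windows 7), which lacks Get-FileHash.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

foreach ($name in $Drivers) {
    $base = [System.IO.Path]::GetFileNameWithoutExtension($name)
    $live = Join-Path $DriverDir $name
    Write-Host "== $name =="

    # 1. Active driver file: FSS reports its absence as "is missing".
    if (Test-Path $live) {
        Write-Host ("live   {0}  {1}" -f (Get-Md5Hex $live), $live)
    } else {
        Write-Host "live   MISSING  $live"
    }

    # 2. Spare copies shipped with the OS sit under winsxs\<component>\<name>;
    #    this is where the /replace line in the fix takes its source from.
    Get-ChildItem -Path $WinSxS -Filter $name -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host ("spare  {0}  {1}" -f (Get-Md5Hex $_.FullName), $_.FullName)
        }

    # 3. The driver only loads if its service key exists (FSS: "service key does not exist").
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$base"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        Write-Host ("svc    Start={0} ImagePath={1}" -f $p.Start, $p.ImagePath)
    } else {
        Write-Host "svc    service key does not exist: $key"
    }
}
```

Identical MD5s across the spare copies are expected for the same OS build; a live copy whose hash differs from every spare, or a missing service key alongside a present file, is what this check is meant to surface.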
OK, here is the OTL quick scan, after I did the Run Fix: http://www.mediafire.com/?28qrwr9riaeuo8d
Do you have net access?
http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/fss.jpg
Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.