
No Internet connection after virus\malware removal


Some newer types of infection will cause your computer to lose its internet connection and will disable Windows Firewall, Security Center or Windows Update.
When you're sure your computer is really clean again, you can try to restore those missing features.
Do NOT waste your time trying these fixes if your computer is still infected, as the infection will keep undoing them.

In this article: http://www.smartestc...ervice-missing/ I described how to get your Windows firewall working again.

Here we'll focus on bringing your internet connection back.

Start by running the following tool.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
The FSS output will look similar to this one:

Farbar Service Scanner
Ran by Scarlette (administrator) on 24-12-2011 at 04:02:10
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
Checking LEGACY_afd: Attention! Unable to open LEGACY_afd registry key. The key does not exist.

Connection Status:
=================
Localhost is blocked.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


[irrelevant part of FSS log omitted]


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => [2009-09-24 06:36] - [2009-04-11 01:28] - 0407552 ____A () 5DE62C6E9108F14F6794060A9BDECAEC
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll
[2009-09-24 06:36] - [2009-04-11 01:28] - 0407552 ____A (Microsoft Corporation) 5DE62C6E9108F14F6794060A9BDECAEC

C:\Windows\system32\bfe.dll
[2009-09-24 06:35] - [2009-04-11 01:28] - 0334848 ____A (Microsoft Corporation) C789AF0F724FDA5852FB9A7D3A432381

C:\Windows\system32\Drivers\mpsdrv.sys
[2008-01-20 21:24] - [2008-01-20 21:24] - 0064000 ____A (Microsoft Corporation) 22241FEBA9B2DEFA669C8CB0A8DD7D2E

C:\Windows\system32\SDRSVC.dll
[2008-01-20 21:23] - [2008-01-20 21:23] - 0104960 ____A (Microsoft Corporation) 716313D9F6B0529D03F726D5AAF6F191

C:\Windows\system32\vssvc.exe
[2009-09-24 06:35] - [2009-04-11 01:28] - 1055232 ____A (Microsoft Corporation) DB3D19F850C6EB32BDCB9BC0836ACDDB

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


What you're looking for are missing, corrupted or infected files and registry keys.
You may see just one issue or several.

First look at the very last section - File Check:
Each file must show either "MD5 is legit" or "(Microsoft Corporation)", which means the file has a valid MS signature.
In my example you'll see two lines which you have to take care of:
C:\Windows\system32\Drivers\afd.sys => [2009-09-24 06:36] - [2009-04-11 01:28] - 0407552 ____A () 5DE62C6E9108F14F6794060A9BDECAEC <===== no valid MS signature
Attention! C:\Windows\system32\Drivers\tdx.sys is missing. <===== tdx.sys file is simply missing

Now we have to find a replacement for both files.

To do so, re-run the FSS tool.
Type the following in the edit box after "Search:".
afd.sys
tdx.sys

Click the Search Files button.

You can use any of the found files as a replacement.
In the case of tdx.sys, simply copy any found replacement and paste it into the C:\Windows\system32\Drivers folder.
In the case of afd.sys you're replacing an existing file, so you'll have to restart the computer in Safe Mode.
While there, rename the existing afd.sys file to afd.old and then paste the replacement file into the C:\Windows\system32\Drivers folder.

Restart the computer.
Run FSS again and see if the File Check: section looks fine.

====================================================================================================

If so, we'll proceed to the Internet Services: section.

In my example you'll see two services not running:
- Dnscache Service is not running
- afd Service is not running.

The following steps involve registry editing. Please create a new restore point before proceeding!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek...system-restore/



Always start your fixes with the LAST service that is not running (afd in this case).
Fixing the lower service will in most cases fix the upper service (if the upper service, as in my example, doesn't list anything as "missing").

afd Service is not running because we can see two registry keys missing:
- afd (all regular keys are located in HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services)
- LEGACY_afd (all "legacy" keys are located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root)
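
The File Check and Internet Services triage described above can be scripted. The following Python code is an added example, not part of the original article or of the FSS tool: it applies the article's rules to an FSS.txt-style log and returns the files to replace, the stopped services in the order to fix them, and the missing registry keys. The sample log is constructed from the excerpt above, and the names `triage`, `file_problem` and `SAMPLE_LOG` are assumptions made for illustration.

```python
import re

# Constructed sample in the FSS.txt layout shown above (trimmed).
SAMPLE_LOG = r"""Internet Services:
Dnscache Service is not running. Checking service configuration:
afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.
Checking LEGACY_afd: Attention! Unable to open LEGACY_afd registry key. The key does not exist.
File Check:
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => [2009-09-24 06:36] - [2009-04-11 01:28] - 0407552 ____A () 5DE62C6E9108F14F6794060A9BDECAEC
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\bfe.dll
[2009-09-24 06:35] - [2009-04-11 01:28] - 0334848 ____A (Microsoft Corporation) C789AF0F724FDA5852FB9A7D3A432381
"""

MISSING_FILE = re.compile(r"^Attention! (.+) is missing\.$")
STOPPED = re.compile(r"^(\S+) Service is not running")
MISSING_KEY = re.compile(r"Unable to open (\S+) registry key")
SIGNER = re.compile(r"\((.*?)\) [0-9A-Fa-f]{32}$")

def file_problem(detail):
    """Article's rule: 'MD5 is legit' or '(Microsoft Corporation)' passes."""
    m = SIGNER.search(detail)
    ok = detail == "MD5 is legit" or (m and m.group(1) == "Microsoft Corporation")
    return None if ok else "no valid MS signature"

def triage(log):
    """Return (files to replace, stopped services in fix order, missing registry keys)."""
    files, stopped, keys, pending = {}, [], {}, None
    for line in map(str.strip, log.splitlines()):
        if m := MISSING_FILE.match(line):
            files[m.group(1)] = "missing"
        elif m := STOPPED.match(line):
            stopped.append(m.group(1))
        elif m := MISSING_KEY.search(line):
            keys[m.group(1)] = True         # dict keeps order and drops repeats
        elif re.match(r"[A-Za-z]:\\", line):
            path, sep, detail = line.partition(" => ")
            if not sep:                     # two-line entry: details are on the next line
                pending = path
            elif problem := file_problem(detail):
                files[path] = problem
        elif pending and line.startswith("["):
            if problem := file_problem(line):
                files[pending] = problem
            pending = None
    return files, stopped[::-1], list(keys)  # last stopped service is fixed first
```

Calling `triage(open("FSS.txt").read())` on a real log gives the same three results; anything the patterns do not recognise is ignored rather than reported as clean, so still read the log itself.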

To fix the afd key:
Download Vista.zip file from here: http://www.smartestc...y-network-keys/
NOTE: Depending on your Windows version you may need to download XP.zip or Seven.zip instead.
Unzip the file.
You'll find several files inside.
Right-click the afd.reg file and click "Merge".
Allow the registry merge.

To fix any "legacy" key you'll need some extra steps (different for different Windows versions).

Windows XP
Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Windows Vista and Windows 7
Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Click Advanced.
Under the Owner tab, select the entry starting with your user name, for example: Farbar(Farbar-PC\Farbar)
Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
Under the Security tab, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Now, in the package you just downloaded from my site you'll find the LEGACY_AFD.reg file.
Double-click it and confirm the prompt.

All Windows versions.
Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the registry editor.

Restart the computer, check the internet connection and run FSS again.
See if everything looks right.

=============================================================================================

Finally, you may have some issue in the Connection Status: section.
In most cases all lines will read "accessible", but sometimes you may see:
Localhost is blocked.
Usually this means TCP/IP stack corruption.

To fix it you want to uninstall/reinstall the TCP/IP stack.

Windows XP.
1. Download winsock.zip
Unzip it.
Right-click Winsock.reg and click "Merge".
Allow the registry merge.

2. Restart the computer.

3. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
  • On the General tab, click Install; a popup window opens.
  • Select Protocol from the list and then click Add.
  • A new window opens, click Have Disk....
  • In the browse... box type c:\windows\inf
  • Click OK.
  • Select Internet Protocol (TCP/IP), and then click OK.
  • Restart and check the connection.

Windows Vista and Windows 7.
Go to Start > Run (Start Search in Vista and 7) and type in:
cmd
Click OK (in Vista, while holding CTRL and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Restart the computer.

==================================================================================================================
Note 1. If your case is slightly different or you need some extra help, feel free to sign up at our forum and we'll try to help you out.

Note 2. The above manual wouldn't have happened without a great tool and some advice provided by farbar from http://www.bleepingc...ter.com/forums/
