victor1221

Posts posted by victor1221

  1. Shoot!

    I forgot to add the FFS.txt file to my previous post - my mistake.

    Here it is:

    Farbar Service Scanner Version: 10-12-2012

    Ran by Allan (administrator) on 19-12-2012 at 14:13:08

    Running from "C:\Users\Allan\Desktop"

    Windows 7 Ultimate Service Pack 1 (X64)

    Boot Mode: Normal

    ****************************************************************

    Internet Services:

    ============

    Connection Status:

    ==============

    Localhost is accessible.

    LAN connected.

    Google IP is accessible.

    Google.com is accessible.

    Yahoo IP is accessible.

    Yahoo.com is accessible.

    Windows Firewall:

    =============

    Firewall Disabled Policy:

    ==================

    System Restore:

    ============

    System Restore Disabled Policy:

    ========================

    Action Center:

    ============

    Windows Update:

    ============

    Windows Autoupdate Disabled Policy:

    ============================

    Windows Defender:

    ==============

    WinDefend Service is not running. Checking service configuration:

    The start type of WinDefend service is set to Demand. The default start type is Auto.

    The ImagePath of WinDefend service is OK.

    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:

    ==========================

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

    "DisableAntiSpyware"=DWORD:1

    Other Services:

    ==============

    File Check:

    ========

    C:\Windows\System32\nsisvc.dll => MD5 is legit

    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

    C:\Windows\System32\dhcpcore.dll => MD5 is legit

    C:\Windows\System32\drivers\afd.sys

    [2012-06-05 18:11] - [2012-12-19 13:52] - 0022368 ____A (AVG Technologies CZ, s.r.o. ) 42B7E1AA0C7EC54652A50585793F1885

    ATTENTION!=====> C:\Windows\System32\drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.

    C:\Windows\System32\drivers\tdx.sys => MD5 is legit

    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

    C:\Windows\System32\dnsrslvr.dll => MD5 is legit

    C:\Windows\System32\mpssvc.dll => MD5 is legit

    C:\Windows\System32\bfe.dll => MD5 is legit

    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

    C:\Windows\System32\SDRSVC.dll => MD5 is legit

    C:\Windows\System32\vssvc.exe => MD5 is legit

    C:\Windows\System32\wscsvc.dll => MD5 is legit

    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit

    C:\Windows\System32\wuaueng.dll => MD5 is legit

    C:\Windows\System32\qmgr.dll => MD5 is legit

    C:\Windows\System32\es.dll => MD5 is legit

    C:\Windows\System32\cryptsvc.dll => MD5 is legit

    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

    C:\Windows\System32\ipnathlp.dll => MD5 is legit

    C:\Windows\System32\iphlpsvc.dll => MD5 is legit

    C:\Windows\System32\svchost.exe => MD5 is legit

    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****

    FSS.txt

  2. Wow!

    Thank you Kevin!

    My internet is finally up and working again.

    ComboFix is quite a useful tool - I need to visit the MalwareBytes Forums more often. :lol:

    Below is my newest ComboFix log (after doing what you instructed), but I have added an attachment of the log if reading is difficult on the reply post.

    I'm getting a message saying my post is too long with the log directly copied onto my reply, so my only option is an attachment - sorry.

    P.S. I realize that we live on opposite sides of the world, so immediate replies are not very possible due to time zone differences, but I'm thankful to you for taking your time to assist me.

    Regards,

    Victor

    ComboFix.txt

  3. Here is a "copy and paste" of the log.

    SystemLook 30.07.11 by jpshortstuff

    Log created at 02:36 on 19/12/2012 by Allan

    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "afd.sys"

    C:\Windows\System32\drivers\AFD.SYS --a---- 22368 bytes [02:11 06/06/2012] [03:49 19/12/2012] 42B7E1AA0C7EC54652A50585793F1885

    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_33dd3439781e25f7\afd.sys --a---- 500224 bytes [23:21 13/07/2009] [23:21 13/07/2009] B9384E03479D2506BC924C16A3DB87BC

    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16937_none_34154fcd77f3bbda\afd.sys --a---- 499200 bytes [02:11 06/06/2012] [03:59 28/12/2011] DB9D6C6B2CD95A9CA414D045B627422E

    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.21115_none_34b263fe91032456\afd.sys --a---- 499200 bytes [02:11 06/06/2012] [04:01 28/12/2011] CCA39961E76B491DDF44B1E90FC8971D

    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [21:57 20/07/2012] [09:23 20/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C

    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --a---- 498688 bytes [02:11 06/06/2012] [03:59 28/12/2011] 1C7857B62DE5994A75B054A9FD4C3825

    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [02:11 06/06/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB

    -= EOF =-

    I have attached the .txt file if it is too hard to read.

    SystemLook.txt
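    The checks that FSS (post 1) and SystemLook (this post) performed, reproduced with built-in PowerShell cmdlets, as an added example that is not part of the thread or of either tool: it hashes the live afd.sys, lists every copy kept in the WinSxS component store, flags the live file when it matches none of them, and reads the Windows Defender policy value and WinDefend start type that the FSS log reports. The driver name, paths and registry key match the logs above; the helper name Get-Md5Hex and the warning text are assumptions for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the forum thread or from FSS/SystemLook).
# Assumption: the driver and paths named in the logs above; adjust $driver for another file.
$driver = 'afd.sys'
$live   = Join-Path $env:SystemRoot "System32\drivers\$driver"
$winsxs = Join-Path $env:SystemRoot 'winsxs'

# MD5 via .NET so this also runs on the PowerShell 2.0 that ships with Windows 7
# (Get-FileHash only exists on PowerShell 4 and later). MD5 is used only to
# match the values the logs print, not as a security guarantee.
function Get-Md5Hex {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $stream.Dispose() }
}

# 1. The live driver: size, hash and embedded Authenticode signature status.
$liveItem = Get-Item $live
$liveHash = Get-Md5Hex $live
$sig      = Get-AuthenticodeSignature $live
"{0}  {1,8} bytes  {2}  signature={3}" -f $live, $liveItem.Length, $liveHash, $sig.Status

# 2. Every copy of the same driver in the component store (the winsock-core
#    components SystemLook listed), with size and hash for comparison.
$copies = Get-ChildItem -Path $winsxs -Recurse -Filter $driver -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -like '*microsoft-windows-winsock-core*' }
$matching = @()
foreach ($c in $copies) {
    $h = Get-Md5Hex $c.FullName
    "{0}  {1,8} bytes  {2}" -f $c.Directory.Name, $c.Length, $h
    if ($h -eq $liveHash) { $matching += $c }
}

# 3. Flag the live file when no component-store copy has the same hash.
if ($matching.Count -eq 0) {
    Write-Warning "$live matches none of $($copies.Count) WinSxS copies; treat it as suspect"
}

# 4. The Defender state FSS reported: the DisableAntiSpyware policy value and
#    the WinDefend service state and start mode.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' `
                        -Name DisableAntiSpyware -ErrorAction SilentlyContinue
$svc = Get-WmiObject Win32_Service -Filter "Name='WinDefend'"
"DisableAntiSpyware={0}  WinDefend state={1}  start={2}" -f $pol.DisableAntiSpyware, $svc.State, $svc.StartMode
```

    In the logs above the live driver is 22368 bytes while each of the six component-store copies is roughly 500 KB and none of their hashes matches, which is the condition step 3 warns on and that FSS reports as "IS INFECTED AND SHOULD BE REPLACED". One caveat on the signature line: many inbox Windows drivers are signed through a catalog rather than carrying an embedded signature, and Get-AuthenticodeSignature on PowerShell releases before 5.1 does not consult catalogs, so a NotSigned status on its own is not evidence of tampering; the hash comparison against WinSxS and `sfc /verifyfile=C:\Windows\System32\drivers\afd.sys` are the checks to rely on.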

  4. Ah...oh no..

    Sorry, I just couldn't help posting another reply - it has become more serious than I thought.

    So after what I did in my above post...

    After the computer downloaded and installed the updates from Windows Updates, my internet connection stopped working. I'm getting the message,

    "Windows could not automatically detect this network's proxy settings"

    Looking at the "Network and Sharing Center" it is stuck on "Identifying" for my Network.

    [PC]----[THIS icon "Identifying"]------X--------[internet]

    I've checked some of the services under services.msc and some of them are off / stopped, such as:

    DHCP Client, DNS Client, Server, TCP/IP NetBIOS Helper, and Workstation.

    I can only assume that one of the Windows Update files was a malicious item, and it just damaged my computer even further. Why? It was working prior to the installs. I have attempted a System Restore and it had a pop-up saying it had failed.

    At this stage, I'm thinking of doing a fresh OS install on this system as a last resort.

    Here are the latest dds, attach, FSS and ComboFix files...

    attach.txt

    dds.txt

    FSS.txt

    ComboFix.txt

  5. Hi Kevin,

    Thank you for looking into this for me - I greatly appreciate it.

    As requested, I have attached the two .txt files created by FSS and ComboFix.

    After running the two programs, it seems my Windows is semi-fixed. Windows Firewall seems to be restored to working order. Windows Update is detecting, downloading, AND installing updates.

    I'm still getting the pop-up message at start-up, as in the image I had posted in my initial post.

    Windows Defender isn't exactly working yet. When I click on it, I get a message saying,

    "The program is turned off

    If you are using another program that checks for harmful or unwanted software, use the Action Center to check that program's status.

    If you would like to use this program, click here to turn it on."

    When I click it, I get this message:

    " Access is denied. (Error Code: 0x80070005)"

    FSS.txt

    ComboFix.txt

  6. I had posted a report about this back in late October, but I had accidentally posted in the wrong section, and then I never had the time to repost...until now.

    Anyways,

    this system that I am trying to diagnose had this problem appear back in October. I had noticed this when the computer had become extremely slow, so I checked Task Manager to see what the possible cause was. I spotted a process / service named "Bitcoin [something]" that was using 60-70%+ of the CPU. I did a bit of searching and discovered that it was a virus / malware.

    I immediately performed anti-virus & Malwarebytes scans, and sure enough, threat detected. The threat was removed, but bits of files remained (i.e. run.dll).

    The aftermath that I noticed is that 'Windows Defender,' 'Windows Update,' and 'Windows Firewall' all stopped working. Below are some images to illustrate what is happening:

    http://imageshack.us/a/img59/2706/img0027wsz.jpg

    http://imageshack.us/a/img197/7623/img0028m.jpg

    http://imageshack.us/a/img441/9553/img0029cf.jpg

    Additionally, upon start-up a pop-up message will appear saying this:

    http://imageshack.us/a/img694/889/img0026ba.jpg

    I've searched for any possible solutions here on the Malwarebytes Forums, and some say some Windows files had been damaged by the virus. So I've gone into my virus-free system and made a copy of the registry file, and replaced it on this problematic system. As a result, "Windows Update" is able to download the updates BUT not install them.

    I have attached the two requested txt files below.

    dds.txt

    attach.txt
