No internet after ZeroAccess infection


5 replies to this topic

#1 netRAT

Posted 27 November 2011 - 09:42 PM

As far as I can see the infection has now been removed but still I'm unable to establish network connectivity.
Farbar scanner reports the afd service isn't running.

Farbar Log:

Farbar Service Scanner
Ran by Kaye Family (administrator) on 28-11-2011 at 13:29:21
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value might not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value might not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****


Please help!

Cheers,

NR.


#2 Broni

Posted 27 November 2011 - 10:58 PM

Welcome aboard

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 netRAT


Posted 28 November 2011 - 01:36 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 17:35 on 28/11/2011 by Kaye Family
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd]
(No values found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Parameters]
(No values found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Enum]
"0"="Root\LEGACY_AFD\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
"INITSTARTFAILED"= 0x0000000001 (1)


-= EOF =-


Thanks!
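
A way to read the SystemLook output above mechanically, added here as an example and not written by anyone in the thread: it flags any service root key that has lost the Start and ImagePath values the Farbar log could not retrieve, and notes whether the Enum subkey records a failed start. The function names are hypothetical; the embedded log is copied from the post above with blank lines dropped.

```python
import re

# Values the Farbar log in the first post could not retrieve for afd.
REQUIRED = ("Start", "ImagePath")
SERVICES = r"hkey_local_machine\system\currentcontrolset\services" + "\\"

def parse_systemlook(text):
    """Return {registry key: {value name: raw data}} from a SystemLook :reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]*)"\s*=\s*(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def triage(text):
    """Report service root keys missing a required value, and whether start failed."""
    keys = parse_systemlook(text)
    findings = []
    for key, values in keys.items():
        name = key[len(SERVICES):]
        if not key.startswith(SERVICES) or "\\" in name:
            continue  # skip Parameters/Enum subkeys and non-service keys
        missing = [v for v in REQUIRED if v.lower() not in values]
        if missing:
            enum = keys.get(key + "\\enum", {})
            findings.append({"service": name, "missing": missing,
                             "init_start_failed": "initstartfailed" in enum})
    return findings

# Copied from the SystemLook log posted above.
POSTED_LOG = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd]
(No values found)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Parameters]
(No values found)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Enum]
"0"="Root\LEGACY_AFD\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
"INITSTARTFAILED"= 0x0000000001 (1)
'''
if __name__ == "__main__":
    for finding in triage(POSTED_LOG):
        print(finding)
```

Running the same check on a fresh SystemLook log after a repair should return an empty list for the key.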

#4 Broni


Posted 28 November 2011 - 06:34 PM

We need to replace that registry key.

Make sure you create a restore point first.

Then ...

Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find three files inside.
Right click on afd.reg file, click "Merge".
Allow registry merge.
Restart computer and see if internet works.



#5 netRAT


Posted 28 November 2011 - 06:41 PM

Yep!

Seems to be fully operational again!!

Thanks a lot for your kind support Broni :)

NR.

#6 Broni


Posted 28 November 2011 - 10:06 PM

Excellent!
