Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


no network: MRGGen/Gen-Sirefef

  • Please log in to reply
2 replies to this topic

#1 jimnsb


  • Members
  • 2 posts
  • Local time:02:23 AM

Posted 09 December 2012 - 12:55 PM

After accidentally (I swear!) clicking on a re-direct I picked up a baddie. Initially it knocked-out my soundcard & codecs; after removing the offender(s) those were restored but my network connection was now gone.

Anti- virus/malware removal logs:
Malwarebytes: HERE
Superantispyware: HERE
AVG: HERE (screencap of virus vault contents)
TDSS: found and removed one root-kit (failed to note name/type and it no longer shows in the prog's history; sorry)

Running Farbar showed that the AFD.sys file & registry entries were missing. I restored the AFD.sys file in system32/drivers and replaced the AFD folder/entries in the registry, but still cannot get a connection.

Here's the current FSS report ...I noticed it no longer lists the missing AFD registry entries, but when I check with RegEdit there is not an AFD folder under CurrentControlSet/Services:

Farbar Service Scanner Version: 09-11-2012
Ran by J (administrator) on 09-12-2012 at 09:40:53
Running from "E:\download\progs\antivirus_security\Farbar"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal

Internet Services:

Connection Status:
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
There is no connection to network.
Attempt to access Google IP returned error. Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error. Other errors
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Security Center:

Windows Update:

Windows Autoupdate Disabled Policy:

File Check:
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
Gpc(3) IPSec(5) kl2(9) NetBT(6) PSched(7) Tcpip(4)

**** End of log ****

My next step was to try ComboFix, but after seeing (and heeding!) the numerous warnings I decided getting some expert help would be wise.


BC AdBot (Login to Remove)


#2 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,772 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:23 PM

Posted 10 December 2012 - 08:04 PM

Welcome aboard Posted Image

ZeroAccess rootkit requires elevated help.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


#3 jimnsb

  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:23 AM

Posted 12 December 2012 - 08:24 PM

Thanks B ...after posting I realized it had been 5+ years since I built that system, and a fresh install of the OS was seriously past-due. Made backups of the important stuff, swapped the original 320gb HD with a new WD Black 1tb, then installed XP-Pro using an SP3 slipstream disk I made a couple years ago.

Earlier today I put that original HD in an external enclosure to grab all the odds-and-ends that hadn't already been backed up. Afterwards I installed the drive in an old test-rig system, and at this moment I'm 'writing zeros' to it with a boot-CD version of Partition Wizard (link).


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users