rootkit: srosa.sys, hldrrr.exe & bluescreen!



MarkFE
2008-01-10, 21:05
Dear All,

I am having the same annoying rootkit as some others and have already looked through the other two topics posted here. But my problem is a little bit more complicated :sad: I am running Windows 2003 Server at home for some testing for work and started to have some problems with afd.sys crashing.
After renaming this file to .old, the following file came up: srosa.sys, ALSO crashing my server with a blue screen....

I can't boot into safe mode either: blue screen.
SafeBootKeyRepair.exe won't work either.

I booted with a BartPE CD and deleted srosa.sys & hldrrr.exe and the folder C:\windows\system32\drivers\download. After another reboot the files were there again :sick:
I checked for SpyBot and the SpybotSD.exe was gone from C:\program files\Spybot - Search & Destroy

The problem is probably that I can't get into the registry with BartPE either to check for more files....

I am now running a check with avz4 (after updating it first on a running computer).
Any ideas how to solve this problem???

regards,
Mark
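The post above describes the core difficulty: files deleted from BartPE come back because the registry that references them cannot be inspected offline. The script below is an added example (not from the original thread or from any of the tools named in it) of doing that inspection from a rescue environment. It assumes a WinPE that carries PowerShell, the infected volume mounted as D:, and the offline hive attached under the hypothetical key name HKLM\OfflineSYS; the suspect names srosa / hldrrr and the folder drivers\download come from the thread. Apart from loading and unloading the hive it is read-only.

```powershell
# Added example, not from the original thread: inspect the offline SYSTEM hive
# of a non-booting installation from a rescue environment. Deleting srosa.sys
# and hldrrr.exe from BartPE leaves their service/driver registry entries in
# place, and those are what reload them at the next boot.
# Assumptions (not from the thread): a WinPE with PowerShell, the infected
# volume mounted as D:, and the hive attached under the hypothetical key
# name HKLM\OfflineSYS. Read-only apart from loading/unloading the hive.

param(
    [string]   $OfflineWindows = 'D:\Windows',
    [string[]] $Suspects       = @('srosa', 'hldrrr'),   # names from the thread
    [string]   $SuspectFolder  = 'drivers\download'      # folder from the thread
)

$hiveFile = Join-Path $OfflineWindows 'System32\config\SYSTEM'
$mount    = 'HKLM\OfflineSYS'
if (-not (Test-Path $hiveFile)) { throw "SYSTEM hive not found at $hiveFile" }

# reg.exe attaches an offline hive to the live registry; it needs admin rights.
& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $root = 'HKLM:\OfflineSYS'
    # Select\Current says which ControlSet00N that installation boots with.
    $current = (Get-ItemProperty "$root\Select").Current
    $cs = "$root\ControlSet{0:D3}" -f $current
    Write-Host ("Offline system boots ControlSet{0:D3}" -f $current)

    # 1. Driver/service entries whose key name or ImagePath matches a suspect
    #    name or the suspicious folder. Start=0/1/2 means it loads at boot.
    Get-ChildItem "$cs\Services" | ForEach-Object {
        $name  = $_.PSChildName
        $props = Get-ItemProperty $_.PSPath
        $image = [string]$props.ImagePath
        $byName = @($Suspects | Where-Object { $name -like "*$_*" -or $image -like "*$_*" })
        if ($byName.Count -gt 0 -or $image -like "*$SuspectFolder*") {
            [pscustomobject]@{ Service = $name; Start = $props.Start; ImagePath = $image }
        }
    } | Format-Table -AutoSize

    # 2. The legitimate Winsock driver must still be registered and on disk;
    #    without afd.sys no socket can be opened once Windows boots.
    if (-not (Test-Path "$cs\Services\AFD")) { Write-Warning 'Services\AFD key missing' }
    $afdFile = Join-Path $OfflineWindows 'System32\drivers\afd.sys'
    if (-not (Test-Path $afdFile)) { Write-Warning "$afdFile missing (renamed?)" }

    # 3. Safe Mode reads Control\SafeBoot\Minimal and \Network; if either list
    #    is gone, Safe Mode cannot start until those keys are restored.
    foreach ($m in 'Minimal', 'Network') {
        if (-not (Test-Path "$cs\Control\SafeBoot\$m")) { Write-Warning "SafeBoot\$m key missing" }
    }
}
finally {
    [gc]::Collect()                      # drop handles so the hive can unload
    & reg.exe unload $mount | Out-Null
}
```

Run it from an elevated prompt in the rescue environment and adjust the drive letter to wherever the infected Windows folder is mounted. Any service entry it lists (or an ImagePath under drivers\download) is what should be removed or disabled together with the files, otherwise the loader simply recreates them at the next boot.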

MarkFE
2008-01-10, 22:04
Removed srosa.sys & hldrrr.exe again from within BartPE.
And let the updated avz4 scan: it found nothing special!

I also downloaded mwav.exe on another PC and updated it, burned it onto a CD and tried to start it from BartPE: mwavscam.com can't be started there :mad:

Reboot and after logging in there was my srosa.sys bluescreen again ....

MarkFE
2008-01-11, 08:57
Ok, after removing some profiles and adding a new user I could log in again and proceed without a blue screen :D:
Then I removed the virus manually and ran the following:
-mwav.exe, which detected nothing related to the two above.
-ComboFix (including a reboot), which detected some wrong keys.
So it seems the virus is gone :bigthumb:
BUUUUT my network connection is not working: I can give it an IP address but no traffic to/from the router is possible.... any ideas???

MarkFE
2008-01-11, 09:41
SpybotSD found some cookies and bre32.dll related to Smitfraud-C -> all removed! System seems OK now.
But some services are still not starting and I don't have any network access :sad:

MarkFE
2008-01-11, 12:38
Ok, after fiddling with netsh int ip reset & netsh winsock reset my IP stuff is working again....
But loads of services won't start:
DHCP Client
DHCP Server
NETLOGON

All come with around the same error:
a socket operation encountered a dead network

grmpf.... any ideas??
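"A socket operation encountered a dead network" is Winsock error 10050 (WSAENETDOWN): user-mode Winsock is reachable, but the kernel stack underneath it is not answering. The script below is an added example (not from the original thread) of triaging that symptom on the repaired machine from an elevated PowerShell prompt. It is read-only: it checks that afd.sys (the legitimate Windows Ancillary Function Driver for WinSock, which the thread earlier renamed to .old) is on disk, that the AFD / Tcpip / NetBT drivers are running and registered with sane ImagePath values, lists the Winsock catalog providers that a `netsh winsock reset` would clear, and reports the services named in the thread together with the services they depend on. The service and driver names are the real Windows ones; the output layout is this example's own.

```powershell
# Added example, not from the original thread: triage for the
# "a socket operation encountered a dead network" (WSAENETDOWN, 10050) symptom
# after a clean-up. Read-only: it checks the kernel drivers Winsock depends on,
# their registry ImagePath values, the user-mode Winsock catalog, and the
# services named in the thread. Run from an elevated PowerShell prompt.

function Test-WinsockStack {
    $sysroot = $env:SystemRoot
    $report  = New-Object System.Collections.Generic.List[object]

    function Add-Row([string]$Check, [bool]$OK, [string]$Detail) {
        $report.Add([pscustomobject]@{ Check = $Check; OK = $OK; Detail = $Detail })
    }

    # 1. afd.sys (Ancillary Function Driver for WinSock) must exist: every
    #    socket() call goes through it, so a renamed afd.old means no sockets at all.
    $afdPath = Join-Path $sysroot 'System32\drivers\afd.sys'
    Add-Row 'afd.sys on disk' (Test-Path $afdPath) $afdPath

    # 2. Kernel drivers under Winsock/TCP must be RUNNING. sc.exe sees drivers;
    #    Get-Service only lists Win32 services.
    foreach ($drv in 'AFD', 'Tcpip', 'NetBT') {
        $out   = (& sc.exe query $drv 2>&1) -join "`n"
        $state = ((($out -split "`n") -match 'STATE|FAILED') | ForEach-Object { $_.Trim() }) -join '; '
        Add-Row "driver $drv running" ($out -match 'STATE\s*:\s*4\s+RUNNING') $state
    }

    # 3. The ImagePath of those drivers should point into system32\drivers,
    #    not a stray folder such as drivers\download.
    foreach ($drv in 'AFD', 'Tcpip', 'NetBT') {
        $p   = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" -ErrorAction SilentlyContinue
        $img = if ($p) { [string]$p.ImagePath } else { '<key missing>' }
        Add-Row "ImagePath of $drv" ($img -match 'system32\\drivers\\[a-z0-9]+\.sys$') $img
    }

    # 4. Winsock catalog: provider DLLs outside %SystemRoot%\system32 are
    #    third-party LSPs (this is what "netsh winsock reset" clears out).
    $catalog = (& netsh.exe winsock show catalog 2>&1) -join "`n"
    $paths   = @([regex]::Matches($catalog, 'Provider Path:\s*(\S+)') |
                 ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
    $foreign = @($paths | Where-Object {
        $_ -notmatch '^%SystemRoot%\\system32\\' -and
        $_ -notmatch ('^' + [regex]::Escape($sysroot) + '\\system32\\') })
    Add-Row 'no third-party Winsock providers' ($foreign.Count -eq 0) `
        (($foreign -join '; ') + " [$($paths.Count) providers total]")

    # 5. The failing services from the thread and what they depend on.
    #    Dhcp = DHCP Client, DHCPServer = DHCP Server, Netlogon = Net Logon.
    foreach ($svc in 'Dhcp', 'DHCPServer', 'Netlogon') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) {
            $deps = ($s.ServicesDependedOn | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
            Add-Row "service $svc" ($s.Status -eq 'Running') "status $($s.Status); depends on: $deps"
        } else {
            Add-Row "service $svc" $false 'not installed'
        }
    }
    return $report
}

Test-WinsockStack | Format-Table -AutoSize -Wrap
```

Read the table top down: if the first row fails, nothing below it can work, because no driver that replaces afd.sys exists and no amount of `netsh winsock reset` will put the file back; if the drivers are running but a provider path outside system32 shows up, the Winsock catalog is the thing to reset; and a service whose dependencies are all Running but which still fails to start needs its own event-log entry looked at rather than the network stack.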