Deleted afd.sys and 2 reg keys

I deleted afd.sys and two reg keys using superantispyware.

HKLM\System\CurrentControlSet\Services\AFD
C:\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_AFD

Lost all network connectivity.
Found afd.sys in dllcache folder and copied to system32/drivers but need to recreate keys. Have Farbar service scanner log file if that helps.
Also getting windows firewall errors...service won't start.

 

Greetings, jrd47, and welcome to MajorGeeks...

What's your operating system version and Service Pack #?

 

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)

 

Hi my friend , you can go to
Start
Run mmc devmgmt.msc
Ok

Is there any ? in there ?
What is your antivirus ?
You must upload minidumps file from this location

C:\Windows\Minidump\Minidump.dmp.

attaching them

http://forums.majorgeeks.com/showthread.php?t=86880

even you should give the information of your machine

http://majorgeeks.com/download4181.html

from the left side you must opt for
menu
Summary ( wait 30 seconds until report is generated )
you have to select
Report from bar menu
from sub menu Quick Report
Plain Text
opting for Desktop as saving location , follow this

http://forums.majorgeeks.com/showthread.php?t=86880

attaching your report , i found this topic :wave

http://forums.majorgeeks.com/showthread.php?t=250004

 

Sorry but Everest hangs on directx and will not finish report.
Maybe info from System Information would do?
Device manager is clean - no question marks.
AV is Microsoft Security Essentials
Superantispyware is used as well
BTW my ethernet and my wireless connections both connect to the router but fail to get IP address

 

I was going to attempt to copy those registry keys and send them to you, but I do not have a Windows XP machine available - someone else with XP may be able to do this.

Don't know if that would work or not, but I think it may be worth a try.

And, don't convert the minidump file in any way - just grab a couple of the most recent files, zip and attach them in their raw format.

 

Paste the content of the following code box into notepad, then save to somewhere convenient as All Files (*.*) - AFDfix.reg

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"DisplayName"="AFD"
"Description"="AFD Networking Support Environment"
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]

Set a system restore point first, then double click and allow the merge.
Upon rebooting, the HKLM\System\CurrentControlSet\Enum\Root\LEGACY_AFD key will be automatically created.

 

Wow! AFDfix.reg worked! I'm back online! Both deleted keys were created.
Many thanks for your help in solving this.

Now to figure out if what Superantispyware detected is still there.
Trojan.Agent/Gen-Sirefef was detected by it but MSE said system32 files and folders were clean.

Again, Thank You!

 

An interesting glitch occurred after the successful fix.
I updated MSE and scanned the system32 directory and got a clean scan.
Updated Superantispyware free edition and quick scanned to see if it would again find the malware. (Trojan.Agent/Gen-Sirefef) The scan stopped progressing after a few seconds. Ctl-alt-del could not stop the applicaton saying the system had it locked. It did not report it as "not responding". I did a restart from the start button that proceeded normally. Upon reboot the network was again unavailable. I found the afd.sys file missing again and the HKLM\System\CurrentControlSet\Services\AFD key gone. The other key remained. A found new hardware message came up which the system could not driver. A yellow ? unknown device - Device manager days it's Device Instance ID is ROOT\LEGACY_SASKUTIL\0000
There is a key in HKLM\CurrentControlSet\ENUM\ROOT of that same name.
A couple of the parameters have values. I'll delete it after a few days.

I uninstalled Superantispyware and re-fixed the problem.
Wierd, eh? I hope this does not recur.
Once again thanks for the support.