Posted 16 July 2008 - 11:10 PM
My PC (Dell Optiplex GX270 running Windows XP SP2) seems to be severely infected with a rootkit.
Initial symptoms were playing random bits of audio, spawning Internet Explorer sessions that went to a website that says it pays clients per visit,
and creating random hidden files in the Internet Explorer temporary files folder.
Next, I found new processes running: afinding.exe, wserving.exe, perfs.exe, and routing.exe.
Plus I found new files in my c:\windows\system32 folder: xfst.sys, xwxfst.sys, sxwand.sys.
Despite killing these, they would relaunch after some delay (usually <1 minute), without any apparent trigger.
I ensured my Norton Antivirus defs were up to date, but there's no mention of this "threat" at the Norton/Symantec website, and multiple scans found nothing.
Next, Norton realtime antivirus started occasionally popping up to say it found "Trojan.downloader" and that it failed to quarantine it.
I disconnected from my modem connection, and ran SuperAntiSpyware, AdAware, and SpyBot, but this failed to solve the problem.
Several reboots later, my PC now won't boot to XP at all. It starts, then hangs at the BIOS startup screen. I cannot load HijackThis, ComboFix, or anything else because I can't get to Windows in the first place.
My initial Google search 12 days ago yielded only 4 hits; 2 were from Prevx and said nothing about a removal tool, and 2 were from another site that looked untrustworthy.
A search for "afinding.exe" today yields 1,470 hits, so this seems to be new and spreading quickly.
Other posts have suggested that this is a rootkit, which may insert itself into the BIOS and/or firmware of cards (e.g., video card or drive controller)?
I created a BartPE pseudo-windows-XP startup CD, and now I can at least boot up BartPE and see my hard drive contents.
My plan is to get another hard drive, copy all key files off the old hard drive using BartPE, and then reformat and reinstall.
I'd sure appreciate any input you can provide. Should I give up and proceed with the reformat approach (and will it work, or will this evil bug still resurrect from some firmware stored in some EEPROM on my motherboard or drive controller card?). Is there any other, better way to back out of the mess I'm in?
Thanks very much, Charley