Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected With Afinding/perfs/wserving/routing Rootkit

  • Please log in to reply
1 reply to this topic

#1 ccds


  • Members
  • 1 posts
  • Local time:05:02 PM

Posted 16 July 2008 - 11:10 PM

My PC (Dell Optiplex GX270 running Windows XP SP2) seems to be severely infected with a rootkit.

Initial symptom was playing random bits of audio, spawning Internet Explorer sessions that went to a website that says it pays clients per visit,
creating random hidden files in the internet explorer temporary files folder.

Next, I found new processes running: afinding.exe, wserving.exe, perfs.exe, and routing.exe.
Plus I found new files in my c:\windows\system32 folder: xfst.sys, xwxfst.sys, sxwand.sys

Despite killing these, they would relaunch after some delay (usually <1 minute), without any apparent trigger.
I ensured my Norton Antivirus defs were up to date, but there's no mention of this "threat" at the Norton/Symantec website, and multiple scans found nothing.
Next, Norton realtime antivirus started occasionally popping up to say it found "Trojan.downloader" and that it failed to quarantine it.

I disconnected from my modem connection, and ran SuperAntiSpyware, AdAware, and SpyBot, but this failed to solve the problem.

Several reboots later, my PC now won't boot to XP at all. It starts, then hangs at the bios startup screen. I cannot load HijackThis, ComboFix, or anything else because I can't get to Windows in the first place.

My initial google search 12 days ago yielded only 4 hits; 2 were from Prevx and said nothing about a removal tool, and 2 from another site that looked untrustworthy.
A search for "afinding.exe" today yields 1,470 hits, so this seems to be new and spreading quickly.
Other posts have suggested that this is a rootkit, which may insert itself into the bios and/or firmware of cards (e.g., video card or drive controller)?

I created a BartPE pseudo-windows-XP startup CD, and now I can at least boot up BartPE and see my hard drive contents.
My plan is to get another hard drive, copy all key files off the hold hard drive using BartPE, and then reformat and reinstall.

I'd sure appreciate any input you can provide. Should I give up and proceed with the reformat approach (and will it work, or will this evil bug still resurrect from some firmware stored in some EEPROM on my motherboard or drive controller card?). Is there any other, better way to back out of the mess I'm in?

Thanks very much, Charley

BC AdBot (Login to Remove)


#2 Guest_superbird_*


  • Guests

Posted 17 July 2008 - 06:53 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users