Malware Problem


2 replies to this topic

#1 johnnyringomd (Members, 2 posts)

Posted 07 December 2011 - 01:04 PM

I have the Windows 7 O.S. and caught what Symantec labels as a Trojan in afd.sys. I can no longer get on the Internet. According to Norton, this site has a fix. How would I get that fix? Thank you very much.




I am having the same issue. AVG antivirus says Infection: Trojan Horse Hider.omk in File: C:\Windows\System32\Drivers\afd.sys

Here is the text from FSS

Ran by Johnny Ringo (administrator) on 07-12-2011 at 12:54:45
Windows 7 Ultimate Service Pack 1 (X86)
********************************************************

Service Check:
==============

File Check:
===========
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-16 13:23] - [2011-04-24 21:18] - 0338944 ____A () 1616764A462881635079267345E754B3

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

**** End of log ****

Any help would be appreciated!

Edited by hamluis, 08 December 2011 - 06:36 AM.
Split from different topic, PM sent new OP.
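The FSS (Farbar Service Scanner) "File Check" section above compares a fixed set of networking binaries against known-good MD5s and prints the timestamps, size, attributes and hash only for a file it cannot match, which is why afd.sys is the one entry without "MD5 is legit". The parser below pulls those unmatched entries out of such a log and compares their hash against a block list. It is an added example, not code from the thread or from FSS; the log layout it assumes is the one pasted above, the sample log is constructed in that layout, and the block list is hypothetical, seeded with the MD5 that VirusTotal reports for this file later in the thread.

```python
"""Triage the 'File Check' section of an FSS (Farbar Service Scanner) log.

Added example; not part of the forum thread and not FSS's own code.
Assumed log layout (as pasted in the thread): a path line ending in
' => MD5 is legit' for a matched file, or a bare path followed by a detail
line '[mtime] - [ctime] - <size> <attrs> () <MD5>' for an unmatched one.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the same layout as the log in the post above.
SAMPLE_LOG = """\
File Check:
===========
C:\\Windows\\system32\\svchost.exe => MD5 is legit
C:\\Windows\\system32\\Drivers\\nsiproxy.sys => MD5 is legit
C:\\Windows\\system32\\Drivers\\afd.sys
[2011-06-16 13:23] - [2011-04-24 21:18] - 0338944 ____A () 1616764A462881635079267345E754B3

C:\\Windows\\system32\\Drivers\\tdx.sys => MD5 is legit
C:\\Windows\\system32\\Drivers\\tcpip.sys => MD5 is legit
"""

# Hypothetical block list, seeded with the MD5 VirusTotal reports for this
# file later in the thread. Lower-case so comparisons are case-insensitive.
KNOWN_BAD_MD5 = {"1616764a462881635079267345e754b3"}

DETAIL_RE = re.compile(
    r"^\[(?P<mtime>[^\]]+)\] - \[(?P<ctime>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \(\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Finding:
    path: str
    md5: str          # lower-case hex, or "" if the detail line was missing
    size: int
    modified: str     # first timestamp on the detail line
    known_bad: bool


def parse_file_check(text: str) -> list[Finding]:
    """Return one Finding per file that FSS could not match to a known-good hash."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    findings: list[Finding] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        # Skip headers, blanks, and files whose MD5 FSS already vouched for.
        if not line.lower().startswith("c:\\") or line.endswith("=> MD5 is legit"):
            i += 1
            continue
        # A bare path means the hash was not recognised; the detail line follows.
        detail = lines[i + 1] if i + 1 < len(lines) else ""
        m = DETAIL_RE.match(detail)
        if m is None:
            findings.append(Finding(line, "", 0, "", False))
            i += 1
            continue
        md5 = m["md5"].lower()
        findings.append(Finding(line, md5, int(m["size"]), m["mtime"], md5 in KNOWN_BAD_MD5))
        i += 2
    return findings


def report(text: str) -> list[str]:
    """One human-readable line per unmatched file."""
    out = []
    for f in parse_file_check(text):
        verdict = "KNOWN BAD" if f.known_bad else "UNVERIFIED - submit to VirusTotal"
        out.append(f"{f.path}  md5={f.md5 or '?'}  size={f.size}  "
                   f"modified={f.modified or '?'}  [{verdict}]")
    return out


if __name__ == "__main__":
    for ln in report(SAMPLE_LOG):
        print(ln)
```

Run it on a saved FSS.txt by replacing SAMPLE_LOG with the file's contents; an "UNVERIFIED" entry is exactly the file Broni asks to have uploaded in the next post, and a "KNOWN BAD" entry means the hash already matches something on the block list, so the file should be treated as the infection rather than re-scanned.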


#2 Broni (BC Advisor, 42,679 posts, Daly City, CA)

Posted 07 December 2011 - 07:58 PM

What about internet connection itself?
Did you take any action regarding file indicated by AVG?

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload the following file to http://www.virustotal.com/ for a security check:
- C:\Windows\System32\Drivers\afd.sys
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.


#3 johnnyringomd (Topic Starter, Members, 2 posts)

Posted 07 December 2011 - 11:36 PM

Internet connection intact with slower speed. What I'm noticing at this point is repeated threat boxes open from AVG giving me the only option to "ignore threat". When I do a full scan, AVG does not give me the option to remove the file b/c it is in a "white-listed" folder. There are multiple other threats that are identified at those times as well, which AVG quarantines. I should mention I downloaded Malwarebytes, which identified multiple threats that were undetected by AVG, all of which were cleaned (I can post the log if it would help); however, the Trojan Horse Hider.omk was not identified by Malwarebytes. Scan results as follows: (sorry for the lengthy post, I'm unable to condense the text b/c it's pretty late here and I have an early meeting.)



Antivirus             Version          Last Update  Result
--------------------  ---------------  -----------  ------------------------------
AhnLab-V3             2011.12.08.00    2011.12.08   Packed/Win32.Katusha
AntiVir               7.11.19.20       2011.12.07   TR/Rootkit.Gen2
Antiy-AVL             2.0.3.7          2011.12.08   Packed/Win32.Katusha.gen
Avast                 6.0.1289.0       2011.12.07   Win32:Aluroot [Rtk]
AVG                   10.0.0.1190      2011.12.08   Hider.OMK
BitDefender           7.2              2011.12.08   Trojan.Generic.6997527
ByteHero              1.0.0.1          2011.12.07   -
CAT-QuickHeal         12.00            2011.12.07   -
ClamAV                0.97.3.0         2011.12.07   -
Commtouch             5.3.2.6          2011.12.08   W32/FakeAlert.RL2.gen!Eldorado
Comodo                10879            2011.12.08   -
DrWeb                 5.0.2.03300      2011.12.08   -
Emsisoft              5.1.0.11         2011.12.08   Trojan.Win32.Hider!IK
eSafe                 7.0.17.0         2011.12.08   -
eTrust-Vet            37.0.9612        2011.12.08   -
F-Prot                4.6.5.141        2011.11.29   W32/FakeAlert.RL2.gen!Eldorado
F-Secure              9.0.16440.0      2011.12.08   Trojan.Generic.6997527
Fortinet              4.3.388.0        2011.12.08   -
GData                 22               2011.12.08   Trojan.Generic.6997527
Ikarus                T3.1.1.109.0     2011.12.08   Trojan.Win32.Hider
Jiangmin              13.0.900         2011.12.07   -
K7AntiVirus           9.119.5619       2011.12.07   Trojan
Kaspersky             9.0.0.837        2011.12.08   Packed.Win32.Katusha.o
McAfee                5.400.0.1158     2011.12.08   ZeroAccess
McAfee-GW-Edition     2010.1E          2011.12.07   -
Microsoft             1.7903           2011.12.07   TrojanDropper:Win32/Sirefef.B
NOD32                 6691             2011.12.07   Win32/Sirefef.DA
Norman                6.07.13          2011.12.07   -
nProtect              2011-12-07.01    2011.12.07   -
Panda                 10.0.3.5         2011.12.08   Suspicious file
PCTools               8.0.0.5          2011.12.08   Trojan.ADH
Prevx                 3.0              2011.12.08   -
Rising                23.87.02.01      2011.12.07   -
Sophos                4.71.0           2011.12.08   -
SUPERAntiSpyware      4.40.0.1006      2011.12.08   Trojan.Agent/Gen-ZAccess
Symantec              20111.2.0.82     2011.12.08   Trojan.ADH
TheHacker             6.7.0.1.353      2011.12.07   -
TrendMicro            9.500.0.1008     2011.12.08   -
TrendMicro-HouseCall  9.500.0.1008     2011.12.08   -
VBA32                 3.12.16.4        2011.12.07   -
VIPRE                 11218            2011.12.08   Trojan.Win32.Generic!BT
ViRobot               2011.12.8.4814   2011.12.08   -
VirusBuster           14.1.104.0       2011.12.07   -


Additional information

MD5       : 1616764a462881635079267345e754b3
SHA1      : 76d57691d9362d5fef8e77748ff60ab835debb6f
SHA256    : f69c2a99bd149943fc856a200a4617db39f1ed5b6d1290b03ccc514a16b5420c
ssdeep    : 6144:fQxn4q4at87Cqi/zznv4sGA8sxWae6u2Bya/rtU61I+AK3uK6HxjnLJtQodWihh6:O4q4atBqWLus4ae6lyap1I+Ayu7Hxjna
File size : 338944 bytes
First seen: 2011-12-08 04:18:55
Last seen : 2011-12-08 04:18:55

TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x3231
timedatestamp....: 0x4ED4CCA1 (Tue Nov 29 12:14:25 2011)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x328A, 0x3400, 7.67, 8c67c92620e8551b66b1aae434985e34
.rdata, 0x5000, 0x47B1, 0x4800, 7.68, f5f1fa847b2a97969dc9c4a44efd456e
.data, 0xA000, 0xC190, 0x2C00, 7.50, cf21c2565197d7cd0844a55345e839b9
.rsrc, 0x17000, 0x10, 0x200, 0.02, 4e3b2ec5da7200456d338156d854c01b
.reloc, 0x18000, 0x244, 0x400, 4.20, 8cea812d3e3ccede19b88f09cc896fa0

[[ 1 import(s) ]]
ntoskrnl.exe: RtlUpperChar, RtlInitUnicodeString, KeWaitForMultipleObjects, IoDeleteController, IoConnectInterrupt, PoSetPowerState, ExGetSharedWaiterCount, RtlCopyString, RtlEqualUnicodeString, RtlDeleteNoSplay, KeRemoveEntryDeviceQueue, RtlInitAnsiString, ZwDeleteKey, FsRtlDeregisterUncProvider, RtlTimeToSecondsSince1980, IoSetSystemPartition, IoQueueWorkItem, IoGetDriverObjectExtension, RtlEqualString, PoRequestPowerIrp, KeInitializeSemaphore, RtlInitString




ExifTool:
file metadata
CodeSize: 31744
EntryPoint: 0x3231
FileSize: 331 kB
FileType: Win32 DLL
ImageVersion: 0.0
InitializedDataSize: 12800
LinkerVersion: 10.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
PEType: PE32
Subsystem: Native
SubsystemVersion: 5.1
TimeStamp: 2011:11:29 13:14:25+01:00
UninitializedDataSize: 0


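The PEInfo block above is the most telling part of the report: .text, .rdata and .data all show entropy ("ntropy") of 7.50 to 7.68 bits per byte, the .rsrc section is 16 bytes, sigcheck finds no version resource at all, and the link timestamp is 29 November 2011, which is what a packed driver dropped over a system file looks like. The "verified: Unsigned" line carries less weight on its own, because an absent embedded Authenticode signature is not conclusive for a Windows system driver (many are signed through catalog files rather than in the file itself); entropy, the missing resource data and the link time are the stronger signals. The script below reproduces the section-entropy and hash part of that report using only the standard library. It is an added example, not code from the thread or from VirusTotal; the 7.0 threshold, the build_sample_pe helper and the constructed sample sections are assumptions for illustration.

```python
"""Per-section entropy and hash triage for a PE file, after the PEInfo block above.

Added example; not part of the thread or of VirusTotal's tooling. It parses
just the PE section table with the standard library and flags any section whose
Shannon entropy is at or above PACKED_THRESHOLD bits per byte. The 7.0 cut-off
and the synthetic sample image are assumptions for illustration.
"""
import hashlib
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumed triage heuristic, not a rule from the page


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    # 'or 0.0' turns the -0.0 produced for constant data into a plain 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) or 0.0


def pe_sections(blob: bytes):
    """Yield (name, virtual_addr, virtual_size, raw_size, raw_bytes) per section."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    for k in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, table + 40 * k)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rsize,
               blob[rptr:rptr + rsize])


def triage(blob: bytes) -> dict:
    """Hashes plus an entropy verdict per section, in the spirit of the VT PEInfo table."""
    rep = {"md5": hashlib.md5(blob).hexdigest(), "sha256": hashlib.sha256(blob).hexdigest(),
           "size": len(blob), "sections": []}
    for name, vaddr, vsize, rsize, raw in pe_sections(blob):
        ent = shannon_entropy(raw)
        rep["sections"].append({"name": name, "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
                                "entropy": round(ent, 2), "packed": ent >= PACKED_THRESHOLD})
    rep["likely_packed"] = any(s["packed"] for s in rep["sections"])
    return rep


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32 image (headers only, not loadable) from (name, raw) pairs.
    Only the fields pe_sections() reads are filled in; everything else is zero."""
    opt_size, e_lfanew = 224, 0x40  # PE32 optional header size; PE header right after the DOS stub
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF  # first section on a 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body, vaddr = b"", b"", 0x1000
    for name, raw in sections:
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(raw), vaddr, len(raw),
                             raw_ptr + len(body))
        table += b"\0" * 16  # relocation/line-number fields and characteristics, unused here
        body += raw
        vaddr += (len(raw) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


# Constructed sample: plain code, a packed-looking blob, and an empty resource section.
_rng = random.Random(2011)
SAMPLE_SECTIONS = [
    (b".text", b"\x90" * 4000 + b"\xC3" * 96),                     # NOP sled + RETs: low entropy
    (b".data", bytes(_rng.getrandbits(8) for _ in range(8192))),   # random-looking: near 8 bits/byte
    (b".rsrc", b"\0" * 512),                                       # all zeros: entropy 0
]

if __name__ == "__main__":
    r = triage(build_sample_pe(SAMPLE_SECTIONS))
    print(f"md5={r['md5']} size={r['size']} likely_packed={r['likely_packed']}")
    for s in r["sections"]:
        print(f"{s['name']:8} vaddr=0x{s['vaddr']:X} raw={s['rsize']} "
              f"entropy={s['entropy']:.2f} packed={s['packed']}")
```

To use it on a real driver, pass `open(path, "rb").read()` to `triage()` instead of the synthetic image. A legitimate, unpacked Windows driver has a .text section well below the threshold and a non-trivial .rsrc holding its version block; a result like the one in the thread (three code/data sections at 7.5 or above and a 16-byte .rsrc) is the pattern this check is meant to surface before the file is ever uploaded anywhere.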