Yes, I see afd.sys.vir, beneath afd.sys and afd.sys.org.

OK

highlight / select the afd.sys.vir and on the right hand side click copy  and GMER will allow you to save it as what ever name and where ever like say the desktop.

create a copy of it say on your desktop.

Then upload it to virustotal https://www.virustotal.com/

I will be away for a couple of hours

The most recent GMER scan results are attached. Do I need to send you the results from the virustotal scan?

just hint about GMER: if you want to delete something, first kill it in memory (unload) and after that delete the file. this will possibly prevent execution of loaded infection and prevent it from to save or to infect another location.

I see you have Process explorer tool. can you update it (http://technet.microsoft.com/en-us/sysinternals/bb896653) open it and try to find (via Win key + F)  afd.sys.vir by typing afd.sys.vir?

---

Niko233 wrote:

just hint about GMER: if you want to delete something, first kill it in memory (unload) and after that delete the file. this will possibly prevent execution of loaded infection and prevent it from to save or to infect another location.

 

I see you have Process explorer tool. can you update it (http://technet.microsoft.com/en-us/sysinternals/bb896653) open it and try to find (via Win key + F)  afd.sys.vir by typing afd.sys.vir?

---

Don't do the above,   You want the guy to install Kaspersky and have Norton and all the other programs. Some just make me angry when they are screwing things up.

I have created a screenshot of copying a file in GMER

You use the files tab, to go and find the file like my previous message by going into the Drivers folder,  I have done a screenshot where I have done this but with atapi.sys instead as I don't have a file named afd.sys.vir.

When in the Drivers folder on the right hand side find afd.sys.vir and select click on it carefully to just select that file it will highlight in blue.

Then on the right hand side click the COPY button (see it in screenshot.) Instuctions continue below screenshot

When you click COPY  a dialog save box pops up  so you can select where the copy is to be saved and the name.

I saved atapi.sys (in this example) as to saved in the location Desktop and the file name to be saved as atapi.sys.vir.

After that it states that it was successful.

Now after the file is saved on the desktop I can send it to Virustotal or anywhere else.

You may have to wait for the image to be approved before you are able to see it by the time you read this post.

We do have a theory on what has happened with these to files and it's due to the conflicts you had.

Quads

Thanks for the detailed instructions, but I had already succesfully copied the file and scanned it at virustotal. I meant to ask how you wanted me to send you the results of the scan, given that they appear on a webpage and that one can only upload text attachments on this forum.

You can just copy and paste the web address of the scan results web address http....................................

I did it back at this message http://community.norton.com/t5/Norton-Internet-Security-Norton/Help-with-ZeroAccess-Sirefef-infectio...

Quads

Now just so you know, Norton is also not working correctly, but we will fix that later without all the conflicts or leftovers.  Also GMER log shows that zeroaccess is dead.  YAY.

Next,

You may want to make sure that you can see the screenshot below first to make sure what you are doing.

We will start with what should be the easier of the 2 files  afd.sys.org

Make sure you DON"T select afd.sys

With GMER  go into the Drivers folder and find in the list afd.sys.org and select it.Double check it's the right file selected  (instructions carry on below screenshot)

This time click on the right hand side DELETE,    GMER asks basically are you sure??    click Yes

You can see that in the screenshot above I created a file called atapi.sys.vir to just show the dialog.

After deleting the file close GMER, then start GMER again, and go into the drivers folder to see if afd.sys.org is really gone.

Quads