Visitor
Hhar
Posts: 2
Registered: 05-07-2010

afd.sys(Backdoor.Tidserv.l!inf)

Norton Internet Security found this: afd.sys(Backdoor.Tidserv.l!inf)

It is unable to remove it and linked me to this page:

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2009-120316-3836-99&tabid=3

I have tried running the scan in safe mode but Norton crashes in a runtime error whenever I press any of the tabs in the scan window OR when it finds the: afd.sys(Backdoor.Tidserv.l!inf)

I am unsure of what to do next.

I'm running Vista SP2.

Norton Fighter
mdturner
Posts: 5,308
Registered: 04-11-2008

Re: afd.sys(Backdoor.Tidserv.l!inf)

Hhar wrote:

Norton Internet Security found this: afd.sys(Backdoor.Tidserv.l!inf)

It is unable to remove it and linked me to this page:

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2009-120316-3836-99&tabid=3

I have tried running the scan in safe mode but Norton crashes in a runtime error whenever I press any of the tabs in the scan window OR when it finds the: afd.sys(Backdoor.Tidserv.l!inf)

I am unsure of what to do next.

I'm running Vista SP2.


Hi Hhar,

Welcome to the Norton Community.

I would recommend that you go to www.bleepingcomputer.com to have them remediate this for you. This is a very nasty rootkit which, unless you are very expert with computers, is very difficult to remove. Please ensure you put the name of the virus in the report header at Bleeping Computer.

Here is a link to information on the afd.sys file, which is an important Windows file:

http://www.file.net/process/afd.sys.html

We look forward to the time when the Power of Love will replace the Love of Power. Then will our world know the blessings of peace. ~William Ewart Gladstone

Visitor
Hhar
Posts: 2
Registered: 05-07-2010

Re: afd.sys(Backdoor.Tidserv.l!inf)

OK, I will try over there.

Virus Trouncer
Quads
Posts: 7,386
Registered: 07-21-2008

Re: afd.sys(Backdoor.Tidserv.l!inf)

The installer I tested last night infects, for one, a random Microsoft driver of its choice, in last night's case "rasacd.sys".

The infected driver is still detected as "Backdoor.Tidserv.l!inf" but the installer or dropper is now detected as "Backdoor.Tidserv!gen4".

TDSSkiller can't remove this one.

Quads

TylerDurden
Posts: 147
Topics: 6
Kudos: 28
Solutions: 5
Registered: 12-28-2008

Re: afd.sys(Backdoor.Tidserv.l!inf)

Hey Quads - Let's put it to the test. How does Norton Power Eraser handle it?

http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

--TD

"The brain is useless. We must find another brain." Dr. Henry Frankenstein (1932)
Virus Trouncer
Quads
Posts: 7,386
Registered: 07-21-2008

Re: afd.sys(Backdoor.Tidserv.l!inf)

"Norton Power Eraser": no. The infected files belong to Windows, so you don't delete or erase the files for TDL3 / TDL4.

So that's no good. I don't need to test to figure that out. That's also why Norton can detect the driver but is not allowed to remove or delete it.

You could test "Norton Power Eraser" on the earlier TDL1 / TDL2, as they are files not belonging to Windows (the files are independent), but by now, if a PC is infected with only TDL1 or TDL2 and not some sort of combination, then Norton should be able to handle them.

Quads