Full Version: Combofix Frozen
BleepingComputer.com > Security > Am I infected? What do I do?
Tekn0cat
I hope I'm in the right forum! I'm trying to clean a laptop running Windows XP Pro; it's infected with Wserving/Afinding.exe. I found some instructions on how to clean this, starting with running ComboFix (which we've used in the past). I downloaded the latest version and ran it AFTER disabling antivirus, firewall and spyware scanners.

Now ComboFix has frozen after "Completed Stage_4". It's been sitting like this for over half an hour. I don't want to do anything to it until I check here. So far it says it's removed the following:

C:\Windows\Hosts
C:\windows\system32\routing.exe
C:\windows\system32\Indt2.sys
C:\windows\system32\comsa32.sys
C:\windows\system32\afinding.exe
C:\windows\system32\Wserving.exe

From looking on this forum in regards to this infection (too late), I realize now that I screwed up by running ComboFix right away... but is it OK to use Task Manager or force ComboFix to close? And if so, what do I do next?

Thanks!

Tekn0cat
Update: (additional info) - I tried to open Task Manager, got to the Windows Security box, then no response when I tried to use mouse or keyboard. HDD is not active. It's now been sitting like this for over 15 min. I'm going to try a hard boot, then run HijackThis if possible and post the log in a different thread.
superbird
Hi,

That's the problem with using ComboFix without supervision. Please use it only when a trained helper tells you to.

If you've closed ComboFix, do this:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tekn0cat
I had been running a Kaspersky online scan just before I read your post. It was getting to a certain file and then freezing. I aborted the scan, then installed and ran Mbam. While Mbam was running, Symantec Antivirus virus quarantine messages popped up several times. After I ran Mbam I opened Symantec and purged all items successfully from quarantine. Mbam also has files in quarantine but I haven't deleted them yet.

Here's the Mbam log - I also kept a log from Kaspersky but won't post it unless asked:

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

13:07:13 2008-07-09
mbam-log-7-9-2008 (13-07-13).txt

Scan type: Quick Scan
Objects scanned: 72004
Time elapsed: 14 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


superbird
Hi, yes, please post the logfile of Kaspersky too.
Do you still have problems?
Tekn0cat
I don't know yet if there are still problems - this is a user's laptop and the only symptom he was reporting was slow performance and repeated Symantec AV virus detected warnings. I'm running another Symantec scan to see if it picks up anything.

Here's the Kaspersky from before I ran Mbam:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 09, 2008 15:38:05
Records in database: 932467
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
I:\
S:\
V:\
W:\

Scan statistics:
Files scanned: 34422
Threat name: 11
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 00:31:44


File name / Threat name / Threats count
C:\WINDOWS\system32\Nobicyt.exe/C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jxi 1
C:\WINDOWS\system32\perfs.exe/C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.tps 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01280000.VBN Infected: Trojan.Win32.Agent.suv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\074C0000.VBN Infected: Trojan.Win32.Agent.suv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0000.VBN Infected: Trojan-Downloader.Win32.Delf.jte 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\086C0001.VBN Infected: Trojan.Win32.Delf.dbc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0000.VBN Infected: Trojan-Downloader.Win32.Delf.jqx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0001.VBN Infected: Trojan.Win32.Agent.sus 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0002.VBN Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0003.VBN Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09280000.VBN Infected: Trojan.Win32.Agent.suv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09280001.VBN Infected: Trojan.Win32.DNSChanger.ewt 1
C:\Documents and Settings\Helpdesk\Local Settings\Temp\Av-test.txt Infected: EICAR-Test-File 1

The scan was stopped by the user.
superbird
Hi,

Delete all the items in the virus vault of Norton.

Then indeed scan again with Symantec. If any items are found, please tell me the exact file path(s).
Tekn0cat
No items were found when I ran a full Symantec scan of the C drive. I checked its Quarantine and Backup folders after the scan. (This is Symantec Corporate so it doesn't have a Norton folder) All the bugs I'd seen before were in the Backup folder, so I deleted them. Quarantine was empty.

User has picked up his laptop (was in a hurry), but he will be sure to let us know if he gets more virus pop-ups. I also gave him a little "crash" course on not downloading crap, and tweaked his IE security settings for now.
superbird
That's nice to hear. I don't think he will complain, because everything looks clean again.

If you want to read some security tips: http://users.telenet.be/bluepatchy/miekiem...prevention.html
Tekn0cat
Update: Same virus is back. Here's the alert message from Symantec Antivirus Corporate:

Scan type: Auto-Protect Scan

Event: Threat Found!

Threat: Trojan Horse

File: C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP2\A0001026.exe

Location: Quarantine

Computer: PBRENER

User: SYSTEM

Action taken: Quarantine succeeded : Access denied

Date found: 2008-07-10 12:06

Next steps? I'm thinking turn off System Restore, boot into Safe Mode, then run Mbam again - unless you have other suggestions?

Thanks!
superbird
No, System Restore isn't needed.

Do this:
Go to Start > Run. Type: combofix /u
This will restart ComboFix, and uninstall it.

Scan again with your AV. Is there still anything left?
Tekn0cat
Will take a while as the user hasn't given me his laptop yet. I'll update when I've tried that.

Thanks again!
superbird
All right.
Tekn0cat
Still haven't got the laptop from the user, he's one of those busy upper management types. But he just sent me an email advising that he's still getting the bursts of music that are caused by this virus... so I think maybe it will take more than a combofix uninstall to get rid of this.

Your thoughts?
DaChew
combofix /u

creates a new restore point and deletes the old ones, not something I would do just yet

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

run these programs in this order, exactly as specified and have the computer disconnected from the internet

If MBAM does not show a clean scan after running those three steps, then run SDFix

http://www.bleepingcomputer.com/forums/topic131299.html

All programs updated!

MBAM in normal mode, then ATF and SAS from safe mode

Reboot and rerun MBAM, if anything shows then reboot into safe mode and run SDFix

All this without reconnecting to the internet

superbird
Indeed, do what DaChew tells you to do. There's a deeper infection present than I thought.
Tekn0cat
I got the laptop and followed Chewy's instructions. On the second MBAM scan I found two more items; one was called "Trojan.Agent". It's in C:\windows\system32\comsa32.sys
I deleted the file in MBAM, then booted into safe mode and ran SDFix. The report it created on reboot into normal mode seemed to show nothing more was found.

I ran one more MBAM scan in normal mode just to be sure. It found Trojan.Agent again in the same location.

The laptop hasn't been connected to the internet/network all day. I've been installing all programs and updates using a USB key.

Any thoughts on what I should do next?
Tekn0cat
Update: removed Trojan.Agent again using MBAM. Scanned again. Here's the log:

Malwarebytes' Anti-Malware 1.20
Database version: 938
Windows 5.1.2600 Service Pack 2

4:35:21 PM 7/14/2008
mbam-log-7-14-2008 (16-35-21).txt

Scan type: Quick Scan
Objects scanned: 47697
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Should I run something like DSS to double-check or does this mean the system is finally clean?
DaChew
Something is fishy here, I suspect something interfered with that rootkit removal, sdfix and mbam should have gotten it.


Do a normal reboot and then run

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

I would like to see what's loading at bootup


Tekn0cat
Here's the Smitfraud log:

SmitFraudFix v2.329

Scan done at 17:19:04.82, Mon 07/14/2008
Run from C:\Documents and Settings\pguay\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Documents and Settings\pguay\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\pguay


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\pguay\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\pguay\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.20.11

Description: Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4BCEE9D6-7D89-4125-B400-EE40E13F5938}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8424269E-76FA-4B34-986F-4578F2D60005}: DhcpNameServer=192.168.20.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4BCEE9D6-7D89-4125-B400-EE40E13F5938}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8424269E-76FA-4B34-986F-4578F2D60005}: DhcpNameServer=192.168.20.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4BCEE9D6-7D89-4125-B400-EE40E13F5938}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8424269E-76FA-4B34-986F-4578F2D60005}: DhcpNameServer=192.168.20.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.20.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.20.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.20.11


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


BTW after I rebooted into normal mode and ran MBAM again it found the same item.
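The DNS block of the SmitfraudFix report above is there because resolver hijacks (the Kaspersky scan earlier in the thread flagged a Trojan.Win32.DNSChanger sample in the Symantec quarantine) show up as name-server addresses that do not belong to the local network, or as a CurrentControlSet value that no longer matches the LastKnownGood copy. The script below is an added example, not code from the thread or from SmitfraudFix (S!Ri); it parses that section's layout and reports both conditions. The excerpt inside it is constructed: the adapter names, interface GUIDs and 192.168.x.x resolvers are the ones in the posted log, while the 198.51.100.7 entry is an invented address from the RFC 5737 documentation range, standing in for a rewritten setting.

```python
"""Audit the DNS section of a SmitfraudFix report.

Added example, not code from the thread or from SmitfraudFix. SAMPLE is a
constructed excerpt in the layout of the posted log; 198.51.100.7 is an
invented (RFC 5737 documentation-range) resolver.
"""
import ipaddress
import re

# Registry dump lines, e.g.
# HKLM\SYSTEM\CCS\Services\Tcpip\..\{GUID}: DhcpNameServer=192.168.2.1
_REG_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<scope>.+?):\s*"
    r"(?P<name>\w+)=(?P<val>.*)$"
)
# Per-adapter summary lines printed above the registry dump.
_ADAPTER_RE = re.compile(r"^DNS Server Search Order:\s*(?P<val>.*)$")

# Resolvers are expected on the LAN (RFC 1918). Adjust for a site that
# points clients at its ISP's or a public resolver.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE = r"""
»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.20.11

Description: Intel PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 198.51.100.7

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4BCEE9D6-7D89-4125-B400-EE40E13F5938}: DhcpNameServer=198.51.100.7
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8424269E-76FA-4B34-986F-4578F2D60005}: DhcpNameServer=192.168.20.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4BCEE9D6-7D89-4125-B400-EE40E13F5938}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8424269E-76FA-4B34-986F-4578F2D60005}: DhcpNameServer=192.168.20.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.20.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.20.11
"""


def _addrs(value):
    """Split a space/comma separated server list into ip_address objects."""
    out = []
    for tok in re.split(r"[\s,]+", value.strip()):
        try:
            out.append(ipaddress.ip_address(tok))
        except ValueError:
            continue  # empty or non-address token
    return out


def parse_dns_section(text):
    """One dict per resolver entry: cs (control set, None for the adapter
    summary), scope (adapter name or Tcpip sub-key), name and addrs."""
    entries, adapter = [], "unknown adapter"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Description:"):
            adapter = line.split(":", 1)[1].strip()
            continue
        m = _ADAPTER_RE.match(line)
        if m:
            entries.append({"cs": None, "scope": adapter,
                            "name": "DNS Server Search Order",
                            "addrs": _addrs(m["val"])})
            continue
        m = _REG_RE.match(line)
        if m:
            entries.append({"cs": m["cs"], "scope": m["scope"],
                            "name": m["name"], "addrs": _addrs(m["val"])})
    return entries


def foreign_resolvers(entries, trusted=PRIVATE_NETS):
    """(scope, address) pairs for resolvers outside the trusted networks."""
    return [(e["scope"], str(a)) for e in entries for a in e["addrs"]
            if not any(a in net for net in trusted)]


def control_set_mismatches(entries):
    """(scope, value name) pairs whose address list differs between the
    control sets. CurrentControlSet is an alias for one numbered set and
    another holds LastKnownGood, so a difference means the value changed
    since the last known-good boot."""
    by_key = {}
    for e in entries:
        if e["cs"] is None:
            continue
        by_key.setdefault((e["scope"], e["name"]), set()).add(
            tuple(str(a) for a in e["addrs"]))
    return sorted(k for k, variants in by_key.items() if len(variants) > 1)


if __name__ == "__main__":
    found = parse_dns_section(SAMPLE)
    print("resolvers off the LAN:", foreign_resolvers(found))
    print("control sets disagree:", control_set_mismatches(found))
```

On the actual log in this thread every resolver is a 192.168.x.x address and all three control sets agree, so both checks would come back empty; the constructed excerpt flips one interface to show what a hit looks like. A trusted-network list other than RFC 1918 is passed in through the `trusted` parameter.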
DaChew
A lot of googling shows this rootkit to require tools we don't use here, so you definitely qualify for the trained experts in the HJT forum.

I was ready to blame Norton's for this

QUOTE
C:\WINDOWS\system32\Nobicyt.exe


That's a newer nasty

http://www.bleepingcomputer.com/forums/topic34773.html
Tekn0cat
Thanks - I'm taking this laptop home to work on tonight; I had already installed DSS on it and will create a log when I get home.
I've advised the user if I can't get this thing cleaned it's going to be reimaged, he's ok with that if necessary.

Thanks for the help!
DaChew
MBAM is up to 949; you might update it.

That infection probably came out at the first of this month

Tekn0cat
Updated to 949, this is what came up after I deleted what was found:

Malwarebytes' Anti-Malware 1.20
Database version: 949
Windows 5.1.2600 Service Pack 2

18:44:32 2008-07-14
mbam-log-7-14-2008 (18-44-32).txt

Scan type: Quick Scan
Objects scanned: 48113
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\pguay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
C:\Documents and Settings\dputtock\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
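Across the three MBAM logs posted in this thread the same objects (C:\WINDOWS\hosts and C:\WINDOWS\system32\comsa32.sys) are "Quarantined and deleted successfully" and then reported again on the next scan, which is the signal that something still on the machine recreates them. The following Python script is an added example, not code from the thread or from Malwarebytes: it parses the MBAM 1.x log layout quoted above and lists the objects that recur across consecutive scans. The two log texts inside it are constructed in that layout (object names come from the thread; the counts and the profile name "user" are made up).

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and list detections that
recur across consecutive scans.

Added example, not code from the thread or from Malwarebytes. LOG_A and
LOG_B are constructed in the MBAM 1.20 log layout; object names come from
the thread, counts and the profile name "user" are made up.
"""
import re

# Detail-section headings as they appear in MBAM 1.x logs, in order.
SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# Detail line: "<object> (<family>) -> <action>"
_ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

LOG_A = r"""Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

Memory Processes Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

LOG_B = r"""Malwarebytes' Anti-Malware 1.20
Database version: 949

Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (Rogue.SpywareDestructor) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return {section: [(object, family, action), ...]}.

    Summary lines such as "Files Infected: 3" are ignored; only the detail
    sections that follow them are read. Sections absent from the log or
    marked "(No malicious items detected)" come back as [].
    """
    result = {s: [] for s in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = _ITEM_RE.match(line)
        if m:
            result[current].append((m["obj"], m["family"], m["action"]))
    return result


def recurring_detections(*logs):
    """Objects reported in more than one of the parsed logs, as
    (object, family, [indices of the scans that reported it]).

    An object removed in one scan and back in the next is being recreated
    between scans; the fix is not another scan but finding what restores
    it. Comparison is case-insensitive, as Windows paths and keys are.
    """
    seen = {}
    for idx, log in enumerate(logs):
        for items in log.values():
            for obj, family, _action in items:
                rec = seen.setdefault(obj.lower(),
                                      {"obj": obj, "family": family, "scans": set()})
                rec["scans"].add(idx)
    return sorted((r["obj"], r["family"], sorted(r["scans"]))
                  for r in seen.values() if len(r["scans"]) > 1)


if __name__ == "__main__":
    for obj, family, scans in recurring_detections(parse_mbam_log(LOG_A),
                                                   parse_mbam_log(LOG_B)):
        print(f"recurs in scans {scans}: {obj} ({family})")
```

Feeding it the three logs from this thread (saved from MBAM's Logs tab) gives the same two recurring paths; perfs.exe is not reported because it appears twice in one scan (as a process and as a file) but never in a later one.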

superbird
Hi,

A last try:

Download zoek.exe: http://home.hetnet.nl/~stefsmeenk/zoek.exe
Start zoek.exe
Post the logfile that opens.
quietman7
Your HijackThis log is posted here.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.
Invision Power Board © 2001-2008 Invision Power Services, Inc.