AFinding and Wserving

Hi everyone,

The symptoms are, wierd noises (sounds like a machine) following random music and website sounds. (sounds like rock music)

I have managed to link it to "Trojan-Downloader.Win32.Delf.gru", i have tried Norton, Spybot, ATF cleaner, and manually deleting the below names from system 32 folder and ending the process. I have tried ending with hi-jack this in safe mode. I have also managed to block internet access to the files via Norton fire wall (not sure how long it will last or if it renames itself)

ndt2.sys
INDT2.sys
WServing.exe
Perfs.exe
AFinding.exe

Whatever i do it always comes back after a re-start. I'm not sure if there is something in the registary or a hidden file somewhere generating these files again once i delete them. This is what i am asking help in please.

The cause i am lead to beleive is this yahoo widget "650-world-time" and probably the person is seeing me type this right now.

Regards, MiniMark

 

Hi,

Thanks for the reply and the help, the Malwarebyte program has removed it and i have restarted numerous times and it has not come back. Attached is the malware log which shows the problems. Hopefully people won't fall for the same mistake i did.

MiniMark

P.S Is it possible to find out what the trojan has done e.g got my passwords or seen confidential files? Or would of it just used my internet to play random music?

 

Hi Minimark,
It is possible that MalwareBytes was able to remove the infection, but it is our experience that malware often comes with randomly named files attached to it which are not easily identified by a single scanning program. That's why Chaslang put together a set of scans which pick up a number of different kinds of information. In order for him to help you adequately, he would need to see the rest of the requested scans, which would be SuperAntispyware, Combofix and MGlogs.zip. Without those he won't be able to give you the best information.
abri