
Worm Delf.cxx (variants) Removal



shortedge
2007-06-09, 18:19
Hi! This is my first thread here. I had been looking around for help regarding the removal of a certain malware when by chance I happened to find a thread in these forums (by someone named syoti) that sounds similar to my case. So here I am humbly asking for your expert help so that I can finally rest my case.

Yes, it does sound like "a friend inserted his USB drive" and the rest is history. To expand on the details: my AVG Free Edition was able to detect multiple worms named delf.cxx (variants, lots of them) and I locked them up in the virus vault, but then I wasn't sure if that is enough. Although I do not experience any symptoms, the unusual thing is that I also have that autorun.inf in my drives that was mentioned in the other thread (http://forums.spybot.info/showthread.php?t=13832). Also, every time I insert my USB flash drive into this laptop I'm using, it shows a suspicious "run program" entry at AutoPlay. And when I double-click the USB drive letter to open it, instead of opening in the same window, it opens in a new one. Beforehand it didn't do that. Folder options are not set to open in a new window. I tried to format it, and it goes back to normal. But when I test it a few minutes later, the USB drive would again open in a new window, which arouses my suspicion that perhaps the laptop is the source of whatever that is.

What I did was to run a full system scan using AVG. I also finished the Spybot search in safe mode, which turned up nothing.

Here's my HJT 1.99.1 log.

Logfile of HijackThis v1.99.1
Scan saved at 12:16:36 AM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\wamp\wampmanager.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
c:\wamp\apache2\bin\httpd.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\apache2\bin\httpd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Free\avgvv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178631474631
O17 - HKLM\System\CCS\Services\Tcpip\..\{A417490D-E062-4CFC-B484-27C9FC88AAA9}: NameServer = 58.69.254.70 58.69.254.134
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe


Also, I've read the guides and I'll be posting later a log from the Kaspersky Online Scanner, which I've just finished.
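The symptoms described in the post above (an unexpected "run program" entry in AutoPlay, and the drive letter opening differently on double-click) are what a worm-written autorun.inf produces: the `open=`/`shellexecute=` lines feed the AutoPlay entry, and `shell\open\command=` replaces the drive's default double-click verb. The script below is an added example, not code from the original post or from any of the tools in the log. It parses an autorun.inf offline and explains which directives would launch code; the two sample files are constructed, and the payload name `recycler\setup.exe` in them is hypothetical rather than something reported in this thread.

```python
"""Added example, not code from the original post: an offline analyser for
autorun.inf files of the kind USB worms drop on removable drives.
The sample files below are constructed; 'recycler\\setup.exe' is a
hypothetical payload name, not one reported in the thread."""
import re
from pathlib import Path
from typing import Dict, List

# Keys that make AutoPlay or Explorer launch a program. "open" and
# "shellexecute" feed the AutoPlay "Run program" entry; "shell\<verb>\command"
# replaces the drive's context-menu verbs, so double-clicking the drive letter
# runs that command instead of Explorer's normal open.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|pif|scr|vbs|js|wsf)\b", re.IGNORECASE)

# Constructed sample: the shape of a worm-written autorun.inf.
SAMPLE_WORM_INF = r"""[autorun]
open=recycler\setup.exe
shellexecute=recycler\setup.exe
shell\open\command=recycler\setup.exe
shell\explore\command=recycler\setup.exe
shell=open
action=Open folder to view files
"""

# Constructed sample: a harmless autorun.inf that only sets an icon and label.
SAMPLE_BENIGN_INF = """[autorun]
icon=stick.ico
label=USB stick
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into {lowercase key: value}.
    Lenient on purpose: worms pad the file with junk and vary the casing."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_directives(entries: Dict[str, str]) -> List[str]:
    """Explain every directive that launches code or disguises the launch."""
    findings: List[str] = []
    for key, value in entries.items():
        m = SHELL_CMD_RE.match(key)
        if key in LAUNCH_KEYS or m:
            note = f"{key} launches '{value}'"
            if EXEC_EXT_RE.search(value):
                note += " (executable)"
            if m and m.group(1).lower() in ("open", "explore"):
                note += " (replaces the drive's default double-click action)"
            findings.append(note)
        elif key == "action":
            findings.append(f"action='{value}' is the text shown in the AutoPlay "
                            "dialog; worms use it to imitate the normal 'Open folder' entry")
    return findings


def is_likely_worm(entries: Dict[str, str]) -> bool:
    """True when any directive would launch a program on insert or double-click."""
    return any(k in LAUNCH_KEYS or SHELL_CMD_RE.match(k) for k in entries)


def scan_drive_root(root: str) -> List[str]:
    """Check a drive root (e.g. 'E:\\' or a mount point) for a live autorun.inf."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    entries = parse_autorun(inf.read_text(errors="replace"))
    return suspicious_directives(entries) if is_likely_worm(entries) else []


if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_WORM_INF), ("benign", SAMPLE_BENIGN_INF)):
        e = parse_autorun(sample)
        print(f"{name}: likely worm = {is_likely_worm(e)}")
        for line in suspicious_directives(e):
            print("  -", line)
```

Two practical caveats follow from how this works. First, an antivirus quarantining the dropped executables does not remove the autorun.inf stubs on each drive (or the copies in Temp and System Restore that the later Kaspersky report lists), so every removable drive that touched the machine needs the same check, and a reformatted stick gets reinfected as soon as it is plugged into a still-infected host, which is exactly what the post describes. Second, on Windows XP the `NoDriveTypeAutoRun` policy (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, value 0xFF) stops AutoPlay from running the `open=` program, but Explorer still honours the `shell\...\command` verbs from autorun.inf unless AutoRun parsing is fully disabled, so the double-click symptom can survive that policy alone.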

shortedge
2007-06-09, 18:22
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 09, 2007 11:21:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/06/2007
Kaspersky Anti-Virus database records: 341652
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 30510
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:38:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\fraubau\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\fraubau\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\fraubau\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\fraubau\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\fraubau\Local Settings\History\History.IE5\MSHist012007060920070610\index.dat Object is locked skipped
C:\Documents and Settings\fraubau\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\fraubau\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\fraubau\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003315.DLL Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003316.exe Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003317.dll Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003318.dll Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003319.dll Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003364.exe Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003424.exe Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003425.dll Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003426.dll Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\A0003427.dll Object is locked skipped
C:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\change.log Object is locked skipped
C:\wamp\logs\access.log Object is locked skipped
C:\wamp\logs\apache_error.log Object is locked skipped
C:\wamp\logs\mysql_error.log Object is locked skipped
C:\wamp\mysql\data\ibdata1 Object is locked skipped
C:\wamp\mysql\data\ib_logfile0 Object is locked skipped
C:\wamp\mysql\data\ib_logfile1 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dnscon70.dll Infected: Virus.Win32.AutoRun.k skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\SR1000R.DLL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ib10 Object is locked skipped
C:\WINDOWS\Temp\ib2 Object is locked skipped
C:\WINDOWS\Temp\ib3 Object is locked skipped
C:\WINDOWS\Temp\ib4 Object is locked skipped
C:\WINDOWS\Temp\ib9 Object is locked skipped
C:\WINDOWS\Temp\_ISTMPI.DIR\autorun.inf Infected: Virus.Win32.AutoRun.k skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{269E701A-81DF-472B-A816-6EA9F2912A4B}\RP28\change.log Object is locked skipped

Scan process completed.

I hope you could help me on this one. Thanks!