
Trojan.win32.delf


13 replies to this topic

#1 andymirasol

andymirasol

  • Members
  • 50 posts

Posted 13 June 2008 - 07:56 AM

Hi, I have just run Kaspersky Online Scanner and I have found some threats on my computer; how do I get rid of them, please?

C:\Program Files\SuperLogix\Super Utilities\SuperMenuHook.dll :Trojan.Win32.Delf.cmv
C:\Windows\system32\baksm.dat :Trojan.Win32.Delf.ceh
C:\Windows\system32\baksm.dll :Trojan.Win32.Delf.ceh
C:\Windows\system32\supermenuhook.dll :Trojan.Win32.Delf.ceh

Thanks. Andrew.


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 13 June 2008 - 08:08 AM

That's an older, established program from a trusted web site.

If you downloaded from a P2P source it may be malware.

http://virusscan.jotti.org/

http://www.virustotal.com/

Both of these services are good for submitting files for analysis.

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

Chewy

No. Try not. Do... or do not. There is no try.

#3 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 13 June 2008 - 08:33 AM

Hi, I submitted them to VirusTotal and it says they're trojans :thumbsup:
It was downloaded from a P2P source.

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 13 June 2008 - 08:41 AM

http://fileinfo.prevx.com/QQbbdc15877155-B.../BAKSM.DLL.html

Please read this and compare file sizes.

With files like this, that are quite powerful, you can expect certain programs to detect them as malware.

Since you are using the program illegally, a good test would be to use Add/Remove to uninstall the program; if it uninstalls those "infected" files then they weren't trojans.
Chewy

No. Try not. Do... or do not. There is no try.
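The advice in the two replies above (submit the flagged files to a multi-engine service, then compare what the listing says about the file with what is actually on disk) is easier to act on if you capture the file's size and hashes first: a size match alone is weak evidence, while a hash either matches a vendor's listing or it does not, and a hash can be looked up without uploading the file at all. The script below is an added example, not code from the thread or from any of the scanners mentioned. It parses the "<path> :<detection>" lines in the format the first post quotes, then records size, SHA-256 and MD5 for each file that still exists; the scan text and the stand-in files it hashes are constructed here, and the `resolve` hook (hypothetical, only so the demo can point the reported Windows paths at the stand-ins) is an identity function on the scanned machine itself.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the "<path> :<detection>" layout the thread quotes
# from the online scanner; not an actual scan result.
SCAN_OUTPUT = r"""
C:\Program Files\SuperLogix\Super Utilities\SuperMenuHook.dll :Trojan.Win32.Delf.cmv
C:\Windows\system32\baksm.dat :Trojan.Win32.Delf.ceh
C:\Windows\system32\baksm.dll :Trojan.Win32.Delf.ceh
"""

# Path is everything before the whitespace-colon separator; name is the rest.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+:(?P<name>\S+)$")


@dataclass
class Detection:
    path: str
    name: str
    size: Optional[int] = None
    sha256: Optional[str] = None
    md5: Optional[str] = None


def parse_scan_output(text: str) -> list:
    """Turn the scanner's one-line-per-hit output into Detection records."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["name"]))
    return found


def fingerprint(path: str, chunk: int = 1 << 16):
    """Return (size, sha256, md5) of a file, streamed so large files are fine."""
    sha, md5, size = hashlib.sha256(), hashlib.md5(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md5.update(block)
            size += len(block)
    return size, sha.hexdigest(), md5.hexdigest()


def enrich(detections, resolve=lambda p: p):
    """Attach size and hashes to every detection whose file still exists.
    `resolve` (hypothetical hook) maps the reported path to a local path:
    identity on the scanned machine, a redirect to stand-in files in the demo."""
    for d in detections:
        local = resolve(d.path)
        if os.path.isfile(local):
            d.size, d.sha256, d.md5 = fingerprint(local)
    return detections


def report(detections) -> str:
    """One line per file, ready to compare against a hash lookup or vendor listing."""
    lines = []
    for d in detections:
        if d.size is None:
            lines.append(f"{d.path}  [{d.name}]  file not present (already removed?)")
        else:
            lines.append(f"{d.path}  [{d.name}]  {d.size} bytes  sha256={d.sha256}  md5={d.md5}")
    return "\n".join(lines)


def demo():
    """Constructed stand-in files for two of the reported paths; the third is
    deliberately left missing to exercise the 'not present' branch."""
    tmp = tempfile.mkdtemp()
    stand_ins = {"SuperMenuHook.dll": b"MZ-sample-1", "baksm.dat": b"sample-2"}
    for name, data in stand_ins.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    resolve = lambda p: os.path.join(tmp, p.rsplit("\\", 1)[-1])
    return enrich(parse_scan_output(SCAN_OUTPUT), resolve)


if __name__ == "__main__":
    print(report(demo()))
```

On a real machine, feed the scanner's output to `parse_scan_output` and call `enrich` with the default `resolve`; the report lines give you a size to compare with the vendor page and a SHA-256 to search for on VirusTotal before deciding whether the file is the legitimate component or a replaced one.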

#5 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 13 June 2008 - 09:00 AM

Hi, I removed the program and the files supermenuhook.dll & superutil.exe are still there!
And after the program finished removing, a window popped up saying there was a new startup program, change registry etc., which was my Outpost firewall, asking if it was a trusted service?

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 13 June 2008 - 09:18 AM

Too many security programs can cause a lot of problems with Windows and each other. Do you have any symptoms of malware/infection?

What kind(s) of resident protection do you have running?

http://www.bleepingcomputer.com/files/smitfraudfix.php

Please download

http://siri.geekstogo.com/SmitfraudFix.php

Would you run a SmitfraudFix scan in normal mode?

Use:
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Edited by DaChew, 13 June 2008 - 09:19 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 13 June 2008 - 09:36 AM

Hi, yes, my computer seems to be a lot slower. I am running Agnitum Outpost Security Suite.
This is the report from SmitfraudFix:
SmitFraudFix v2.324

Scan done at 16:32:39.31, 13/06/2008
Run from C:\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Movistar\Escritorio movistar\EMMSN.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Andy


C:\Documents and Settings\Andy\Application Data


Start Menu


C:\DOCUME~1\Andy\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\progra~1\\agnitum\\outpos~1\\wl_hook.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 194.179.1.100
DNS Server Search Order: 194.179.1.101

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CEFD770D-871D-497B-B4BC-AE8671448551}: NameServer=194.179.1.100 194.179.1.101
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CEFD770D-871D-497B-B4BC-AE8671448551}: NameServer=194.179.1.100 194.179.1.101


Scanning for wininet.dll infection


End

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 13 June 2008 - 10:00 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Would you run a quick scan with MBAM and post that log? Are you in Europe?
Chewy

No. Try not. Do... or do not. There is no try.

#9 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 13 June 2008 - 10:16 AM

Hi, yes Chewy, I am in Europe.
Here's the quick scan results, thanks:


Malwarebytes' Anti-Malware 1.17
Database version: 852

17:15:41 13/06/2008
mbam-log-6-13-2008 (17-15-27).txt

Scan type: Quick Scan
Objects scanned: 57656
Time elapsed: 9 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{09ab78d4-78e1-4794-ae2e-becb9d51e6a7} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{96c5bd84-73fb-412b-9820-4ca0a7f80f5e} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{57a01f33-385d-466d-8129-b040ffb8d8cc} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{263900a7-c04d-47e0-bd88-b4a56c5f659d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0122084-f485-49fc-bd05-fa551a6019cf} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{b20daef6-1b9a-4132-80aa-08c668fc5ae5} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{fdabc61b-fa9b-4128-aa39-52289098698a} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\sdrmod.StockBar (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
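Two things in the MBAM log above are worth checking mechanically rather than by eye: every item ends in "No action taken", so the quick scan only reported the registry keys and did not remove them (the scan has to be re-run with the removal option for the cleanup to actually happen), and the per-category counts in the summary should agree with the items listed under each section. The parser below is an added example, not code from the thread or from Malwarebytes; it assumes the log layout exactly as quoted (a "Category Infected: N" summary block followed by "Category Infected:" sections) and runs on a sample log constructed from the quoted scan, trimmed to three sections.

```python
import re
from collections import Counter

# Sample log, constructed from the quick-scan output quoted in the thread
# (trimmed to three sections; not the original log file).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.17
Database version: 852

Scan type: Quick Scan
Objects scanned: 57656

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{09ab78d4-78e1-4794-ae2e-becb9d51e6a7} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{96c5bd84-73fb-412b-9820-4ca0a7f80f5e} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{57a01f33-385d-466d-8129-b040ffb8d8cc} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{263900a7-c04d-47e0-bd88-b4a56c5f659d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0122084-f485-49fc-bd05-fa551a6019cf} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{b20daef6-1b9a-4132-80aa-08c668fc5ae5} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{fdabc61b-fa9b-4128-aa39-52289098698a} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\sdrmod.StockBar (Trojan.FakeAlert) -> No action taken.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # "Files Infected: 0"
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")              # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
META_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")            # header key/value lines


def parse_mbam_log(text: str) -> dict:
    """Split the log into header metadata, summary counts and per-section items."""
    meta, counts, items = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # a detail section starts
            section = m["cat"]
            items.setdefault(section, [])
            continue
        m = SUMMARY_RE.match(line)
        if m:                                   # summary block: category -> count
            counts[m["cat"]] = int(m["n"])
            continue
        if section:                             # inside a section: one hit per line
            if line.startswith("(No malicious"):
                continue
            m = ITEM_RE.match(line)
            if m:
                items[section].append({"item": m["item"], "family": m["family"],
                                       "action": m["action"]})
            continue
        m = META_RE.match(line)
        if m:
            meta[m["key"]] = m["value"]
    return {"meta": meta, "counts": counts, "items": items}


def triage(parsed: dict) -> dict:
    """Cross-check the log: listed items vs. summary counts, how many hits were
    only reported (not removed), and which detection families dominate."""
    mismatches = []
    for cat, n in parsed["counts"].items():
        listed = len(parsed["items"].get(cat, []))
        if listed != n:
            mismatches.append((cat, n, listed))
    all_items = [i for v in parsed["items"].values() for i in v]
    families = Counter(i["family"] for i in all_items)
    pending = sum(1 for i in all_items if i["action"] == "No action taken")
    return {"mismatches": mismatches, "families": families, "pending": pending}


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    print(f"families: {dict(result['families'])}")
    print(f"reported but not removed: {result['pending']}")
    print(f"count mismatches: {result['mismatches']}")
```

A `pending` value above zero is the practical takeaway: the log documents what the scanner saw, not what it cleaned, so the follow-up is a removal run and a fresh log in which those items read as removed or quarantined.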

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 13 June 2008 - 11:05 AM

I don't like Ad-Aware or Windows Defender; they seem ineffective.

Spybot S&D without TeaTimer running is my favorite IE addon.

Agnitum Outpost Security Suite

Did you turn this off?
Let's see if there are any more remnants of Vundo left.

http://www.bleepingcomputer.com/forums/ind...st&p=634693

Do a complete clean with ATF but just a quick scan with SAS in safe mode, please.
Chewy

No. Try not. Do... or do not. There is no try.

#11 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 13 June 2008 - 12:21 PM

Hi Chewy, here's the results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/13/2008 at 07:09 PM

Application Version : 4.15.1000

Core Rules Database Version : 3481
Trace Rules Database Version: 1472

Scan type : Quick Scan
Total Scan Time : 00:29:35

Memory items scanned : 175
Memory threats detected : 0
Registry items scanned : 445
Registry threats detected : 0
File items scanned : 8242
File threats detected : 0

#12 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 13 June 2008 - 12:34 PM

SAS, MBAM and ATF Cleaner are three programs I use for regular scans to make sure something hasn't slipped through.

:thumbsup:

Keep an eye on the computer and watch out for P2P infections.
Chewy

No. Try not. Do... or do not. There is no try.

#13 andymirasol

andymirasol
  • Topic Starter

  • Members
  • 50 posts

Posted 13 June 2008 - 12:43 PM

OK, thanks for all the help Chewy! :thumbsup:

#14 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 13 June 2008 - 12:56 PM

You are more than welcome; glad it was so easy.
Chewy

No. Try not. Do... or do not. There is no try.