
Backdoor.win32.delf.lhl

10 replies to this topic

#1 glink (Members, 6 posts)

Posted 06 September 2008 - 12:45 PM

ZoneAlarm has been finding this virus/trojan (Backdoor.Win32.Delf.lhl) all week. It keeps quarantining some instances, renaming others, and one version that shows up in the memory is selected for "delete on reboot."

I have also run Malwarebytes, ATF Cleaner, SuperAntiSpyware, and DrWeb.

Malwarebytes and SuperAntiSpyware both found different things on their first scan, but subsequent scans are not picking up anything.

ZoneAlarm is still showing the Backdoor.Win32.Delf.lhl.

Have also run Malwarebytes and ZoneAlarm in safeboot with system restore turned off.

Any help would be appreciated.


#2 boopme (Global Moderator, 73,567 posts)

Posted 06 September 2008 - 04:17 PM

Hello, would you please post the scan logs from both Malwarebytes and SuperAntiSpyware here for reviewing, thanks.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 glink (Topic Starter, 6 posts)

Posted 06 September 2008 - 11:44 PM

1st Malwarebytes scan

Malwarebytes' Anti-Malware 1.26
Database version: 1110
Windows 5.1.2600 Service Pack 2

9/3/2008 8:24:37 PM
mbam-log-2008-09-03 (20-24-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 19621
Time elapsed: 15 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e8249e69-a809-4544-832f-64eb65747a92} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


2nd Malwarebytes scan

Malwarebytes' Anti-Malware 1.26
Database version: 1110
Windows 5.1.2600 Service Pack 2

9/4/2008 6:10:50 AM
mbam-log-2008-09-04 (06-10-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145965
Time elapsed: 2 hour(s), 9 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Online Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Video Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Greg\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.


SuperAnti Spyware Scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/05/2008 at 05:18 PM

Application Version : 4.21.1004

Core Rules Database Version : 3557
Trace Rules Database Version: 1545

Scan type : Complete Scan
Total Scan Time : 03:12:59

Memory items scanned : 343
Memory threats detected : 0
Registry items scanned : 5636
Registry threats detected : 5
File items scanned : 93752
File threats detected : 0

Adware.IST/ISTBar (Slotch Bar)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll#{EF86873F-04C2-4A95-A373-5703C08EFC7B}
HKU\S-1-5-21-3546182925-1260423466-4040101017-1005\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]


Thanks for taking a look.

#4 boopme (Global Moderator, 73,567 posts)

Posted 09 September 2008 - 08:39 PM

Ok, sorry for the delay in responding. How is the PC running now?
Please update the Malwarebytes program, it's needed. Then rescan and post that new log.

#5 eduardo_905 (Members, 1 post)

Posted 11 September 2008 - 07:00 PM

I have the same problem. I have Kaspersky Anti-virus 7.0. Every time I restart the PC this trojan appears. What can I do?

#6 glink (Topic Starter, 6 posts)

Posted 16 September 2008 - 01:23 PM

Sorry, I was on a business trip. I ran MBAM again last night and it showed no infections. However, during the scan ZoneAlarm picked up the virus multiple times. It seems whenever the "infected" area is scanned by another program, ZoneAlarm picks it up.

Here are the MBAM results:

Malwarebytes' Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 2

9/16/2008 6:29:17 AM
mbam-log-2008-09-16 (06-29-16).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 156795
Time elapsed: 3 hour(s), 53 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme (Global Moderator, 73,567 posts)

Posted 16 September 2008 - 02:25 PM

Where is ZA showing it is located when found?

#8 glink (Topic Starter, 6 posts)

Posted 16 September 2008 - 03:27 PM

There is one version that is usually found in the memory under:

C:\documen~1\greg\locals~1\temp\74cbf117.nbp (the filename changing each time. Usually marked by ZA to delete on reboot.)

Have tried deleting manually, but it says it is in use. When attempting to delete (or upon a scan such as MBAM) it will usually generate a file in

C:\Documents and Settings\Greg\Local Settings\Temp\74CBF35F.nbf (filename is different each time. ZA usually successfully renames or quarantines these files.)

#9 boopme (Global Moderator, 73,567 posts)

Posted 16 September 2008 - 03:45 PM

OK, did you run the ZA scan from safe mode, as that should make it inactive and kill it.

#10 glink (Topic Starter, 6 posts)

Posted 17 September 2008 - 02:51 AM

Ran ZA in safe mode and nothing showed up. However, I had done that a few weeks ago, and it showed up again in normal mode. I am now running scan again in normal mode and one infection has popped up already. This is usually the one in the memory that gets marked to delete on reboot. The scan is not yet done running.

It seems like it loads into memory somehow. There is one file in the C:\documen~1\greg\locals~1\temp\ that did not want to be deleted while I was in safe mode. It said it was in use by another program. I keep having the feeling that it hides in some svchost.exe process.

Ideas for next steps?
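The two questions raised in posts #8 and #10, which process keeps a file under the user's Temp folder "in use" and whether something is riding inside an svchost.exe instance, can be answered from the defender's side with built-in tooling. The script below is an added example written for this thread; it is not code from the original posts, from ZoneAlarm, Malwarebytes or any other product named here. It assumes a current Windows PowerShell (5.1 or later, so `Get-CimInstance` is available) run from an elevated prompt so that module lists of system processes are readable; the Temp folders it inspects default to `$env:TEMP` and `%SystemRoot%\Temp`, which is an assumption you can widen with the `-Roots` parameter.

```powershell
# Added example, not from the thread or any product it mentions.
#   1. Get-TempLoadedModules: which running process has a DLL loaded from a
#      Temp folder (the locked .nbp/.nbf files above lived under
#      ...\Local Settings\Temp). A file that cannot be deleted because it is
#      "in use" is usually mapped by exactly such a process.
#   2. Get-SvchostServices: which services each svchost.exe instance hosts and
#      the ServiceDll each one loads, so "it hides in some svchost.exe" can be
#      narrowed to one service and one DLL path.
# Assumes Windows PowerShell 5.1+ from an elevated prompt.

function Get-TempLoadedModules {
    param(
        # Folders treated as Temp. Get-Item expands 8.3 names such as
        # C:\DOCUME~1\... into the long form that module paths use.
        [string[]]$Roots = @($env:TEMP, "$env:SystemRoot\Temp")
    )
    $longRoots = foreach ($r in $Roots) {
        if (Test-Path $r) { (Get-Item $r).FullName.TrimEnd('\') + '\' }
    }
    foreach ($proc in Get-Process) {
        # Protected or other-user processes throw on .Modules; skip them.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            foreach ($root in $longRoots) {
                if ($m.FileName -and
                    $m.FileName.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{
                        PID     = $proc.Id
                        Process = $proc.ProcessName
                        Module  = $m.FileName
                    }
                }
            }
        }
    }
}

function Get-SvchostServices {
    # One row per service that WMI reports as hosted in svchost.exe. The DLL
    # comes from the service's Parameters\ServiceDll value, the documented
    # location for svchost-hosted services.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'svchost\.exe' -and $_.ProcessId -gt 0 } |
        ForEach-Object {
            $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $dll = $null
            if (Test-Path $paramsKey) {
                $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
            }
            [pscustomobject]@{
                PID        = $_.ProcessId
                Service    = $_.Name
                State      = $_.State
                ServiceDll = [Environment]::ExpandEnvironmentVariables([string]$dll)
            }
        } | Sort-Object PID, Service
}

# Any module loaded from Temp deserves a second look. In the svchost table,
# a ServiceDll outside %SystemRoot%\System32, or an empty one for a running
# service, is the row to follow up on.
Get-TempLoadedModules | Format-Table -AutoSize
Get-SvchostServices   | Format-Table -AutoSize
```

Both functions only read process and registry state; they do not kill processes or delete files. If the first table shows the locked Temp file mapped into a process, that process (or the service the second table maps it to) is what the safe-mode scan needs to be stopped before the file can be removed, which matches the moderator's advice to scan from safe mode.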

#11 glink (Topic Starter, 6 posts)

Posted 18 September 2008 - 01:03 AM

On a friend's recommendation, I tried the free AVG anti-virus program. It also found the Backdoor, but named it a bit differently, and in addition it also found a program with the same Trojan name. It was Vasilios Freeware-Instant Memory Cleaner (http://www.vasileios.gr/freesoft/inst_mem_clean.htm). I have had it loaded for several months, but this Trojan just surfaced at the end of August. I am not sure if it was "infected" the whole time, or just recently. Could this have been a false positive?

I removed the program, rebooted, and was able to remove all temp files that were previously "in use". Then ran AVG and ZA and neither found an infection.

I think this solves my problem, unless you have other recommendations.
