Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HELP! I've been infected with Win32.Delf.uc!


  • This topic is locked This topic is locked
10 replies to this topic

#1 ifatkid

ifatkid

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 18 January 2009 - 12:26 AM

Today, while attempting to open Mozilla Firefox, I received a message stating an error had occured.

Also, when opening the task manager, I received another error message. I had to restart my computer to fix this.

So I ran Spybot SD, ran a check, and Win32.Delf.uc that Spybot SD claims to be a Trojan. I'm sure that after deleting this it would come back after a startup.

I have no idea how this occured, can anyone here please help me?

Thank you.

BC AdBot (Login to Remove)

 


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:25 PM

Posted 18 January 2009 - 09:50 AM

http://www.bleepingcomputer.com/forums/ind...t&p=1097365

Would you run MBAM, pay special attention to directions regarding teatimer
Chewy

No. Try not. Do... or do not. There is no try.

#3 ifatkid

ifatkid
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 18 January 2009 - 04:25 PM

Thank you for the prompt reply.

Well I found Teatimer unchecked on my SpyBot SD nor a Teatimer on the startup, so I downloaded MBAM and here is what I got.

Malwarebytes' Anti-Malware 1.33
Database version: 1666
Windows 5.1.2600 Service Pack 3

1/18/2009 1:23:43 PM
mbam-log-2009-01-18 (13-23-43).txt

Scan type: Quick Scan
Objects scanned: 48380
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\Temp\VRRA43.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRRD.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Huang Han Lin\Local Settings\Temporary Internet Files\Content.IE5\A1IJIBEL\0032[1].exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Huang Han Lin\Local Settings\Temporary Internet Files\Content.IE5\A1IJIBEL\abb[1].txt (Trojan.Inject) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\restore.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:25 PM

Posted 18 January 2009 - 05:29 PM

let's try atfcleaner and SAS next

follow these directions exactly


http://www.bleepingcomputer.com/forums/ind...t&p=1096738

I am refering this thread to an expert
Chewy

No. Try not. Do... or do not. There is no try.

#5 ifatkid

ifatkid
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 18 January 2009 - 05:41 PM

Ok, well then shall I wait for an expert to review my log first?

#6 ifatkid

ifatkid
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 18 January 2009 - 08:13 PM

Ok, I followed the directions and got this scan.

THank you to whoever reviews this.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/18/2009 at 05:09 PM

Application Version : 4.24.1004

Core Rules Database Version : 3714
Trace Rules Database Version: 1689

Scan type : Complete Scan
Total Scan Time : 01:21:55

Memory items scanned : 161
Memory threats detected : 0
Registry items scanned : 4616
Registry threats detected : 12
File items scanned : 43716
File threats detected : 27

Rootkit.Dopper/ETH
HKLM\System\ControlSet001\Services\ethqyhle
C:\WINDOWS\SYSTEM32\DRIVERS\ETHQYHLE.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_ethqyhle
HKLM\System\ControlSet003\Services\ethqyhle
HKLM\System\ControlSet003\Enum\Root\LEGACY_ethqyhle
HKLM\System\CurrentControlSet\Services\ethqyhle
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ethqyhle

Rootkit.Agent/Haxdoor
HKLM\System\ControlSet001\Services\surrd
C:\WINDOWS\SYSTEM32\SURRD.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_surrd
HKLM\System\ControlSet003\Services\surrd
HKLM\System\ControlSet003\Enum\Root\LEGACY_surrd
HKLM\System\CurrentControlSet\Services\surrd
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_surrd
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1AE7C0EF-F45C-4C63-8899-2D0D10168862}\RP24\A0007833.SYS

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@2o7[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@2o7[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@account.live[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@account.live[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adopt.euroclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bs.serving-sys[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@insightexpressai[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@interclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@mediaplex[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnaccountservices.112.2o7[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnaccountservices.112.2o7[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@questionmarket[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[1].txt

Trojan.Dropper/Sys-NV
C:\WINDOWS\SYSTEM32\READER_S.EXE

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:25 PM

Posted 19 January 2009 - 07:57 AM

Would you update and run a new scan with MBAM


C:\WINDOWS\system32\drivers\mrxdavv.sys


this is a very nasty infection
Chewy

No. Try not. Do... or do not. There is no try.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,942 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:25 PM

Posted 19 January 2009 - 09:14 AM

IMPORTANT NOTE: One or more of the identified infections is related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your log in the thread titled "Post in this thread when you haven't received an answer in five days.".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 ifatkid

ifatkid
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 19 January 2009 - 02:50 PM

Oh man, I already reformatted just a week ago because of this Trojan Backdoor that my antivirus programs found.

Thank you for your help, I will post a topic and follow your instructions. Though I wonder how I got the same infection twice.

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:25 PM

Posted 21 January 2009 - 07:33 AM

2009-01-16 22:36 <DIR> --d----- c:\docume~1\huangh~1\applic~1\LimeWire


:thumbsup:

although it be'd nice to know how I got this virus for future safety.


Though I wonder how I got the same infection twice.


Malware is distributed by putting the installer in illegal P2P packages, people save them and reinfect their machines
Chewy

No. Try not. Do... or do not. There is no try.

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,942 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:25 PM

Posted 03 February 2009 - 10:35 AM

To expand on what DaChew said...Using any peer-to-peer (P2P) or file sharing program is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications. Read P2P Software User Advisories, Risks of File-Sharing Technology and P2P file sharing: Anticipate the risks....

Your DDS/Hijackthis log is posted here and you are already getting assistance.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users