trojan horse delf.jkh

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
AVG tells me I have trojan horse delf.jkh at
windows\system32\setup_u.exe.   When I remove this with AVG, it
re-instates itself.  Fast as I "heal" it, it comes back.  I've run
Malware, but it doesn't pick up delf.jkh.  I'm in the process of
scanning with SpyBot, but it's still scanning.  

Looking at my Windows\system32 files, the above file does not appear.
I have Windows\system32\setup1.exe, though.  I have hidden files set
to show.

Is there a way to remove this trojan?





--
Tony Cooper - Orlando, Florida

Re: trojan horse delf.jkh

On Mon, 30 Mar 2009 23:06:29 -0400, tony cooper wrote:

Quoted text here. Click to load it

Spybot S&D won't remove this trojan

Quoted text here. Click to load it

Yes.

Preferred practice is to 'flatten' and rebuild a computer that has been
exposed to malware.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
http://technet.microsoft.com/en-au/library/cc512595.aspx
 
Clean Install Windows XP
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand
--and--
http://www.michaelstevenstech.com/cleanxpinstall.html
--or-- (even better because its illustrated and more reader friendly)
How Do I Install WindowsXP
http://xphelpandsupport.mvps.org/how_do_i_install_windows_xp.htm

Step-By-Step Windows Vista: Installation
http://www.w-tweaks.com/html/windows_vista_setup__step_by_s.html

It is defenitely advantageous to create an 'image' of the operating system
and create a data/file backup of the affected PC.
The image can then restored to the impacted PC and the user's data/file is
subsequently restored to the operating system.

An experienced and properly prepared user can do that in substantial less
time than scanning with complex and sophisticated AV applications.

Alas, since many users are less prepared and/or lacking the experience;
Scanning with an AV apps. is the only option, unless the user consults a
computer technician.
If you're one of the many less-experienced users, try to go through the
succeeding steps 1-4:

1.Clear the (IE) temporary Internet files and the history cache.
Click 'Start' and then click 'Run'... then type (or copy/paste)
"inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK'
button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
all...' button then place a checkmark into the box beside 'Also delete
files and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2.Clean HDD
Click 'Start' and then click 'Run...' then type (or copy/paste) "cleanmgr"
(w/out quotation marks into the box, then click the 'OK' button. Select
your drive (presumably WinXP (C:) and click OK.
--or--
2a.Delete files using Disk Cleanup (if on Vista)
http://windowshelp.microsoft.com/Windows/en-US/help/1264bc24-72a8-48aa-84e3-a355327139d91033.mspx

3.Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
--or--
http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
--direct--
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
--direct--
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Both free versions of MBAM and SAS are on-demand scanners and offer no
'real-time' protection. Keep them installed and use them as
'second-opinion' scanner which is purposely (by design) recommended by
their respective authors.

*--And/Optional--*
Kaspersky® Virus Removal Tool
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool /
http://www.kaspersky.com/support/viruses/avptool?level=2

--and/optional--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit /

--and/optional--
a-squared (a²) Free or a-squared (a²) Command Line Scanner
http://www.emsisoft.com/en/software/download /

--and/optional--
BitDefender10 Free Edition (*NOT FOR VISTA*)
http://www.bitdefender.com/site/Downloads/browseEvaluationVersion/1/42 /

--and/optional
Sophos Anti-Virus (SAV32CLI), is a 32 bit free command line scanner used in
an emergency as a disinfection utility for Windows NT, Windows 2000,
Windows XP and Windows 2003.
To use the Sophos command line software follow the steps below:
a) Download SAV32CLI
http://downloads.sophos.com/tools/sav32sfx.exe
--and--
extract the contents by double clicking the file.
b) Add the latest virus identity files (IDE) to the folder; These can be
downloaded here:
http://www.sophos.com/downloads/ide /
c) Read Scanning Options with SAV32CLI.
http://www.sophos.com/support/knowledgebase/article/13252.html
See removing malicious files with SAV32CLI for basic information on virus,
spyware, Trojan and worm removal with SAV32CLI.
http://www.sophos.com/support/knowledgebase/article/13251.html

--and/optional--
David H. Lipman's MULTI_AV.EXE from the URL:
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free /

NOTE:
The above mentioned applications are not capable for real-time protection
of your computer; They are on-demand scanners.

Kaspersky® Virus Removal Tool, Dr.Web CureIt!® have no update feature (so
they don't turn into full blown scanners). As soon as your computer is
cleaned you are supposed to remove these tools from your operating system
and revert back to your (updated) resident (real-time) AV application.
Re: Kaspersky® Virus Removal Tool; To uninstall/move this program 'enable
self-defense' must be unchecked!

To scan your computer with the most up-to-date Kaspersky® AVPTool and
Dr.Web CureIT!® virus databases next time you should download new
Kaspersky® AVPTool and Dr.Web CureIt!® packages.

BitDefender10 Free Edition, a-squared Free or a-squared Command Line
Scanner, Sophos Anti-Virus (SAV32CLI) and the free version of Malwarebytes©
and SuperAntispyware have an update feature; You may wish to keep a couple
of them installed in addtion to your resident AV/A-S applications and scan
frequently.

After the software is updated, it is suggested scanning the system in Safe
Mode (this does not apply to MBAM).

"Malwarebytes actually performs better in Normal Mode" says Dustin Cook,
Malwarebytes Researcher of MBAM.

How do you boot to Safe Mode?
By pressing/tabbing F8 (or F5 on some keyboards) continually during
re-boot.

A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222
Alternatively:
Click Start==>Run... then type (or copy/paste) "msconfig" (without
quotation marks), click OK. Then click onto BOOT.INI tab and 'check'
/SAFEBOOT then OK and click Restart. To go back to Normal Mode, you must
access the System Configuration utility again and click the General tab
then click/check the radio button 'Normal Startup'- load all device drivers
and services'.

Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx
http://www.bleepingcomputer.com/tutorials/tutorial61.html

4.Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Additional references:
Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx
(Skip: Run an Online Scan of Your PC for Malicious Software).

How to optimize or reset Internet Explorer
http://support.microsoft.com/kb/936213
Applies to: Windows Internet Explorer in Windows Vista

How to use Reset Internet Explorer Settings (RIES)
http://support.microsoft.com/kb/923737
Read: "What you must know"
Applies to: Windows Internet Explorer for Windows XP and
Windows Internet Explorer 7 in Windows Vista

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php

For additional assistance in relation GMER scan results consult either:
http://www.thespykiller.co.uk/index.php?board=3.0
--or--
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17

CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application
MRUs, etc. ...(*Tune out the registry scanning/fixing option!*)
http://www.ccleaner.com/download/builds/downloading-slim

If Windows Defender is utilized go to Applications, under  Utilities
uncheck "Windows Defender" (so it won't delete the history of WD).
If you wish, click 'Options' button the 'Settings' [check] 'Run CCleaner
when the computer starts'.
--or--
Setup CCleaner to Automatically Run Each Night in Vista or XP
http://www.howtogeek.com/howto/windows-vista/setup-ccleaner-to-automatically-run-each-night-in-vista-or-xp /

Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Good luck :)

Re: trojan horse delf.jkh

On 03/30/2009 08:06 PM, tony cooper sent:
Quoted text here. Click to load it

Hello Tony:

Try MBAM first.  Please update this thread with your progress.

HTH

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: trojan horse delf.jkh

On 03/30/2009 08:06 PM, tony cooper sent:
Quoted text here. Click to load it

Hello Tony:

Try MBAM first.  Please update this thread with your progress.

HTH

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: trojan horse delf.jkh

wrote:

Quoted text here. Click to load it

I'm not sure what my progress is.  AVG has stopped presenting the
pop-ups saying that I have the trojan horse delf.jkh.  AVG is on, so
something's happened.

I scanned with every anti-virus program I have, and none of them came
up with either delf.jkh or anything in windows\system32\setup_u.exe.
There were a couple of adware bogies, but they always come up.

MBAM located (from the log) "Memory Modules Infected:
(No malicious items detected) Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RkHit
(Rogue.SpywareCease) ->

The problem I continue to have is that I keep getting booted out of
both Firefox and Internet Explorer.  I can get back, and stay in, but
I get that Windows has a problem message often enough for it to be
annoying.  Got the same thing for Skype, and I wasn't even using Skype
at the time.

Right now I'm in a holding pattern.  If Firefox (my primary service)
and IE keep kicking me off, I'll look further into this.  Haven't been
kicked out of Agent yet, or any of the Photoshop or Photography forums
I read.

The one step I've taken is to make sure my wife stops opening
attachments in email.  These are attachments sent with emails from
people she knows, but they are emails that have been forwarded from
people unknown.  You know, the "Oh, I love this poem and you have to
read it" type crap.







--
Tony Cooper - Orlando, Florida

Re: trojan horse delf.jkh

On 03/31/2009 07:42 PM, tony cooper sent:
Quoted text here. Click to load it

Looks like you're system isn't perfectly clean.

Try the freeware version of SAS too:

   <http://www.superantispyware.com/

SAS is also very well regarded in these newsgroups.

Quoted text here. Click to load it

Can you please elaborate on the exact definition of "booted out" and
"kicking me off".  Please be very precise.

Also, is \WINDOWS\System32\setup_u.exe still being recreated?

Quoted text here. Click to load it

Thank you.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: trojan horse delf.jkh

On 03/30/2009 08:06 PM, tony cooper sent:
Quoted text here. Click to load it

Hello Tony:

Try MBAM first.  Please update this thread with your progress.

HTH

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: trojan horse delf.jkh - Another Impersonation

says...
Quoted text here. Click to load it

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: trojan horse delf.jkh - Another Impersonation

On 03/31/2009 02:41 PM, Leythos sent:
Quoted text here. Click to load it

Hello Leythos:

1) Hopefully I haven't been imitated so far.

2) I apologize to all for the post flooding.  My send path through Motz
seemed to go down for a bit.  I'm starting to look like those posting
through Microsoft, huh?

I hope all is well with you.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Site Timeline