#1
Newbie

Can anyone help me with this problem I'm having... my internet security has detected a new threat but I can't disinfect it... I'm not sure what to do...

It says: Running module contains Trojan program and cannot be disinfected. Trojan Program: Trojan.Win32.Delf.bon Running module: C:\Program Files\Internet Explorer\svchost.exe...

I've checked numerous virus/trojan/malware and such sites but it says virus not found.. therefore I assume it's a new one... does anyone know how to get rid of it.. Btw I'm using Windows Vista Ultimate... and my internet security is Kaspersky Internet Security (7.0.1.325), it is up to date and everything is fine... please help!!

My computer specs: P35C-DS3R, Intel C2D E6850, 2gb OCZ 800mhz ram, 500Gb 7200rpm WD HDD, Gecube ATI HD2600XT, Vista Ultimate with SP1, Kaspersky (7.0.1.325). If you need to know anything else do not hesitate to ask... my mobile is ******** or email/talk to me at xxassassinx.14@hotmail.com, thank you, or just leave a message, thank you

Last edited by stuartbe; 21-11-2008 at 11:52 PM. Reason: Removed Mobile Number - Stuartbe

#2
Founder
Join Date: Nov 2005
Location: The Last City Zion!
Posts: 2,684
Thanks: 228
Thanked 230 Times in 191 Posts
Rep Power: 53
Re: HELP!!! - Please help to remove Trojan.Win32.Delf.bon
Hi,
We need to manually remove the file 'C:\Program Files\Internet Explorer\svchost.exe' and its associated registry entries. Can you download HijackThis, run it and post the log file here? http://www.merijn.org/files/HiJackThis_v2.exe

Last edited by Strider; 12-04-2008 at 12:52 PM.

#3
Founder
Re: HELP!!! - Please help to remove Trojan.Win32.Delf.bon
On second thought, you can give a quick try to manually remove this virus. Please follow the instructions below:

1. Reboot your computer. Keep pressing F8 to enter safe mode.
2. Log in as any Admin user and delete the file:
Quote:
Quote:
HKCU : HKEY_CURRENT_USER
4. Reboot in normal mode.

#4
Newbie
Re: Help to remove Trojan.Win32.Delf.bon -C:\Program Files\Internet Explorer\svchost.exe
Here is the log file.... I tried your second method however the svchost file doesn't seem to exist, I cannot find it.... My net is really slowing down... it's a 1500kbps plan but it's like dial up....
Log File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:41 PM, on 12/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchgateway.net/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search-...ORID%3A11&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowserConnector Object - {0D84AC30-5186-4CD9-8FD8-4A1382D5F0F3} - C:\Windows\system32\tuiole.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LiveUpdate] C:\Program Files\Byteswarm\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - AppInit_DLLs: C:\Windows\system32\updd.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

-- End of file - 8192 bytes
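
An added example, not part of the original thread or of HijackThis: a short parser for the log's O23 service entries that flags a service whose image is named like a Windows system binary but sits outside System32, which is how the MyDNS entry above stands out. The list of system image names and the function name are assumptions made for this example.

```python
import re

# Image names that Windows only runs from System32 (short list assumed for this example).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIR = r"c:\windows\system32"

# HijackThis layout: O23 - Service: <display> [(<name>)] - <owner> - <path> [(file missing)]
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)

def masquerading_services(log_text):
    """Return O23 services whose image is named like a system binary but lives elsewhere."""
    findings = []
    for line in log_text.splitlines():
        m = O23.match(line.strip())
        if not m:
            continue  # not a service entry
        folder, _, image = m["path"].rpartition("\\")
        if image.lower() in SYSTEM_NAMES and folder.lower() != SYSTEM_DIR:
            findings.append({
                # The short name in parentheses is the one `sc` commands take.
                "service": m["name"] or m["display"],
                "owner": m["owner"],
                "path": m["path"],
                "file_missing": m["missing"] is not None,
            })
    return findings

# Four O23 lines copied from the HijackThis log in the post above.
SAMPLE = r"""
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for f in masquerading_services(SAMPLE):
        print(f"{f['service']}: {f['path']} (owner: {f['owner']})")
```

"Unknown owner" alone is not used as a signal here, since PnkBstrA carries the same label while sitting in System32 under its own name.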

#5
Founder
Re: Help to remove Trojan.Win32.Delf.bon -C:\Program Files\Internet Explorer\svchost.exe
Quote:
Quote:
You can try the following command to remove the hidden and system attributes of the file. Check it in safe mode.
Quote:

In addition to this, download Spybot - Search & Destroy and do a scan. http://www.safer-networking.org/en/download/index.html

I also recommend installing a firewall like ZoneAlarm free, in Interactive mode, to keep track of the programs using your internet connection. http://www.zonealarm.com/store/conte...ku_list_za.jsp

Last edited by Strider; 12-04-2008 at 01:25 PM.

#6
Newbie
Hmm... atm... I've downloaded Spybot and scanned it first.... it comes up with 3 problems... they all are registry changes and all of them are HKEY_USERS and Spybot mentions that they are all to do with Microsoft Internet Explorer...

EDIT: also on Spybot it says that the three problems are adware... Company: - Product: ShowBehind Threat: Adware

By the way.... won't the ZoneAlarm firewall conflict with my Kaspersky firewall or my Windows Vista firewall? I'm currently using the Kaspersky firewall.

OKAY!! This is getting out of hand.... it seems Spybot found the THREE trojans... all in the same place... it fixed the problems or so I thought... until Kaspersky popped up saying that the location of ShowBehind was password protected... so the three threats are showing on Kaspersky still and again on Spybot.... man this is stuffed bad

Hey Strider... I've tried all those methods including the safe mode one... the file can be found however I'm still getting the problem from Kaspersky saying Trojan Program: Trojan.Win32.Delf.bon Running module: C:\Program Files\Internet Explorer\svchost.exe

Last edited by bakuryu; 12-04-2008 at 03:04 PM.

#7
ƒ(ψ)=ΘΊΧφ
Re: Help to remove Trojan.Win32.Delf.bon -C:\Program Files\Internet Explorer\svchost.exe
Download KillBox. Browse and select that file, and choose to Delete on reboot, then perform a reboot.

Or you can open services.msc, find the service Window Net Dns (MyDNS) and set it to disabled. Then stop the service and delete the file. Note down the service name, open a command prompt and type: sc delete <service name>

And DISABLE System Restore and run a scan.

And yes, having more firewalls will conflict. Disable the Vista firewall if you use the one from Kaspersky or ZoneAlarm.

#8
Newbie
Re: Help to remove Trojan.Win32.Delf.bon -C:\Program Files\Internet Explorer\svchost.exe
Thanks bakuryu, the KillBox was effective in eliminating the trojan virus.

#9
Newbie
Re: Help to remove Trojan.Win32.Delf.bon -C:\Program Files\Internet Explorer\svchost.exe
Well it seems not..... the next day when I turned on the computer... my internet security did another scan as usual and it detected the trojan again... same one as usual.... is there no possible way to get rid of this...

#10
ƒ(ψ)=ΘΊΧφ
Re: Help to remove Trojan.Win32.Delf.bon -C:\Program Files\Internet Explorer\svchost.exe
Did you disable System Restore and run the scan?
Also run a full system scan on all the partitions.