Win32 Trojan Dropper Delf

Johncdaley · ‎07-18-2009

On running Ad-Aware, it found this trojan and then claimed to have removed it after being told to do so. I then re-booted and ran Norton 2009, which reported having removed all threats. I then re-ran Ad-Aware and it found the same trojan still there. I can't find a reference to a trojan with this exact name in the Norton threat finder, but I feel there must be some malware present in my PC for Ad-Aware to make this report. Ad-Aware support is no help! Does anyone have any suggestions?

delphinium · ‎11-21-2008

Johncdaley:

Is this an older free version of Adaware or a newer one with real-time antivirus scanning?

Also, please see if you can run a GMER log. Check all boxes. You will be able to attach the log using the "add attachments" link just below the post button. It always pays to check.

Please advise if you have NIS2009 or NAV2009 Or N360

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain

Johncdaley · ‎07-18-2009

I have the newer version of AdAware with realtime virus scanning.

I am using NAV2009.

Please pardon my ignorance, but what is a GMER log?

delphinium · ‎11-21-2008

Oops sorry Johncdaley:

I forgot the link

http://www.gmer.net/

When you have two real time scanners at the same time, it often causes conflicts, some of which are not obvious, but leave you more vulnerable than 1 real time and 1 or 2 on demand. It is recommended that Adaware be removed before we begin the repair as some anitivirus programs actually prevent the removal of the malware. If you have any other real time scanner on your machine, please remove it.

If you have trouble with the scan, all boxes checked, you do it in separate scans, half at a time, or attempt to get a scan in safe mode.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain

Johncdaley · ‎07-18-2009

Does that include removing NAV2009?

delphinium · ‎11-21-2008

Hi Johncdaley:

Leave Norton installed. Since this is a Norton forum, you need at least one Norton product, and it does seem to limit some of the actions of the malware. Leave whatever firewall you use installed as well provided it is a stand-alone firewall without an antivirus engine. That will also cause problems.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain

Johncdaley · ‎07-18-2009

Here is the GMER log. In Wordpad format for simplicity.

And, by the way, thanks for your interest.

delphinium · ‎11-21-2008

Johncdaley:

Could you please run a Sysprot scan for us. That is one unusual GMER. You will need to disable the auto protect in Norton for it to run.

Choose the report or log tab and HD and scan.

http://homepages.slingshot.co.nz/~crutches/SysProt

Also, can you please advise the name of the file that Adaware detected?

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain

Johncdaley · ‎07-18-2009

I am unable to find where I made a note of the names of the two files AdAware found. One was in %SYSTEMROOT% and the other in Win32.

I reinstalled AdAware and ran a scan so as to retrieve the names, but now AdAware finds no malicious objects.

So is there still any reason to run a Sysprot scan? Is there something in the GMER log that is of concern?

delphinium · ‎11-21-2008

Hi Johncdaley:

You have an abnormal GMER. It shows an abnormal termination in the ntoskrnl.exe, which might or might not be related to

a rootkit. Adaware might pick up some of the rootkit files which it has definitions for, which you are going to find in the systemroot and the system32, but it isn't going to be able to necessarily find or remove an active rootkit.

If we confirm that you do have one, Quads wll have to provide information and tools for you to accomplish it.

It's your call Johncdaley, it isn't as if we have a shortage of rootkits to remove.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain