TrojanClicker.Win32.Delf.r


Skookum
October 2nd, 2004, 08:22 AM
Any information on this Trojan? TDS was the only database to define and catch this Trojan. This is great software 8)

Jooske
October 2nd, 2004, 09:00 AM
Hi Skookum and welcome to the forum!
http://www.pestpatrol.com/pestinfo/t/trojanclicker_win32_delf_r.asp
Here you see the info I found about it.
(still must get used to the new layout of the PestPatrol pages :) )
If I read it right so quickly, it could be a dialer.
Yes, TDS is great software, thousands of people use it!

dvk01
October 2nd, 2004, 10:42 AM
If you have that one then you will almost certainly have a lot more.

It almost always comes bundled with several other adware pop-up-causing pieces of scum.

I would suggest, apart from running TDS (which is mainly an anti-trojan, though it does find and deal with a lot of spyware/adware), also running a specific adware cleaner like Spybot or Ad-Aware.

Spybot - Search & Destroy from http://security.kolla.de
AdAware SE from http://www.lavasoft.de/support/download

Skookum
October 10th, 2004, 10:57 AM
Yuppers, I used Microworld eScan and KAV Personal Pro and found several suspect files, which leads me to this.
Kaspersky Inspector seems to keep finding "Stealth Virus". I'm just a bit confused about this issue as the file names keep changing. I'm wondering if this could be a real prob or a series of false alarms. In an effort to ferret out the buggers I ran TDS3 at the same time in hopes of catching a memory resident, but no such animal. I'm new to the KAV AV so it could be my config. Any thoughts on this issue?

The file extensions seem to be BMP, TMP and DAT, and some of the files didn't seem to be in the location referenced by the scan. Nor did they exist. Yet some did. My aching head ???

I would love to see Diamond take on the challenge of the Stealth Virus.
They, you, create very solid software. Have used TDS3 for several years now
and it's saved my bacon more than a couple of times. ;)

Jooske
October 10th, 2004, 12:38 PM
You did make sure all folder options are set to display all files and extensions, nothing hidden anymore?
Where are the files located, or where should they be? System Restore, recycle bins, temp files, caches, all that you'll have cleansed out I suppose, so what is left?

Skookum
October 10th, 2004, 02:08 PM
Wow that was quick:
Yes, I changed the registry entries to show all hidden and super-hidden files. The hits were in a variety of locations, for instance *.*\Nforce\setup.bmp , *.*Adobe\ATMlite\setup.bmp , C:\Winnt\System32\IAS\IAS.MDB , *.*\Local\Temp\DF6876.tmp, also a couple of images like *.*\Duvall.bmp & *.*\Home.bmp. These I deleted, but before I deleted them I ran them through Kaspersky's on-site scan and they came up clean.
The file I couldn't find was C:\Winnt\System32\PED0D6~1.Dat. Couldn't even find the PED0D6 part of the long file name.
The puzzler is each scan, and I ran several, would pop with a different file name. Hmmmmm ??? Are these files morphing?
After the Tylenol kicks in I'm gonna go at it again.

A note: Before I ran Kaspersky Inspector, I ran the KAV on-demand scan, which scanned nearly 800,000 files and came up clean. This includes archives and compressed files. I also removed any password-protected files from the machine to remove that variable. One loophole is the IO errors. I think there were 17 or so. As I'm new to Kaspersky Personal Pro, I'm not up to speed yet on all its bells and whistles.

I would like to thank you for your prompt response. :)
Take care

Jooske
October 10th, 2004, 02:40 PM
And TDS alarmed on those files? Did it alert earlier on them, and were there recent modification dates on the files?
If you can find copies of them, can you please submit them another time to TDS submit@diamondcs.com.au just to make sure?
There might be false positives, maybe not, but to avoid that best submit them.

Skookum
October 10th, 2004, 03:05 PM
No, TDS didn't; Kaspersky Inspector did.

FanJ
October 10th, 2004, 03:45 PM
Have you run AdAware and Spybot as Derek advised ?

FanJ
October 10th, 2004, 03:53 PM
Quote: "Kaspersky Inspector seems to keep finding "Stealth Virus". I'm just a bit confused about this issue as the file names keep changing. I'm wondering if this could be a real prob or a series of false alarms."

Usually a file-integrity-checker, like Inspector, does not give false alarms.
Well, that is at least my experience with a similar program, ADinf32 Pro.
They simply tell you that a file is changed (changed, deleted or added).
It is up to the user to decide whether such a change is legitimate or malicious.
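The behaviour FanJ describes, as an added example that is not part of the thread: a minimal baseline-and-compare integrity checker in Python. It hashes every file under a directory, then reports what was added, deleted or changed since the baseline; it deliberately says nothing about whether a change is malicious. The directory layout and file names in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to (size, sha256)."""
    table = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            table[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return table


def diff_snapshots(baseline, current):
    """Report added, deleted and changed files; the judgement of malice is left to the user."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        # A file whose size is unchanged but whose hash differs still counts as changed.
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario in a temp dir: one edit, one add, one delete since the baseline."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root)
        (d / "System32").mkdir()
        (d / "System32" / "ias.mdb").write_bytes(b"A" * 32)
        (d / "setup.bmp").write_bytes(b"B" * 32)
        (d / "readme.txt").write_bytes(b"hello")
        baseline = snapshot(root)
        # Edit setup.bmp keeping the same size, delete readme.txt, drop in a new .DAT file.
        (d / "setup.bmp").write_bytes(b"B" * 31 + b"X")
        (d / "readme.txt").unlink()
        (d / "System32" / "PED0D6~1.DAT").write_bytes(b"\0" * 64)
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Because the checker keys on content hashes rather than size, a rewrite that leaves the size intact is still reported as changed.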

Skookum
October 11th, 2004, 05:04 AM
The Kaspersky Inspector gave me a Stealth Virus alert for PED0D6~1.DAT, file size 16384 kb.
This turned out to be Perfib_Perfdata_628.dat in C:\WINNT\System32\

When discovered, i.e. my using file operations, the file kept reproducing itself as .dat files, then changed to a .tmp extension; size is the one constant, that being 16384 kb. Some of the file names are
{MSIMGIZ.dat , Index.dat} { ~DF274D.tmp , ~DF37D7.tmp and several other ~DF followed by an integer}

Noticed something interesting. There are other files of like names and different sizes.

~DFEAA9.tmp is 49152 kb or 3 times 16384 kb
Created: Friday, October 01, 2004, 5:46:41 PM
Accessed: Yesterday, October 10, 2004, 11:47:47 PM

~DF3998.tmp is 81920 kb or 5 times 16384 kb
Created: Monday, October 04, 2004, 9:12:41 PM
Accessed: Yesterday, October 10, 2004, 11:47:47 PM

There are 12 variations of ~DF3998.tmp, such as ~DF4658.tmp and other integers
with the ~DF lead-in, in my machine, all created at different times and
all accessed yesterday, October 10, 2004, 11:47:47 PM.

That's when I was running file search operations by size and extension, on the 16384 kb files, and deleting them.

Looks like this file adapts to various methods of locating and removing it.

I did manage to get a couple of files onto a 3.5 floppy for research on the thing.

Looks like I have my work cut out for me :o

dvk01
October 11th, 2004, 07:55 AM
Skookum

See my reply here:
http://www.wilderssecurity.com/showthread.php?p=273844&posted=1#post273844

Skookum
October 11th, 2004, 09:40 AM
Try this link. This is from Kalptaru Infotech Ltd, where my infected file, unstsa2.exe, came from:

HTTP://www.a2zhelp.com/forum/forummessages.asp?id=17

Hope this helps you out 8)

Jooske
October 12th, 2004, 01:34 AM
The unstsa2.exe filename comes in several infections, like this
http://sarc.com/avcenter/venc/data/pf/adware.blazefind.html
among others, where there's an uninstall help link if it is this one.
But it's mentioned as part of the original trojan you started the thread with, for which I gave you the link in my first reply.

If your infection came from that link I'm not going to visit there in the forum. How did you get infected there? Was it something you downloaded there, or is the forum itself infected, spreading the malware? In the latter case we'll remove your URL.

Skookum
October 14th, 2004, 09:29 AM
Hi:
The software had to come from a DL site, perhaps DivX, as they install GAIN, commonly known as Gator. I didn't read the EULA until later, and after reading the EULA I removed the software. A bit late, I might add. Frikin Gator anyway. Can't stand those creeps. You can bet I read these EULAs now.
After TDS found the trojan I checked the info in the property pages to get the owners of the software, Kalptaru IT Ltd. Went to their site and asked:

"What's the story? My trojan scan found a TrojanClickerWin32.Delf.r in your file unsta2.exe."
Had a response within a couple of hours:
"Most probably these are some rogue software that somebody is distributing using our names. Although we are not able to identify who these people are, we have prepared step by step instructions to remove these kind of software. Please visit this url http://www.a2zhelp.com/forum/forummessages.asp?id=17 It will help you remove these kind of software in the future too.
We are an outsourced software development company and we don't promote or distribute these kind of malicious or irritating software. We have reported to proper authorities about this situation and they are working on finding out the source of this problem."

The red text is quoted. I had never heard of KIT Ltd prior to this. It's a jungle out there. Knowledge is your best protection.