FALSE POSITIVE Trojan.Delf.nl

Discussion in 'ewido anti-spyware forum' started by gorgelink, Nov 3, 2006.

Thread Status:
Not open for further replies.
  1. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Hi,

    I would like to report a false positive.

    AVG Antispyware misidentifies a completely legitimate

    C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

    as a Trojan.Delf.nl

    Anyone come across a similar problem?

    Take care, y'all.

    G.
     
  2. kayjay1

    kayjay1 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    10
    Yes, I posted the same trojan on the previous thread but I wasn't sure if it was legitimate or not. Glad I saw your post.
     
  3. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Thanks and sorry! Fixed in the latest update!
     
  4. porty

    porty Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    48
    Yep, Ewido just found the same Trojan.Delf.nl on two machines today. Both pcs appear to have the latest Ewido updates, so I'll wait until tomorrow to see if a later update fixes the prob.
     
  5. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    505,226 threats in database?
     
  6. porty

    porty Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    48
    Yes, that number is correct. The detection on one (new) pc occurred at first internet bootup about two hours ago.

    On the other machine, Ewido must have picked it up while running unattended over the last few hours, as it wasn't there at bootup this morning (9am NZ time).

    Just now running a full scan to see what is detected. About halfway through and nothing except cookies so far.
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Ah ok, it should definitely not be detected again :)
     
  8. porty

    porty Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    48
    You're right, Peter. The full check showed nothing except cookies and a subsequent reboot showed no alarm on startup.

    Thanks :--));)
     
  9. Stu2

    Stu2 Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    7
    Umm, Peter (or other wise person), can you advise? I also got the report of Delf.nl and so I clicked Quarantine. Subsequently the computer will not boot all the way into XP. Any advice?

    Stu
     
  10. porty

    porty Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    48
    Are you sure you just selected 'Quarantine' for the file?

    Or did you select 'Delete' or something similar?

    As this detection of a 'bad' winlogon.exe is definitely a false positive, I'm wondering if you managed to delete winlogon.exe altogether?

    It would be unusual, because normally, if you delete winlogon.exe, it'll regenerate on a reboot.

    If, for some reason it isn't regenerating, and you have System Restore turned on, do a System Restore to the point when everything was going well. Hopefully, all will return to normal :--))

    Good Luck!
     
  11. Stu2

    Stu2 Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    7
     
  12. porty

    porty Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    48
    When the PC begins to boot up, keep hitting the F8 key, which should get you a menu screen where you can select 'Safe Mode'. If you can get into Windows this way, you'll be able to use System Restore to take you back to an earlier time.

    This, of course, is provided that you had System Restore turned on to begin with :cautious:

    If you can't get in through Safe Mode, but System Restore IS on, about the only way I know to do it is with a Winternals prog called ERD Commander, which bypasses Windows almost entirely by booting from a CD, and which can enable you to carry out a lot of repair operations, including System Restore.

    Good luck :)
     
  13. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    First of all, sorry for the inconvenience! To restore the file, you have to boot from a Windows XP CD (matching your service pack, I think you haven't installed any) and go to the Recovery Console. When you are there, please type in the following command:

    expand d:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe

    (If the paths do not match your system configuration, please adjust them accordingly. However, the letter of your CD-ROM drive can be different in the console than in Windows.)

    After that your system should be booting again. In general, you are strongly advised to install SP2 and all hotfixes, as it looks like you don't even have SP1 installed :( (the false positive only occurred on SP0 winlogon files).
     
  14. Stu2

    Stu2 Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    7
    Thanks for your help, Peter. Unfortunately I have not yet had success. Sorry to be long-winded, but I should explain some background. I inherited the computer as part of a split with my ex-wife, so I know little of its history (and you can tell I am not an expert). The official Windows CD I have is printed as SP1, but I cannot be sure if that was indeed what was installed.

    expand d:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe
    (If the paths do not match your system configuration, please adjust them accordingly. However, the letter of your CD-ROM drive can be different in the console than in Windows.)

    I attempted this, and got the message
    unable to create the file winlogon.exe
    no files expanded

    I wondered if the commands are case-sensitive? Also, as I say, my CD is printed as SP1, and you suggest SP0 is installed - could that be the problem?
    Finally, just now (and the computer in question is 12 km away), I noted what you wrote about the letter of the CD-ROM drive in the console. In fact, in the console the prompt was C> so maybe I need to use c:\ for both source (CD) and destination (hard drive) o_O? Or should I be seeking an SP0 CD from a friend?

    will do when system comes back

    As explained above, I am not really sure, but the CD says SP1


    thanks again

    Stu
     
    Last edited by a moderator: Nov 14, 2006
  15. Stu2

    Stu2 Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    7
    Finally, just now (and the computer in question is 12 km away), I noted what you wrote about the letter of the CD-ROM drive in the console. In fact, in the console the prompt was C> so maybe I need to use c:\ for both source (CD) and destination (hard drive) o_O?

    NOPE! Went home and tried that: The system can't find the file or directory specified :(
     
  16. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Do you have more than one hard disk? Or more than one partition? If so, the CD drive could have a different letter. You can try by changing to all possible letters and making a directory listing ("dir"). If you can see a folder "i386", it's the CD :)
     
  17. Stu2

    Stu2 Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    7
    OK

    I also tried plugging in a USB flash drive, but this did not appear to be recognised.


    By the way, I said earlier that the CD has a sticker SP1 - in fact it is SP1a
     
  18. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    What's your Windows directory? C:\Windows?
     
  19. Stu2

    Stu2 Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    7
    yes, it is.

    And I did try (more than once, and on several days) expand d:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe

    That's where it said "unable to create file winlogon.exe".

    [in earlier message Stu said] I was even able to copy the winlogon.ex_ to drive c: (I just put it on c:, not in the windows directories, thinking that may be wiser)

    Stu now points out: note that was by the "copy" command, not "expand", and the file copied was winlogon.ex_ (whatever that .ex_ means), not winlogon.exe - so that's why I didn't mess with the Windows directory. I had even wondered if "expand" might work better after that copying to the hard drive.
     
  20. Stu2

    Stu2 Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    7
    Problem is finally fixed. If anyone comes across it, the solution is very similar to what was originally posted by Peter:

    PETER::
    First of all, sorry for the inconvenience! To restore the file, you have to boot from a Windows XP CD (matching your service pack, I think you haven't installed any) and go to the Recovery Console. When you are there, please type in the following command:

    expand d:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe
    EXCEPT THAT the "expand" command did not work! Through much trial and error I finally found that

    copy d:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe

    FIXED THE PROBLEM!
     