TrojanClicker.Win32.Delf.r

Discussion in 'Trojan Defence Suite' started by Skookum, Oct 2, 2004.

Thread Status:
Not open for further replies.
  1. Skookum

    Skookum Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    10
    Any information on this Trojan? TDS was the only database to define and catch this Trojan. This is great software :cool:
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If you have that one then you will almost certainly have a lot more.

    It almost always comes bundled with several other adware, pop-up-causing pieces of scum.

    I would suggest, apart from running TDS (which is mainly an anti-trojan, though it does find and deal with a lot of spyware/adware), also running a specific adware cleaner like Spybot or Ad-Aware:

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware SE from http://www.lavasoft.de/support/download
     
  4. Skookum

    Skookum Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    10
    Re: TrojanClicker.Win32.Delf.r and Stealth Virus

    Yuppers, I used MicroWorld eScan and KAV Personal Pro and found several suspect files, which leads me to this.
    Kaspersky Inspector seems to keep finding "Stealth Virus". I'm just a bit confused about this issue as the file names keep changing. I'm wondering if this could be a real problem or a series of false alarms. In an effort to ferret out the buggers I ran TDS-3 at the same time in hopes of catching a memory resident, but no such animal. I'm new to the KAV AV so it could be my config. Any thoughts on this issue?

    The file extensions seem to be BMP, TMP and DAT, and some of the files didn't seem to be in the location referenced by the scan. Nor did they exist. Yet some did. My aching head o_O

    I would love to see Diamond take on the challenge of the Stealth Virus.
    They, you, create very solid software. Have used TDS-3 for several years now
    and it's saved my bacon more than a couple of times. ;)
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You did make sure all folder options are set to display all files and extensions, nothing hidden anymore?
    Where are the files located, or where should they be? System Restore, recycle bins, temp files, caches, all that you'll have cleansed out I suppose, so what is left?
     
  6. Skookum

    Skookum Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    10
    Wow, that was quick:
    Yes, I changed the registry entries to show all hidden and super-hidden files. The hits were in a variety of locations, for instance *.*\Nforce\setup.bmp, *.*Adobe\ATMlite\setup.bmp, C:\Winnt\System32\IAS\IAS.MDB, *.*\Local\Temp\DF6876.tmp, and also a couple of images like *.*\Duvall.bmp & *.*\Home.bmp. These I deleted, but before I deleted them I ran them through Kaspersky's on-site scan and they came up clean.
    The file I couldn't find was C:\Winnt\System32\PED0D6~1.Dat. Couldn't even find the PED0D6 part of the long file name.
    The puzzler is each scan, and I ran several, would pop with a different file name. Hmmmmm o_O Are these files morphing?
    After the Tylenol kicks in I'm gonna go at it again.

    A note: Before I ran Kaspersky Inspector, I ran the KAV on-demand scan, which scanned nearly 800,000 files and came up clean. This includes archives and compressed files. I also removed any password-protected files from the machine to remove that variable. One loophole is the I/O errors. I think there were 17 or so. As I'm new to Kaspersky Personal Pro, I'm not up to speed yet on all its bells and whistles.

    I would like to thank you for your prompt response. :)
    Take care
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And TDS alarmed on those files? Did it alert earlier on them, and were there recent modification dates on the files?
    If you can find copies of them, can you please submit them another time to TDS at submit@diamondcs.com.au, just to make sure?
    There might be false positives, maybe not, but to avoid that it is best to submit them.
     
    Last edited: Oct 10, 2004
  8. Skookum

    Skookum Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    10
    No, TDS didn't; Kaspersky Inspector did.
     
  9. FanJ

    FanJ Guest

    Have you run AdAware and Spybot as Derek advised ?
     
  10. FanJ

    FanJ Guest

    Re: TrojanClicker.Win32.Delf.r and Stealth Virus

    Usually a file-integrity checker, like Inspector, does not give false alarms.
    Well, that is at least my experience with a similar program, ADinf32 Pro.
    They simply tell you that a file has changed (changed, deleted or added).
    It is up to the user to decide whether such a change is legitimate or malicious.
     
  11. Skookum

    Skookum Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    10
    Stealth Virus: this may be a new thread

    The Kaspersky Inspector gave me a Stealth Virus alert for PED0D6~1.DAT, file size 16384 kb.
    This turned out to be Perfib_Perfdata_628.dat in C:\WINNT\System32\

    When discovered, i.e. by my using file operations, the file kept reproducing itself as .dat files, then changed to a .tmp extension. Size is the one constant, that being 16384 kb. Some of the file names are
    {MSIMGIZ.dat, Index.dat} {~DF274D.tmp, ~DF37D7.tmp and several other ~DF followed by an integer}

    Noticed something interesting. There are other files of like names and different sizes:

    ~DFEAA9.tmp is 49152 kb, or 3 times 16384 kb
    Created: Friday, October 01, 2004, 5:46:41 PM
    Accessed: Yesterday, October 10, 2004, 11:47:47 PM

    ~DF3998.tmp is 81920 kb, or 5 times 16384 kb
    Created: Monday, October 04, 2004, 9:12:41 PM
    Accessed: Yesterday, October 10, 2004, 11:47:47 PM

    There are 12 variations of ~DF3998.tmp, such as ~DF4658.tmp and other integers
    with the ~DF lead-in, on my machine, all created at different times and
    all accessed yesterday, October 10, 2004, 11:47:47 PM.

    That's when I was running file search operations by size and extension on the 16384 kb files and deleting them.

    Looks like this file adapts to various methods of locating and removing it.

    I did manage to get a couple of files onto a 3.5" floppy for research on the thing.

    Looks like I have my work cut out for me :eek:
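
    The baseline-and-compare behaviour FanJ describes in post 10 (record every file, then report what was added, deleted or changed, and leave the verdict to the user) together with the search-by-size-and-extension that post 11 describes, as an added example that is not part of the original thread and is not Kaspersky Inspector's or ADinf32's code. It assumes a constructed directory tree with made-up file names (app.dll, readme.txt, ~DFEAA9.tmp) and a hypothetical baseline.json location; nothing in it comes from the poster's machine.

```python
"""Baseline-and-compare file-integrity check (added example, not the thread's code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Record size, mtime and SHA-256 for every regular file below root.

    Keys are POSIX-style relative paths so two snapshots of the same tree
    compare cleanly regardless of drive letter or mount point.
    """
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # only regular data files; links and specials are skipped
            st = path.stat()
            entries[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_of(path),
            }
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way an integrity checker reports them.

    This decides nothing about whether a change is malicious; it only
    surfaces what is new, gone, or different since the baseline was taken.
    """
    before, after = set(baseline), set(current)
    changed = sorted(
        p for p in before & after if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {
        "added": sorted(after - before),
        "deleted": sorted(before - after),
        "changed": changed,
    }


def find_by_size(entries: dict, size: int, suffixes=(".tmp", ".dat")) -> list:
    """Files whose size is a non-zero exact multiple of `size` with one of the suffixes."""
    return sorted(
        p for p, info in entries.items()
        if info["size"] and info["size"] % size == 0 and p.lower().endswith(suffixes)
    )


def save_snapshot(entries: dict, dest: Path) -> None:
    dest.write_text(json.dumps(entries, indent=1, sort_keys=True))


def load_snapshot(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> tuple:
    """Build a constructed tree, baseline it, mutate it, and compare (all made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "system32").mkdir(parents=True)
        (root / "system32" / "app.dll").write_bytes(b"A" * 16384)
        (root / "system32" / "readme.txt").write_bytes(b"hello")
        baseline_file = Path(tmp) / "baseline.json"  # hypothetical store, kept outside the tree
        save_snapshot(snapshot(root), baseline_file)

        # Same size, different bytes: a size or timestamp check alone would miss this.
        (root / "system32" / "app.dll").write_bytes(b"B" * 16384)
        (root / "~DFEAA9.tmp").write_bytes(b"\x00" * 49152)  # 3 x 16384, like post 11
        (root / "system32" / "readme.txt").unlink()

        current = snapshot(root)
        report = compare(load_snapshot(baseline_file), current)
        return report, find_by_size(current, 16384)


if __name__ == "__main__":
    print(demo())
```

    Calling demo() returns the report and the size search together. A "changed" entry means the bytes differ even where size and timestamp are unchanged, which is why a search by size and extension is a way to find candidates but not a substitute for a stored baseline; and, exactly as FanJ says, the report still needs a person to decide which of those changes are legitimate.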
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  13. Skookum

    Skookum Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    10
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The unstsa2.exe filename comes in several infections, like this one
    http://sarc.com/avcenter/venc/data/pf/adware.blazefind.html
    among others, where there's an uninstall help link if it is this one.
    But it's mentioned as part of the original trojan you started the thread with, for which I gave you the link in my first reply.

    If your infection came from that link, I'm not going to visit there in the forum. How did you get infected there? Was it something you downloaded there, or is the forum itself infected and spreading the malware? In the latter case we'll remove your URL.
     
    Last edited: Oct 12, 2004
  15. Skookum

    Skookum Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    10
    Hi:
    The software had to come from a DL site, perhaps DivX, as they install GAIN, commonly known as Gator. I didn't read the EULA until later, and after reading the EULA I removed the software. A bit late, I might add. Frikin Gator anyway. Can't stand those creeps. You can bet I read these EULAs now.
    After TDS found the trojan I checked the info in the property pages to get the owners of the software, Kalptaru IT Ltd. Went to their site and asked:

    "What's the story? My trojan scan found a TrojanClicker.Win32.Delf.r in your file unsta2.exe."
    Had a response within a couple of hours.
    "Most probably these are some rogue software that somebody is distributing using our names. Although we are not able to identify who these people are, we have prepared step-by-step instructions to remove these kinds of software. Please visit this URL http://www.a2zhelp.com/forum/forummessages.asp?id=17 It will help you remove these kinds of software in the future too.
    We are an outsourced software development company and we don't promote or distribute these kinds of malicious or irritating software. We have reported this situation to the proper authorities and they are working on finding out the source of this problem."


    The red text (shown here in quotation marks) are quotes. I had never heard of KIT Ltd prior to this. It's a jungle out there. Knowledge is your best protection.
     