! be.Delf trojan prob (w/HijackThis .log info)

PackRat2112

A friend of mine has encountered the be.delf trojan and I can't
figure out how to remove this pesk.

She runs XP Pro on an old Pentium 333.

I ran AVG on the system; it finds it in some obscure place, I
delete it.

Then I ran Ad-Aware 6.0 and it found 541 (wow) entries. Deleted
that mess, ran it again, it found 13 entries (none seemingly
that have anything to do with "delf"), deleted those.

Then I ran Spider Bite. I didn't see anything; I restarted the
system.

Ran Ad-Aware again, it found 2 entries (none seemingly that
have anything to do with "delf"), deleted.

Ran Spybot and it stopped running about halfway through the
process. <Ctrl-Alt-Del>, end program.
Tried again... same thing.

Looking around in here I saw something about "HijackThis" having
to do with a different "delf" variety, and they said to post the
.log details and maybe someone could figure out what to delete and
hopefully the whole process of getting rid of this, 'cause I
haven't a clue.

So, here's the log info. (I know it's quite long, but what can I
say.)

Could someone help me with this, please?

TIA.



Logfile of HijackThis v1.97.6
Scan saved at 11:48:34 AM, on 11/13/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\SearchUpdate33.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\IEDriver\IEDriver.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alset\HelpExpress\ME\HXDL.EXE
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\HEWLET~1\hpis\common\MOTIVE~1.EXE
C:\Documents and Settings\ME\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50003
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: (no name) - {719D6C8D-73C4-4372-847F-4A5C9FC50CD6} - C:\WINDOWS\System32\h32c3msp.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2846} - C:\WINDOWS\System32\SEARCH~1.DLL
O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PP5300usb] c:\paprport\FBDirect.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [SearchSquire33] C:\WINDOWS\System32\SearchUpdate33.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\RunServices: [ZipGenius Clean] C:\WINDOWS\zg.exe -clean
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\ME\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://raven.veloz.com/pub/download/oodlz_wrd.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12ae7d9a567125324d15/netzip/RdxIE601.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} (Squire Class) - http://update.searchsquire.com/SearchSquire33.CAB
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4288/mcfscan.cab




--
"One likes to believe in the freedom
Of music. But glittering prizes
And endless compromises shatter
The illusion of integrity"
- Neil Peart
 
PackRat2112

> Hi PackRat!
>
> I can't help with your log, but you might also try posting
> your log at this site. They are experienced with many of
> the scan programs, including HijackThis, and they can also
> read your log and advise you how to get rid of your problem
> files, some of which you may not be aware are unnecessary
> or can be damaging to your system.
>
> http://tomcoyote.org/forums/index.php?showforum=27
>
> You can post as a guest or register as a member; it's
> free. ;-))
>
> Good luck.
> Jan :)

Thanx Jan, I'll check it out. :)



 
Jan Il

Hi PackRat!


I can't help with your log, but you might also try posting your log at this
site. They are experienced with many of the scan programs, including
HijackThis, and they can also read your log and advise you how to get rid of
your problem files, some of which you may not be aware are unnecessary or
can be damaging to your system.

http://tomcoyote.org/forums/index.php?showforum=27

You can post as a guest or register as a member; it's free. ;-))

Good luck.
Jan :)
 
mzlindyone

> A friend of mine has encountered the be.delf trojan and I can't
> figure out how to remove this pesk.
>
> She runs XP Pro on an old Pentium 333.

Ouch. It's not apparently relevant here, but WHY would she choose to
run (if you call it running) the most insecure OS ever to come out of
Redmond on a machine that can't handle it?

> I ran AVG on the system; it finds it in some obscure place, I
> delete it.

WHAT obscure place? It matters, a lot. Look in the log for the exact
location.

> Then I ran Ad-Aware 6.0 and it found 541 (wow)

Wow is right, I think that's the most I've ever heard of. :)
So I take it your friend likes to install lots of free software?

> entries. Deleted
> that mess, ran it again, it found 13 entries (none seemingly
> that have anything to do with "delf"), deleted those.
>
> Then I ran Spider Bite. I didn't see anything; I restarted the
> system.
>
> Ran Ad-Aware again, it found 2 entries (none seemingly that
> have anything to do with "delf"), deleted.

Try updating Ad-Aware again. It should be finding the LOP that's
hanging Spybot, by now.

> Ran Spybot and it stopped running about halfway through the
> process. <Ctrl-Alt-Del>, end program.
> Tried again... same thing.

Spybot S&D gets hung on the LOP spyware. As far as I know a simple
update should solve that. There are still several chunks of spyware
here and one of them may be using delf as its downloader or AVG *may*
be misidentifying it.

> C:\WINDOWS\System32\SearchUpdate33.exe
> C:\Program Files\Common Files\slmss\slmss.exe
> C:\WINDOWS\mwsvm.exe
> C:\WINDOWS\System32\IEDriver\IEDriver.exe

I never saw that last one before, but IE in normal use doesn't need a
"driver". Unless it has to do with that Google toolbar I see, she
doesn't want it.

> C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE

It is, or at least WAS, also considered spyware, but I think most
people who have it want it.


Carol
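A small triage script for a log like the one posted, added here as an example (not HijackThis code, and not something any poster ran): it parses the Running processes list and the R/F/O entries, then cross-references the O4 Run keys against the running processes using three rules I take from Carol's reply and the log itself, namely the four process names she calls out, several Run keys launching one file (Mwsvm and absr both point at mwsvm.exe), and an autorun executable sitting directly in the Windows directory root. The sample log is a constructed excerpt of the one above.

```python
"""Triage the O4 autorun entries of a HijackThis v1.97-style log.

Added example for this thread (not HijackThis code). Rules are assumptions:
(1) the four process names the reply above calls out, persisted in a Run key
AND currently running; (2) several Run keys launching one file (Mwsvm and
absr both point at mwsvm.exe); (3) an autorun sitting directly in the
Windows directory root, which only means "worth a second look".
"""
import re
from collections import defaultdict

# Constructed excerpt of the log posted in the thread (wrapped lines rejoined).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.6
Scan saved at 11:48:34 AM, on 11/13/2003
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\SearchUpdate33.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\IEDriver\IEDriver.exe

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [SearchSquire33] C:\WINDOWS\System32\SearchUpdate33.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} (Squire Class) - http://update.searchsquire.com/SearchSquire33.CAB
"""

# Process names the reply above singles out, lower-cased for comparison.
FLAGGED_NAMES = {"searchupdate33.exe", "slmss.exe", "mwsvm.exe", "iedriver.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 body shape: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def parse_log(text):
    """Split a log into its running-process list and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            in_procs = False            # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):             # quoted path, arguments may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split()[0]


def triage(text, flagged_names=FLAGGED_NAMES):
    """Cross-reference O4 autoruns with the process list; return findings."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    autoruns = defaultdict(list)        # lower-cased exe path -> Run-key names
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if m:                           # Global Startup .lnk lines are skipped
            exe = exe_from_command(m.group("cmd")).lower()
            autoruns[exe].append(m.group("name"))
    report = {"shared_target": {}, "flagged_running": [], "windows_root": []}
    for exe, names in autoruns.items():
        if len(names) > 1:              # rule 2: one file, several Run keys
            report["shared_target"][exe] = names
        if exe.rsplit("\\", 1)[-1] in flagged_names and exe in running:
            report["flagged_running"].append(exe)   # rule 1
        if re.fullmatch(r"c:\\windows\\[^\\]+", exe):
            report["windows_root"].append(exe)      # rule 3
    return report
```

Calling triage(SAMPLE_LOG) returns the three finding lists as a dict; rule 3 also picks up realtime.exe, which is why it is only a prompt to look, not a verdict.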
 
