Welcome! - Welcome! - Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
Main Log: Tux&Cía.
Advanced Information Log: Tux&Cía.-Información
May the source be with you!

Friday, September 26, 2008

Trojan horse Delf

Source
Description
Delf is a family of Trojan horse programs which allow a cracker to take complete control over infected PCs. Some versions log your keystrokes, allowing the cracker to review your passwords, credit card numbers, and any other information that you type. Backdoor.Delf.B is one common variant of this troublesome Trojan horse. Delf can install on a PC when you unwittingly run an infected email attachment or an infected file downloaded from a file sharing service.

If Delf.B Is On Your PC
Delf tries to disable several common antivirus applications, so you may notice that your antivirus utility has stopped working properly. You may also notice slow-loading Web pages or other unexpected Internet activity.
A Delf.B-infected PC will have files named Kernel32.exe in the Windows system directory (C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32, depending on the operating system). However, several other viruses and Trojan horse programs use that same file name in the same location. Having the file is always trouble, but the culprit is not necessarily Delf. To prove definitively that the uninvited visitor is Delf.B, use the Registry Editor (click Start and Run, type regedit in the Open box, and click OK) to look at the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
If both contain the value LoadWindowsFile, then Delf.B is the culprit.
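The decision rule above (Kernel32.exe alone proves nothing; LoadWindowsFile in both the Run and RunServices keys does) can be applied to a regedit File > Export of those two keys. The script below is an added illustration, not code from any of the sources quoted on this page; the .reg text in it is constructed, and the parser only handles the quoted string value lines the check needs.

```python
import re

# Constructed sample of what regedit's File > Export writes for the two
# autorun keys the article says to inspect (paths and values are made up).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadWindowsFile"="C:\\WINDOWS\\SYSTEM\\Kernel32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadWindowsFile"="C:\\WINDOWS\\SYSTEM\\Kernel32.exe"
"""

# The two keys named in the article; compared case-insensitively because
# regedit exports mixed case while the article writes them in upper case.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
)
DELF_VALUE_NAME = "loadwindowsfile"


def parse_reg_export(text):
    """Parse a .reg export into {KEY_PATH_UPPER: {value_name_lower: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            # "Name"="data"  (default values written as @=... are skipped)
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys


def delf_b_indicators(reg_text):
    """Return the autorun keys that carry a LoadWindowsFile value."""
    keys = parse_reg_export(reg_text)
    return [k for k in AUTORUN_KEYS if DELF_VALUE_NAME in keys.get(k, {})]


def is_delf_b(reg_text):
    """The article's rule: Delf.B only when BOTH keys hold LoadWindowsFile."""
    return len(delf_b_indicators(reg_text)) == len(AUTORUN_KEYS)
```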

WARNING: The following section includes step-by-step information on how to edit the Windows Registry, a large database containing system and program settings that are essential to how the OS (operating system) operates. Follow Registry-editing instructions to the letter and be sure to make a backup of your Registry before you begin (Registry errors can render your computer inoperable if you don't have a backup). This procedure differs depending on the OS you use. For more information on backing up and editing the Registry, see these articles: "Protect Yourself" and "Register Here."


How To Get Rid Of Backdoor.Delf.B
There are many versions of Delf; offshoots of this particular malware may require unique removal processes.
If you use the System Restore feature in Windows Me/XP, a copy of Delf could remain in the System Restore backup folder. To remove it, disable System Restore. To do this in WinXP, click Start and Control Panel, double-click the System icon, select the System Restore tab, check the Turn Off System Restore checkbox, and click Apply. Confirm that you want to disable System Restore, and the infected backups will be deleted.

To remove the System Restore feature's backup files in WinMe, right-click the My Computer icon on the Desktop, select Properties, and select the Performance tab. Click File System and Troubleshooting. Select Disable System Restore and click OK. The infected backups will be deleted. Restart your computer.
To remove Delf.B manually, start Windows in Safe Mode by pressing the F8 key as Windows begins to boot. Open Windows Explorer, navigate to the Windows system directory (C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32, depending on the operating system) and delete the Kernel32.exe file.

Next, use the Registry Editor to remove Delf's remains from the Windows Registry. Click Start and Run, type regedit in the Open box, and click OK. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN. In the right pane, look for an item called LoadWindowsFile. Right-click it and select Delete. Next, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES. In the right pane, there should also be an item called LoadWindowsFile. Right-click it and select Delete. Close the Registry Editor to save your changes and restart the computer.

If you prefer, you can use an antivirus utility such as Symantec's Norton AntiVirus 2005 to remove Delf. Launch the program and click the LiveUpdate button to download the latest updates. Next, restart the computer. Start Windows in Safe Mode by pressing the F8 key when Windows begins to boot. Start Norton AntiVirus 2005 again, click the Scan button, and wait for the utility to find and remove the offending files. When the program is done, restart the PC.

After removing Delf using either method, WinMe/XP users should re-enable the System Restore feature.
by Kevin Savetz
==============================
Source
This parasite is a trojan; this means that it doesn't strive to make as many copies of itself as possible and send them to various addresses, but concentrates on one single machine. Delf Trojan is able to give the hacker remote access to the infected computer and the ability to perform various destructive actions. Some of these actions may seriously harm the security and stability of the infected machine, which is why it's strongly recommended to remove this pest as soon as possible.
Delf Trojan properties:
• Allows remote user connection
• Logs keystrokes
• Connects itself to the internet
• Hides from the user
• Stays resident in background

Automatic Delf Trojan removal:

Delf Trojan manual removal:

Kill processes:
gadugadu.exe, project1.exe
HELP:
how to kill malicious processes

Delete files:
gadugadu.exe, project1.exe
HELP:
how to remove harmful files

Other programs to remove Delf Trojan:

• SUPERAntiSpyware - Download

==============================
Source

This easy-to-use application will help you detect and eliminate trojan threats from your computer.
cleandelf.exe will detect and remove W32/Delf Trojan and its variants completely, from your system.
Double click on cleandelf.exe to execute it.
Follow the user-friendly instructions in order to detect and remove this trojan from your computer.
==============================
Delete:

C:\Archivos de programa\GbPluggin\gbiehdst.dll
C:\Archivos de programa\GbPluggin\gbppdist.dll
C:\Archivos de programa\GbPluggin\gbppsv.exe

C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\933XHVIM\gbiehdst[1].js
C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\DLMA5EUF\gbppsv[1].js
C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\DLMA5EUF\Geremias_IIII_AVI[1].zip
