Author Topic: Delf-KWY trojan  (Read 3816 times)


flicky

  • Guest
Delf-KWY trojan
« on: August 29, 2008, 10:07:53 AM »
I was hit with win32.Delf-KWY today.
When I do a boot scan it is recognised, but avast! cannot delete or move it to the chest. I can only ignore it.
If you try to delete the files - ravsys.exe and autorun.ini - they recreate themselves.
How do I get rid of this trojan if Avast! can't do it automatically?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Delf-KWY trojan
« Reply #1 on: August 29, 2008, 01:28:54 PM »
Hi, before anything can be done we need to know what you have got.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

lind

  • Guest
Re: Delf-KWY trojan
« Reply #2 on: September 01, 2008, 01:52:11 PM »
    I was hit with win32.Delf-KWY today
    When I do a boot scan it is recognised but avast! cannot delete or move it to the chest. I can only ignore it.
    If you try to delete the files - ravsys.exe and autorun.ini they recreate themselves.
    How do I get rid of this trojan if Avast! can't do it automatically?


    Hi flicky
    This is my information so far about win32.Delf-KWY

    Name: Trojan-Downloader.Win32.Delf.kwy

    Description:

    A trojan-downloader is a tool that downloads a trojan horse. A trojan, also known as a trojan horse, is simply a program that pretends to be something else.

    Why are trojans or trojan horses so dangerous? The basic idea is that you download a program, for example one that you think is some sort of game demo. When you run the demo, to your surprise, nothing happens. Or so you thought.

    What may have happened is that you've just unwittingly run some form of program that has planted itself on your hard drive. Perhaps it's going to be a very basic application, and simply delete some files on your system. Perhaps it's an even more sinister tool that will actually give other people full access to your hard drive and system. Sounds ridiculous? It happens literally every single day, to computer users all around the world.

    Referrer Site :


    Quote
    http://www.emsisoft.com/en/malware/?Trojan-Downloader.Win32.Delf.kwy

    2nd Infection

    Name:   RAVSYS.EXE

    We still have no confirmed information about this, but I can give you the test virus scan for this malicious software.


    Quote
    VirSCAN.org Scanned Report :
    Scanner results: 19% Scanner(7/36) found malware!
    File Name      : RAVSYS.EXE
    File Size      : 381952 byte
    File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5            : ec55fc7a83f60c7683b70e5dbc8e2f24
    SHA1           : 34d729c7e89ccda6295b34291978b6cd0be091bb
    Online report  : http://virscan.org/report/14d38180fe2b56c53319272282c7c76b.html

    Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
    a-squared      3.5.0.22        2008.08.17        2008-08-17  6.72   -
    AhnLab V3      2008.08.18.01   2008.08.18        2008-08-18  1.23   -
    AntiVir        7.8.1.19        7.0.6.26          2008-08-18  2.20   TR/Downloader.Gen
    Arcavir        1.0.5           200808171633      2008-08-17  1.22   -
    AVAST!         3.0.1           080817-0          2008-08-17  0.74   -
    AVG            7.5.51.442      270.6.5/1618      2008-08-18  1.53   -
    BitDefender    7.60825.1563568 7.20568           2008-08-18  5.82   Trojan.Crypt.Delf.C
    CA (VET)       9.0.0.143       31.6.6035         2008-08-15  4.95   -
    ClamAV         0.93.3          8052              2008-08-18  0.06   -
    Comodo         2.11            2.0.0.620         2008-08-18  1.10   -
    CP Secure      1.1.0.715       2008.08.18        2008-08-18  6.18   -
    Dr.Web         4.44.0.9170     2008.08.18        2008-08-18  3.22   -
    ewido          4.0.0.2         2008.08.17        2008-08-17  6.52   -
    F-Prot         4.4.4.56        20080817          2008-08-17  5.50   W32/Hupigon.G.gen!Eldorado (generic, not disinfectable)
    F-Secure       5.51.6100       2008.08.17.03     2008-08-17  0.09   -
    Fortinet       2.81-3.11       9.440             2008-08-18  1.82   -
    ViRobot        20080816        2008.08.16        2008-08-16  0.40   -
    Ikarus         T3.1.01.34      2008.08.18.71295  2008-08-18  3.40   Backdoor.Win32.Agent.ahj
    JiangMin       11.0.706        2008.08.18        2008-08-18  1.29   -
    Kaspersky      5.5.10          2008.08.18        2008-08-18  0.08   -
    KingSoft       2008.1.14.15    2008.8.18.17      2008-08-18  0.75   -
    McAfee         5.2.00          5362              2008-08-15  3.17   -
    Microsoft      1.3807          2008.08.18        2008-08-18  7.39   -
    mks_vir        2.01            2008.08.18        2008-08-18  2.63   Win32.4
    Norman         5.93.01         5.93.00           2008-08-15  5.06   -
    Panda          9.05.01         2008.08.17        2008-08-17  4.83   -
    Trend Micro    8.700-1004      5.484.03          2008-08-18  0.14   -
    Quick Heal     9.50            2008.08.16        2008-08-16  1.85   -
    Rising         20.0            20.58.02.00       2008-08-18  0.96   -
    Sophos         2.77.0          4.32              2008-08-18  1.96   -
    Sunbelt        3.1.1546.1      2193              2008-08-14  1.08   VIPRE.Suspicious
    Symantec       1.3.0.24        20080817.003      2008-08-17  2.22   -
    nProtect       2008-08-18.00   1894688           2008-08-18  3.83   Trojan.Crypt.Delf.C
    The Hacker     6.2.96          v00396            2008-08-11  0.42   -
    VBA32          3.12.8.3        20080817.1524     2008-08-17  2.27   -
    VirusBuster    4.5.11.10       10.84.3/598170    2008-08-17  0.92   -


    This is another function of the malicious software (Warning!)

    Quote
    File System Modifications

        * The following file was created in the system:

    #   Filename(s)                                File Size       File MD5
    1   %Windir%\Ravsys.exe                        381,952 bytes   0xEC55FC7A83F60C7683B70E5DBC8E2F24
        [file and pathname of the sample #1]

       Registry Modifications

        * The following Registry Key was created:
              o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

        * The newly created Registry Value is:
              o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
                    + DisableWindowsUpdateAccess = 0x00000001


    Quote
    (This scan shows that the malicious software is none other than malware.)

    I suggest you use the following programs to try to remove the malicious software from your system.


    1st We have SuperAntiSpyware

    Download link

    Quote
    http://downloads2.superantispyware.com/downloads/SUPERAntiSpyware.exe

    Instruction:
    Download the software, then install it. Afterwards, update to the current version, then go to Settings and check Full System Scan (this is very important).
    When the program detects the spyware/trojan/malware, delete it. After deletion it will require a system
    restart. Then scan again to check whether the malicious software came back (just for a double check ^_^).

    2nd We Have Malwarebytes'

    If you follow these instructions, everything should go smoothly.


        Please download Malwarebytes' Anti-Malware and save it to a convenient location.

    • Double click on mbam-setup.exe to install it.

    • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
          • Update Malwarebytes' Anti-Malware
          • Launch Malwarebytes' Anti-Malware

    • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.

    • Select the Scanner tab. Click on Perform full scan, then click on Scan.

    • Leave the default options as they are and click on Start Scan.

    • When done, you will be prompted. Click OK, then click on Show Results.

    • Check (tick) all items and click on Remove Selected.

    • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.

    Next,

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.

    • Double click on RSIT.exe to run RSIT.

    • Click Continue at the disclaimer screen.

    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

    Please post the following:
    • The Malwarebytes' Anti-Malware log
    • The contents of log.txt
    • The contents of info.txt

    Hope This Helps :3
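As an added example that is not part of the thread, the following read-only PowerShell check looks for the indicators quoted in Reply #2 (the dropped %Windir%\Ravsys.exe with the VirSCAN hashes and size, and the DisableWindowsUpdateAccess policy value). It assumes PowerShell 4 or later for Get-FileHash; the running-process check is my own addition, suggested only by the report that the file recreates itself.

```powershell
# Added example, not from the thread: check one Windows host for the indicators
# quoted above. Values come from the VirSCAN report and the modification list.
# Assumes PowerShell 4+ (Get-FileHash). Reads only; it removes nothing.

$KnownMd5  = 'ec55fc7a83f60c7683b70e5dbc8e2f24'
$KnownSha1 = '34d729c7e89ccda6295b34291978b6cd0be091bb'
$KnownSize = 381952
$FilePath  = Join-Path $env:windir 'Ravsys.exe'
$RegKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$RegName   = 'DisableWindowsUpdateAccess'

function Test-DelfKwyIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped file: report presence, then whether size and hashes match the sample.
    if (Test-Path -LiteralPath $FilePath) {
        $size = (Get-Item -LiteralPath $FilePath).Length
        $md5  = (Get-FileHash -LiteralPath $FilePath -Algorithm MD5).Hash.ToLower()
        $sha1 = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA1).Hash.ToLower()
        if ($size -eq $KnownSize -and $md5 -eq $KnownMd5 -and $sha1 -eq $KnownSha1) {
            $findings.Add("MATCH   $FilePath equals the reported sample ($size bytes)")
        } else {
            # A file by that name with different hashes still deserves a look.
            $findings.Add("SUSPECT $FilePath exists but differs (md5=$md5, size=$size, expected $KnownSize)")
        }
    }

    # 2. Policy value the sample sets; a missing value makes Get-ItemProperty return $null.
    $prop = Get-ItemProperty -Path $RegKey -Name $RegName -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.$RegName -eq 1) {
        $findings.Add("MATCH   $RegKey\$RegName = 1")
    }

    # 3. Assumption, not from the thread: a file that recreates itself after
    #    deletion implies a live process, so look for one by the same name.
    $proc = Get-Process -Name 'ravsys' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings.Add("SUSPECT running process ravsys.exe (PID $($proc.Id -join ','))")
    }
    return $findings
}

$result = Test-DelfKwyIndicators
if ($result.Count -eq 0) { 'No Delf-KWY indicators found.' } else { $result }
```

Run it from an elevated prompt so %Windir% is readable; a SUSPECT line means a file or process by that name is present but does not match the quoted hashes, which is worth submitting to a scanner before acting on it.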