• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 805

Remove Trojan BHO.DAB and Downloader.Delf.Ast

Experts!  I have a client's PC that is infected with these two viruses: trojan downloader.delf.AST and bho.dab.  The infected files reside in the system32\ directory.  Does anyone know of a tool that can remove these?  I thought about re-installing Windows but the user doesn't have their recovery CDs.  Thanks!

I am using AVG FE 7.5.
Asked: samiam41
1 Solution
 
IndiGenus commented:
It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
0
 
samiam41 (Author) commented:
indigenus- attached are the results

carlwarner- i am working on your post now

thank you both for your help!!
hijackthis.log
0
 
IndiGenus commented:
Download and Run ComboFix (by sUBs) You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running ComboFix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on the Network icon & select "Repair".
Alternately, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: ComboFix will typically fix most and sometimes all malware entries, but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
0
 
samiam41 (Author) commented:
carlwarner- i remember seeing this site since there were only 3 that showed up from my google search.  i was concerned with the age of the posts and wasn't sure if there was something newer.  if that works, rock on, but i wanted to make sure before i followed that post.  thanks!
0
 
samiam41 (Author) commented:
indigenus- downloaded and ran the util.  pc is restarting now.  i will update momentarily.  this is the same app as in the post carlwarner provided.  two experts recommending roughly the same thing sounds promising.
0
 
IndiGenus commented:
samiam41,
I volunteer at Geeks also, and kahdah is very knowledgeable, as are most of the staff there. But no 2 infections are exactly alike. Each should be treated as an individual infection. As you can see the infected files in your log are different from the one there. Yes the tool used, combofix, is the same but there will likely need to be a follow up script that will be different. Hope that makes sense.

Dave
0
 
samiam41 (Author) commented:
great points.  glad i hesitated and posted the question.  i am attaching the results of the CF app.  looks like it worked (so far) as i can open ie without seeing numerous virus warnings.


log.txt
0
 
IndiGenus commented:
1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\dimapi.dll.bak
C:\WINDOWS\system32\dv80tiog6.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dv80tiog6"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dv80tiog6"=-

---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

0
 
samiam41 (Author) commented:
10-4

Running it now
0
 
samiam41 (Author) commented:
here is the updated log file
log.txt
0
 
IndiGenus commented:
Looks like you got it. Can you post a new Hijackthis log too?
0
 
samiam41 (Author) commented:
of course.  i will run it now.  thanks for your patience.
0
 
samiam41 (Author) commented:
updated log file as requested
hijackthis.log
0
 
IndiGenus commented:
Looks clean. Would recommend a full system virus scan, and a spyware scan; you have SAS and that is good.

Good luck,
Dave
0
 
samiam41 (Author) commented:
that is awesome how well you knocked that out.  you even took care of that "dv80tiog6" pop-up error i was getting.  if the log looks clean, will close out question and award points.  thanks again for your help.  
0
 
IndiGenus commented:
You're welcome :)
0
 
samiam41 (Author) commented:
You're great.  Take care of yourself.  I know you taught a fellow IT pro something new and helped my client out big time!
0
 
samiam41 (Author) commented:
i love learning about the security side and am working on my ccsp.  what were you looking for in the log file?  I went through them again and wasn't sure what i was looking for.  i would appreciate any time you could offer up to explain this.
0
 
IndiGenus commented:
Hi,
There are many things to consider when reviewing HJT logs. Obviously files. Also CLSIDs, and where files are located sometimes. There are several databases that we use, along with a good ole' search engine like Google. A lot of it is experience and training in this area. I am a member of 3 different schools in the anti-malware forums and have been trained by some of the best. Check out my blog for the most recent article that covers this.

http://www.anti-malwareoutlook.com/

Regards,
Dave
0
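As an added example (not code from the thread, nor from ComboFix or HijackThis), here is a read-only PowerShell audit of the two autostart locations that the log review described above and the CFScript post earlier both turn on: the HKCU/HKLM Run keys (the ones the script cleared) and the Browser Helper Object CLSIDs, which HJT resolves to their DLLs via HKCR\CLSID\{guid}\InprocServer32. It reports each entry's binary, whether that binary exists, and its Authenticode status, and flags entries worth a closer look. It assumes Windows PowerShell run as administrator; the only name it knows is `dv80tiog6`, taken from the thread's CFScript, and everything else it flags comes from the signature/location checks, not from a malware database.

```powershell
# Added example, not from the thread or from the ComboFix/HijackThis authors.
# Read-only: enumerates Run entries and BHOs, checks the referenced binaries,
# and flags entries for review. It deletes nothing.

# Entry name taken from the thread's CFScript; extend for your own case.
$SuspectNames = @('dv80tiog6')

function Resolve-CommandPath {
    # Reduce a Run value such as '"C:\Program Files\x\y.exe" /tray'
    # to the bare executable path so it can be checked on disk.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { $c = $c.Substring(1, $end - 1) } else { $c = $c.TrimStart('"') }
    } else {
        $c = ($c -split '\s+')[0]
    }
    return $c
}

function Get-SignatureStatus {
    # 'Valid' for a correctly signed file, 'NotSigned' (etc.) otherwise,
    # 'Missing' when the path does not exist (a dangling autostart entry).
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Get-RunEntries {
    $keys = @('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $path   = Resolve-CommandPath -Command ([string]$p.Value)
            $status = Get-SignatureStatus -Path $path
            [pscustomobject]@{
                Source = $key
                Name   = $p.Name
                Path   = $path
                Signed = $status
                # Flag a known-bad name, or an unsigned/missing binary under system32,
                # which is where the thread's infected files lived.
                Review = ($SuspectNames -contains $p.Name) -or
                         ($status -ne 'Valid' -and $path -like "$env:SystemRoot\system32\*")
            }
        }
    }
}

function Get-BhoEntries {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        # A BHO is only a CLSID; the DLL behind it is the InprocServer32 default value.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) {
            $dll = [Environment]::ExpandEnvironmentVariables(
                       [string](Get-ItemProperty -Path $server).'(default)')
        }
        $status = Get-SignatureStatus -Path $dll
        [pscustomobject]@{
            Source = 'BHO'
            Name   = $clsid
            Path   = $dll
            Signed = $status
            Review = ($status -ne 'Valid')   # few legitimate BHOs exist; any unsigned one merits a look
        }
    }
}

@(Get-RunEntries) + @(Get-BhoEntries) |
    Sort-Object Review -Descending |
    Format-Table Review, Source, Name, Signed, Path -AutoSize
```

Read the `Review` column the way the HJT reviewer reads the log: an entry whose file is `Missing` is a leftover to clean up, an unsigned binary in system32 with a random-looking name is what the CFScript above targeted, and a `Valid` signature from a vendor you recognise is normally fine. The signature check is a triage aid, not a verdict; an unsigned file still needs the database and search-engine lookup the post describes before anything is removed.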
 
samiam41 (Author) commented:
Cool.  That gives me some direction to study more about the ever changing world of pc security.  I'll check out your blog and see how dangerous I can become.  : )  Thanks again.

-Aaron
0
 
