Downloader.Delf.dbo Help Removal!!!

This trojan keeps infecting my PC.

Program: AVG Anti-Spyware
Name: Downloader.Delf.dbo
Location: C:\WINDOWS\system32\comctl3.dll
Risk: High
Description: This malicious software downloads, and then installs without the user’s knowledge, other harmful programs such as backdoors.
Browser Behavior: Keeps opening www.search-daily.com

Can you send the samples to virus@avast.com ?
You can zip and password-protect the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

There may be a legit use for this file name, so I would suggest confirming the detection at VirusTotal (multi-engine on-line virus scanner). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

Can you post the contents of a HijackThis log here?

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial 1

Hi Heidelloon,

In order to avoid SillyDl infections it is important to follow safe computing practices, such as keeping your Operating System and third party applications up to date and patched with the latest updates, and using an Anti-Spyware and Adware solution.

polonus

Well that is true, but first we have to confirm the detection is good.

Heidelloon is using an anti-spyware (AVG-AS) as well as avast, though I would suggest trying SuperAntiSpyware as I believe its detections are better. I’m not sure that avg-as is keeping up with the developments/signatures, etc. as it once was when it was called Ewido.

Hi DavidR,

Do I read you right that you think it could well be an FP?

pol

It is a possibility, as a Google search for comctl3.dll returns some hits which would appear to be legit but some that think it is malware, so we need to confirm.

http://www.spywaredata.com/spyware/malware/interop.comctl3.dll.php - the file location differs in this one though.

http://forum.grisoft.cz/freeforum/read.php?4,109582,page=1,backpage=,sv= - this AVG one reports continual alerting on comctl3.dll and there is a virustotal listing that also shows this can be detected by avast as Win32:BHO-ID. Yet there was no mention of this file being detected by avast.

Avast didn’t detect this trojan. However, I had to do a fresh install of Windows XP. So don’t worry about it. Also, not even HijackThis could delete it. The odd thing was that it kept infecting my Explorer.exe / Firefox & Internet Explorer 7.0.

This is one reason I suggested the confirmation of the detection, just in case it was a bad detection. Considering avast has previously detected malware in a file with that name, yet doesn’t in this one, that would tend to support that it might have been a false positive by avg-as.

HijackThis isn’t there to delete, just to give information on what is running on your system. From your log file we can see if there is anything that shouldn’t be there and try to deal with it.

So that detection by avg-as (incorrect or not) may not have had anything to do with the browser problem. If by the infection you mean the opening of search-daily.com, that infection may have been adware. Check out this report about search-daily.com, http://www.siteadvisor.com/sites/search-daily.com.

However, having done a fresh install of XP we won’t get to the bottom of the problem.

I wouldn’t call it odd… ‘reinfection’ is very common nowadays.
If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select archives for scanning. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you are still detecting any strange behavior, or you’re even sure you’re not clean, maybe it would be good to test your machine with anti-rootkit applications. I suggest AVG or Panda.

  6. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning with RunScanner and submitting its log to on-line analysis would help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.