Win32 Delf-GFV

system · 2007-10-15T13:23:25.000Z

Hi there.

I’m having a problem. I keep getting a detection notice the the files C:\WINDOWS\system32\cebaceb.dll[Morphine][UPX] and C:\WINDOWS\system32\cebaceb.dll.bak are infected with Win32: Delf-GFV [trj] but when I try to have Avast fix the problem it won’t allow it.

I tried running a boot scan and it gave me an access denied error message even when I booted in safe mode. My computer also won’t let me delete the file manually. I checked msconfig for the startup entry and couldn’t find anything.

What do I do?

Lisandro · 2007-10-15T14:29:59.000Z

Boot time scanning is not the same as scanning at Safe Mode.
Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can further analysis them.

system · 2007-10-15T14:40:46.000Z

I’ve tried it both ways, boot time scan and scanning while in safe mode. It won’t let me move or delete the files at all, just says access denied

DavidR · 2007-10-15T16:24:47.000Z

I don’t wish to insult you, but are you sure you did a boot-time scan as I can’t see how access would be denied before windows is running ?

Most Delf Trojans add a Startup entry: Startup Entry Name, SysService - Process Name, SysService.exe

Use Task Manager to check and End the Process if found (it might be worth reporting other unknown processes/startup entries). Also to end the startup entry, Windows Start, Run, type 'msconfig without the quotes, in the new window select the Startup Tab, find the SysService entry and uncheck it.

A google search for cebaceb.dll returns zero hits, which in itself is suspicious. Perhaps you could try and remove this with a tool to move on boot, etc.

MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.

Lisandro · 2007-10-15T17:00:28.000Z

DavidR post:4:

I don’t wish to insult you, but are you sure you did a boot-time scan as I can’t see how access would be denied before windows is running ?

Is there any possibility of denial of access due to access rights and not by file in use?
Is the boot time scanning run with the most access available?
For instance, there are XP policies that block the access with Restore Console…
It just that I’m not sure, just asking and trying to learn…

DavidR post:4:

MoveOnBoot http://www.snapfiles.com/get/moveonboot.html

Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.

Good suggestions… but I have already found that the tools fail in more than one situation.
Maybe KillBox or FileAssassin could be other possibilities.

system · 2007-10-15T22:04:32.000Z

i’m not sure. I’m not the most technologically savvy person.

I know that when i run the boot time scan, it finds the infected file, gives the option to delete then the message
Delete: Error 0xc0000022 {Access Denied}

I downloaded both utilities suggested. MoveOn couldn’t do anything with it, gave an error message that access was denied. Unlocker said it was connected to 3 processes, winlogon, explorer and iexplore

I unlocked and tried to delete, no luck.

I am now running uniblue spy eraser to see if the winlogon is spyware itself.

DavidR · 2007-10-15T22:17:59.000Z

Is this how you are initiating the boot-time scan ?
Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php

It should also look something like this image when it runs and finds something.

system · 2007-10-15T22:45:31.000Z

Yep, that’s what it looks like.

I’ve only been scanning the Widows directory, since that’s where the file i’m having the problem with is, so it doesn’t give me all those options, but if I try to delete I get that error message.

system · 2007-10-15T23:20:46.000Z

Thanks for the assist, but there are so many problems with my computer, i’m just going to format it and start from scratch.

Lisandro · 2007-10-16T00:11:37.000Z

pmaloney post:9:

Thanks for the assist, but there are so many problems with my computer, i’m just going to format it and start from scratch.

Hmmm… It’s a pity because, for us, format is drop the towel, accept the defeat.

DavidR · 2007-10-16T01:26:20.000Z

pmaloney post:9:

Thanks for the assist, but there are so many problems with my computer, i’m just going to format it and start from scratch.

Yes, it is a shame we haven’t been able to help without having to take the format option. Though if as you suggest there are many things wrong it may well be better to start from a clean system and try to keep it that way.

system · 2007-10-18T11:27:26.000Z

Can anyone plz help me out?
I m also having the same problem, n i dont wanna format my pc js 4 this problem…
I have also tried all the above measures but no help 4m that.

Lisandro · 2007-10-18T12:16:07.000Z

vinit123456 post:12:

I m also having the same problem, n i dont wanna format my pc js 4 this problem…

Did you try the general cleaning processes?
For instance: http://forum.avast.com/index.php?topic=5373.0

essexboy · 2007-10-19T15:28:24.000Z

Reformat is the last option - So lets try and get you cleaned up. Please run these programmes in the correct order

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while its running. That may cause it to stall

THEN

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Post both Combofix and Hijackthis logs

Announcements