Malwarebytes scanning issue?


#1
moneal75

So I am infected with rootkit.win32.delf.af, so as I was following directions that led me to you guys, I DL'd Malwarebytes and followed instructions on how to install. I was told to select "quick scan" but after 2 (!!) hours, it's just still saying "Enumerating registry objects prior to scan" and under Currently Scanning, it is still saying "preparing for the scan".

Is this normal? AHHHH!!!! Thanks in advance!

#2
AdvancedSetup

Hello and Welcome to Malwarebytes.org

Please read and follow the instructions provided here as best you can: Pre- HJT Post Instructions
When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.

#3
moneal75

I finally got it to work and THANK YOU!!!

I thought I would post this in case you find it helpful for someone else.
I was infected in apptdata\Google with a rootkit.win32.delf.al file. I was also getting that stupid pop up box trying to get me to download that defender program. NOTHING was picking that up.

I ran:
Spyware Doctor
ThreatFire
Spybot
my virus scan which is F-secure (whatever that means).

My virus scan was telling me I had that rootkit virus but would not let me delete it; it was saying I didn't have permission!

I installed Malwarebytes and ran the scan. It picked up the rootkit virus (trojan?) and also the defender pop up box file. It let me delete everything but the rootkit, so I rebooted it and it was still there.

I ran my virus scan and this time it let my virus scan delete it.

I don't know what Malwarebytes did but THANK YOU!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! That was a horrible drama that I spent 5 days on!!!!

I'm wondering though how come it took me running Malwarebytes before my virus scan could delete it? Also what does that virus/trojan do (had I not been able to delete it)?

#4
exile360

Most likely Malwarebytes removed a file or files and/or registry keys that had the file locked so that your antivirus could not remove it, but once they were gone, the rootkit lost a layer of its protection. Malwarebytes uses special drivers and techniques itself to remove nasty files like that which is why it was able to get at it when your antivirus couldn't.

To answer your second question, the trojan/rootkit was most likely there to try to trick you into buying that fake anti-whatever software and to steal personal information and passwords, so if you've visited any email/banking sites or used your credit card online since you got the infection then you should change your passwords and call your credit card company and let them know what happened so you can decide whether to cancel and replace your cards or just to watch what charges pop up.

PS: If you haven't done so already (wasn't sure by your post), you should definitely post in the Malwarebytes HijackThis forum so one of the experts can make sure you are completely clean. Good luck and safe surfing.
Samuel E Lindsey
Product Manager


#5
Raid


moneal75, on Nov 15 2008, 12:12 AM, said:

I finally got it to work and THANK YOU!!!

I don't know what Malwarebytes did but THANK YOU!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! That was a horrible drama that I spent 5 days on!!!!

If we cannot delete the rogue file, we intentionally "break" its executable header. When you reboot, it doesn't load. Once the header itself is broken, the file for all intents and purposes is rendered harmless.
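
The effect described in the post above, as an added example that is not part of the original thread and is not Malwarebytes' code: a Python check of the header fields Windows needs before it will load an executable, run over a constructed header-only stub and three damaged copies. The post does not say which field gets modified, so the damaged variants and all function names here are assumptions for illustration.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics flag

def pe_header_status(data: bytes) -> str:
    """Return the first header check the image fails, or 'valid'.
    This is a subset of what the Windows loader verifies."""
    if len(data) < 0x40:
        return "too short for DOS header"
    if data[:2] != b"MZ":
        return "bad DOS signature"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    if e_lfanew + 24 > len(data):
        return "e_lfanew out of range"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "bad PE signature"
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if not fields[6] & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "not marked executable"
    return "valid"

def build_sample() -> bytes:
    """Constructed header-only stub: DOS header, PE signature, COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

def damaged_variants(sample: bytes) -> dict:
    """Constructed copies, each with one header field overwritten (assumed cases)."""
    no_mz = bytearray(sample)
    no_mz[0:2] = b"\0\0"
    bad_offset = bytearray(sample)
    struct.pack_into("<I", bad_offset, 0x3C, 0xFFFFFFF0)
    no_pe = bytearray(sample)
    no_pe[0x40:0x44] = b"\0\0\0\0"
    return {"no_mz": bytes(no_mz), "bad_offset": bytes(bad_offset),
            "no_pe": bytes(no_pe)}

if __name__ == "__main__":
    sample = build_sample()
    print("intact:", pe_header_status(sample))
    for name, image in damaged_variants(sample).items():
        print(name + ":", pe_header_status(image))
```

A file that reports anything other than "valid" here still occupies disk space and can still match a signature scan, which fits the original poster's account of the antivirus deleting the leftover file after the reboot.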
