win32.delf.uc keeps coming back

Hi.

I'm sorry, I have messed up and missed replying to this topic. Are you still with me?

spybob said:
I elected not to remove some of the last programs mentioned prior to following the rest of your instructions. Would there be any difference had I not removed any programs from the beginning of this?
No problem and no difference.

Zero Access is a serious rootkit infection that patches system drivers on your computer. It is known to be highly resistant to removal, and the damage it does to the system is difficult to repair. With some versions the only practical way to remove it is to re-format the hard drive and re-install Windows.

Also, there are non-malware related issues in the logs you have provided from your computer which show the need of a reformat and re-installation of Windows:
  • There are signs of many installs/uninstalls of programs and of broken programs.
  • There's very little space left on the hard drive. The system drive (C:\) needs more space for Windows to function properly.

The best advice I can give you for this computer is to back up all important files (those you don't want to lose) and perform the re-format and re-installation of Windows.
 
Yes, I am. I understand you are all volunteers, but does it usually take a month to get an issue resolved? I am now having an issue with my other computer but don't want to do anything till this one is resolved.
 
If done correctly, re-formatting and re-installing Windows XP will resolve both the malware and non-malware related problems on the computer. Do you need any help with the process?
 
How do I avoid infecting any data or program settings (i.e. excel & word toolbar customizations) that I would backup for reinstall?
 
How do I avoid infecting any data or program settings (i.e. excel & word toolbar customizations) that I would backup for reinstall
I do not use Word and Excel, so you must be more specific:
-Explain how (and maybe why) you have customized word/excel toolbars.
-Are these customizations so extensive that they can't be reapplied manually after the re-install?
-Other information that could help me understand.
 
Regardless of Word or Excel, how can I figure out if any file I've backed up from my data (assuming there are no .exe) is infected? What are the odds that backing up, formatting, doing a clean install and then putting my data on the newly installed drive will be infected from what I've backed up?
 
This will minimize the risk of bringing any infection with you to the fresh install:

In addition to exe-files, you should generally not back up any html-files. Run an online virus scan on the backup media after the re-install (before restoring). Programs should be re-installed from the official source.

Windows itself should be re-installed from the official CD and the computer should not be connected to any network until updated to Service Pack 3 (SP3) and anti virus installed. Service Pack 2 (SP2) or Windows XP Service Pack 1a (SP1a) must be installed to apply SP3. Using the computer with only SP2 (or lower) installed is absolutely not recommended and makes it vulnerable to attacks using already known security holes.


Here are instructions for using an online scan after the re-install.


ESET Online Scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.

  • Open the following link in a new window:
    ESET Online Scanner
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on:
    EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
    EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • You can use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • When completed select Uninstall application on close if you so wish. Make sure you copy the logfile first!
  • Now click on:
    EOLS4.gif
 
Before I format my hard drive I reread these emails and am wondering if I actually still have the Zero Access problem, or other malware threats?
 
Before I format my hard drive I reread these emails and am wondering if I actually still have the Zero Access problem, or other malware threats?
At this point it's still not clear what malware threats may still reside on this computer. Given the nature of any rootkit infection, it is impossible to know all the changes that may have been made to your system. There exists no tool that can reset the security in Windows to a fresh clean install.

This is a list of files to back up when doing a reformat. It should cover most, but may not be complete for your computer.

Remember to back up all important documents, personal data files, music, photos, e-mails and bookmarks.

This is a list of Microsoft Office Word/Excel files that you may want to back up:
custom.dic (personal dictionary)
*.acl (personal autocorrect list)
mssp2_en.exc (personal exclusion dictionary)
normal.dot (default new documents template)
*.dot (Any other templates you've made)

*.xlb (personal toolbar)
book.xlt (defaults for new workbooks)
sheet.xlt (defaults for new worksheets)
personal.xl* (personal macros)
*.xlt (Any other templates you've made)

The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab.


The logs have shown that there is almost no space left on the hard drives. Did you fill the hard drives with data?

How are you planning to back up your files?

How old is the hard drive on this computer?

Do you have further questions related to this topic?
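
The two lists in the post above, turned into a check that can be run over a backup folder from a known-clean computer before anything is copied back. This is an added example, not part of the original thread; the function names and the sample file names are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Extensions the post advises against backing up.
RISKY_EXTENSIONS = {".exe", ".scr", ".ini", ".htm", ".html", ".php",
                    ".asp", ".xml", ".zip", ".rar", ".cab"}

# Office Word/Excel settings files the post lists as worth keeping.
OFFICE_PATTERNS = ["custom.dic", "*.acl", "mssp2_en.exc", "normal.dot", "*.dot",
                   "*.xlb", "book.xlt", "sheet.xlt", "personal.xl*", "*.xlt"]


def classify(name):
    """Return 'risky', 'office' or 'other' for one file name (case-insensitive)."""
    lower = name.lower()
    # Only the final extension counts, so "holiday.jpg.scr" is treated as .scr.
    if os.path.splitext(lower)[1] in RISKY_EXTENSIONS:
        return "risky"
    if any(fnmatch.fnmatchcase(lower, pat) for pat in OFFICE_PATTERNS):
        return "office"
    return "other"


def audit_backup(root):
    """Walk a backup folder and group relative paths by classification."""
    report = {"risky": [], "office": [], "other": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            report[classify(name)].append(rel.replace(os.sep, "/"))
    for paths in report.values():
        paths.sort()
    return report


def build_sample_backup(root):
    """Create a constructed sample backup tree (empty files) for the demo."""
    for rel in ["docs/budget.xls", "docs/letter.doc", "office/Normal.dot",
                "office/CUSTOM.DIC", "office/Excel11.xlb", "web/saved_page.HTML",
                "tools/setup.exe", "photos/holiday.jpg.scr", "old/archive.zip"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        for group, paths in audit_backup(tmp).items():
            print(group, paths)
```

Files reported as "risky" are the ones to leave out of the restore; everything else still needs the virus scan described earlier in the thread.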
 
Thank you for the list of items.

If I install XP on a different hard drive and then attach the original as a secondary, run virus detection on both drives then copy data from secondary to primary and then repartition the secondary, is there any more risk than copying data to a different backup since I would no longer be booting from the original or using any of the exe's from there?
 
If I install XP on a different hard drive and then attach the original as a secondary, run virus detection on both drives then copy data from secondary to primary and then repartition the secondary, is there any more risk than copying data to a different backup since I would no longer be booting from the original or using any of the exe's from there?
There's a bump in the road again.

Do you have any experience in how to swap out internal components of a computer? Do you know how to minimize the risk of static discharge while working with computers like that?
 
It appears to me that you have experience with hard drive swapping and that you know how to minimize the risk of damaging static discharge while swapping internal components of a computer.

(...) is there any more risk than copying data to a different backup since I would no longer be booting from the original or using any of the exe's from there?
Using a different (empty) physical hard drive should work and you will definitely not lose any data until you repartition the original drive. The risk is low if you only copy the files described in my previous post back to the fresh install.

Please note:
  • It might be a good idea to have the original drive disconnected while installing Windows on the different drive to avoid accidental format and loss of data on the original drive.
  • Please make sure that you do not accidentally boot from the original hard drive.
  • Run an online virus scan on the files before copying anything back. Note that copying back entire profile/user directories is really bad practice.
  • Use extra care not to accidentally copy back files and directories other than those described, since your backup now contains all files.
  • Keep the computer disconnected from any network until Service Pack 3 and anti-virus are installed (read below).


When you have finished installing Windows, determine which service pack is installed:
  • Click Start, and then click Run.
  • Copy and paste, or type the following command and then click OK:
    winver
    A dialog box displays the version of Windows and the service pack that is currently installed on your computer.

As previously written, you should not connect the computer to any network until updated to Service Pack 3 (SP3) and anti-virus installed. Currently I'm only recommending Microsoft's anti-virus solution.

Service Pack version must be SP1a or SP2 to upgrade to SP3. Install the appropriate service packs, SP1a if no service pack or SP2 if your Windows media had SP1 preinstalled, then install SP3. Make sure to reboot after each service pack install.

The safest method is to download and burn the necessary tools to CD(s) on a known uninfected computer:

Windows XP Service Pack 1a (SP1a)
Windows XP Service Pack 2 (SP2)
Windows XP Service Pack 3 (SP3)
Microsoft Security Essentials Installer
Microsoft Security Essentials Definitions
Flash Disinfector

When finished installing SP3, run the Microsoft Security Essentials Installer, followed by the definitions update, then run Flash_Disinfector.


Flash Disinfector

Running Flash Disinfector will disable autorun on your computer to avoid infection if plugging in an infected external USB/hard drive.

  • Double click the file to run it.
  • You will be prompted to plug in your flash drive. Please do not plug in any external drives for this first run! Just click OK.
  • Flash_Disinfector will start disinfecting and securing your hard drive(s). This takes a few seconds, and your desktop will disappear during the process (this is normal).
  • When done, a message box will appear. Click OK.
  • Your desktop should now re-appear.
  • If it doesn't:
    • Press Ctrl + Alt + Del to open Task Manager.
    • Click on File > New Task (Run...).
    • Type in explorer.exe and press OK.
    • Your desktop should now appear.
If you want to "disinfect" and secure external drives later, then re-run Flash Disinfector and plug in the device when prompted.



Update Windows and Internet Explorer

Connect the computer to the internet, but do not use it for anything until you have fully updated Windows and Internet Explorer:

Update Windows and Internet Explorer to protect your computer from malware. Update Internet Explorer even if you do not plan to use it. Having an outdated version installed is a security risk.

Please open the Windows Update site in Internet Explorer and install all critical updates. Repeat the process until no further updates are offered.


Select your desired settings for updating.

  • Go to Start > Control Panel > Automatic Updates
    1. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
    2. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
    3. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.


I'll be back with another post with further recommendations, please do not download files/install any further programs until you have read my next post.
 
Install Various Common Programs

Here follow instructions to install various common programs. Please do not install a program you don't need. Make sure you read the prompts during the installation of all programs and uncheck options to install any toolbars and alternate homepage.

Mozilla Firefox: http://www.mozilla.org/en-US/firefox/new/

Java: Download and install Java Runtime Environment (JRE) 6 Update 30 (~16Mb) (Windows Offline)

Adobe Flash Player:
Uncheck the option to install McAfee Security Scan Plus before downloading!
http://get.adobe.com/flashplayer/otherversions/
Note: There are separate versions for "other browsers" and Internet Explorer. Don't install the one for Internet Explorer if you do not plan to use Internet Explorer.

Consider using the more lightweight Foxit Reader (14Mb) rather than Adobe Reader (66Mb) to read pdf files.
  • Please uncheck the options to Install Foxit PDF Creator Toolbar and make Ask my browser default search provider, also uncheck the option to Set Ask.com as my homepage while installing Foxit Reader.
  • Please uncheck the optional install of McAfee Security Scan Plus if/when downloading Adobe Reader.


Consider using the following security programs

  • WinPatrol
    This is a lightweight system monitor. Download it from here. You can find information about how WinPatrol works here.
  • Malwarebytes' Anti-Malware
    Download and install Malwarebytes Anti Malware Free.
    Update and perform a quick scan 1-2 times a week.
  • Spybot Search & Destroy
    Instructions are located here. Do not enable Teatimer during the install if using WinPatrol. Update, re-immunize & scan using Spybot Search & Destroy regularly.
  • Hosts File
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
    Download HostsXpert and unzip it to your computer, somewhere where you can find it.
    • Run HostsXpert
    • If Hosts file is Read Only, click on Make Writeable, otherwise move on to next stage.
    • Click Download button.
    • Click MVPs Hosts
    • Click Merge File
    • Press OK to download latest MVPs update and merge it with your Hosts file.
    • When finished click File Handling
    • Click Make Read Only to secure your Hosts file.
    • Close HostsXpert.

    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window.

    Update the hosts file regularly. For a more detailed explanation of the HOSTS file, click here.
  • Secunia Online Inspector
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for vulnerable programs running on your PC that are in need of an update, you can use the Secunia Online Software Inspector (OSI). I suggest that you run it and install the suggested updates at least once a week.


It is ABSOLUTELY ESSENTIAL to keep Windows, Java, Adobe and all of your security programs up to date. If you forget, then your computer will likely get reinfected.


Please read the topic below which will give you a few suggestions on how to minimize your chances of getting another infection.

If following all this advice does not keep your computer clear of infections, then ask for help at the forum directly. Installing/uninstalling all sorts of anti virus and security programs to scan your computer is not recommended.


Do you have any further questions related to this case?
 