Failure to remove Trojan-PSW.Win32.Delf.IP

First off I need to say (R). I love this suite of programs, and wish them all well for the future. Now to my enquiry.

Comodo Antivirus detects that the file c:\windows\system32\derstg.exe contains the virus Trojan-PSW.Win32.Delf.IP. It can neither disinfect nor remove the file, even though it says it does. I thought this should just be brought to the attention of the correct authorities because I want these programs to kick ■■■.

Also, Comodo seems to name viruses differently from the Symantec way of doing things. Not that this is a bad thing, but it could be confusing for end-users who want to learn more about the virus on their system. Maybe have something saying the virus might also go under these other names.

Thank you for your time.

OK… NO! :wink:

I’d imagine it can’t touch it because it is running. Do you see it in the Task Manager?

Also, it would be good to know whether it is a false positive or not. Submitting it would be one way to find out, and another would be to use a third-party scanner… like Jotti.

Umm, it’s not in Task Manager under its own name. I can’t see anything that looks wrong under processes, but I’m not exactly the greatest at it. It’s not under its own file name.

Jotti results:

AntiVir - Found Trojan/PSW.Delf.IP.2
ArcaVir - Found Trojan.Psw.Delf.Ip
Avast - Found nothing
AVG Antivirus - Found PSW.Generic.NRH
BitDefender - Found Generic.Malware.E!.414C1825
ClamAV - Found nothing
Dr.Web - Found Trojan.PWS.Sable
F-Prot Antivirus - Found nothing
Fortinet - Found W32/Delf.B!tr.pws
Kaspersky Anti-Virus - Found Trojan-PSW.Win32.Delf.ip
NOD32 - Found Win32/PSW.Delf.IP
Norman Virus Control - Found W32/Delf.JGC
UNA - Found Trojan.PSW.Win32.Delf
VirusBuster - Found nothing
VBA32 - Found Trojan-PSW.Win32.Delf.ip

I’m glad I changed to Comodo from Avast! At least it found it, unlike Avast!

Anyway, I am currently sending the file, password-zipped, to the correct email address for submissions.

OK, so it is a baddy… give this a try.

Install this tiny freeware tool, WhoLockMe?. It is a handy tool that installs into the context menu (right-click on a file in Explorer). When WhoLockMe loads, it will show you a list of the application(s) that have a lock on the file. Write their names down (as they’d most likely be part of the infection), kill the processes from WhoLockMe, then start deleting the file(s).

I would also suggest looking for manual cleanup routines on the websites of the other AV vendors whose products identified it successfully.

(S)
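The procedure in the reply above (find out which running process holds the file, kill it, then delete the file) can be scripted without a third-party tool. The following PowerShell script is an added example, not code from the thread or from WhoLockMe; the file path and the -Kill switch are illustrative assumptions. It confirms the lock by asking for a write handle (a running executable image refuses one with a sharing violation, which is the same failure the antivirus ran into), then lists every process that has the file as its main image or as a loaded module.

```powershell
# Added example (not from the forum post). Run from an elevated PowerShell prompt.
# Default path is the file named in the thread; -Kill is an assumed switch for the
# cleanup step. Write the process names down before killing anything: they point at
# the rest of the infection.
param(
    [string]$Path = 'C:\Windows\System32\derstg.exe',
    [switch]$Kill
)

function Test-FileLocked {
    param([string]$File)
    # A mapped executable image, or any process holding the file open without
    # granting shared write access, makes this call fail with a sharing violation.
    try {
        $fs = [System.IO.File]::Open($File,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::ReadWrite,
            [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

function Get-FileHolder {
    param([string]$File)
    $target = (Resolve-Path -LiteralPath $File).Path
    foreach ($p in Get-Process) {
        $hit = $false
        try {
            # Case 1: the file is the process's own executable (shows under a different
            # name in Task Manager only if it was copied or renamed elsewhere).
            if ($p.Path -eq $target) { $hit = $true }
            # Case 2: the file is loaded as a module inside another process (e.g. a
            # system process), which is why it has no entry of its own in Task Manager.
            elseif ($p.Modules | Where-Object { $_.FileName -eq $target }) { $hit = $true }
        } catch {
            # Protected/system processes deny access without elevation, and a 32-bit
            # PowerShell cannot read the module list of 64-bit processes. Skip them.
        }
        if ($hit) { $p }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Host "$Path not found"
    return
}

Write-Host ("Write access blocked: {0}" -f (Test-FileLocked $Path))
$holders = @(Get-FileHolder $Path)
$holders | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

if ($Kill -and $holders.Count -gt 0) {
    $holders | Stop-Process -Force
    Start-Sleep -Seconds 1
    Remove-Item -LiteralPath $Path -Force
    Write-Host "Deleted $Path"
}
```

Two caveats a practitioner would want. First, this only finds processes that have the file mapped as an image or module; a process that merely holds an open handle to it will not appear, which is exactly the case a handle enumerator such as WhoLockMe or Sysinternals Handle covers. Second, killing the holder and deleting the file does not remove whatever starts it again at boot, so check the usual autostart locations (Run keys, services, scheduled tasks) afterwards and rescan.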