Full Version: Fighting with 'Trojan-Clicker.Win32.Delf.cbe' - Anyone Figure out how to clear this?
John Edwards
This was found on a protected system (but outdated sig), and now the system attempts to remove the dll file after reboot and fails, causing a reboot cycle. I have to stop Kaspersky to keep the system online.
I have tried safe mode to remove the file, but I keep getting an access denied.

I am trying Malwarebytes software now, but I am not optimistic. Anyone had any success killing 'Trojan-Clicker.Win32.Delf.cbe'?

Thanks
richbuff
Please attach the zipped virusinfo_syscure.zip; instructions, see: http://forum.kaspersky.com/index.php?s=&am...st&p=678334
John Edwards
Here's the file as requested.

Thanks for your time.
richbuff
Run this script, instructions: http://forum.kaspersky.com/index.php?s=&am...st&p=678368
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('rjyzlcwm.sys','');
DeleteService('rjyzlcwm');
StopService('rjyzlcwm');
DelBHO('{59750DC0-4A9E-4991-B888-619135A0915B}');
QuarantineFile('c:\windows\system32\khdbzmy.dll','');
DeleteFile('c:\windows\system32\khdbzmy.dll');
DeleteFile('rjyzlcwm.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.
John Edwards
Here's a Combofix log from one of the infected PCs - I am now dealing with 10 infected PCs. I have started reloading Windows on a few...

richbuff
Download and Save IceSword to your Desktop: http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip
Unpack (right click > Extract) & execute it. In the left navigator choose "File". Go to the C:\Windows\system32\ folders, look for c:\windows\system32\cczzjxm.dll
Right click it and choose Force delete.

Then repeat logs, new AVZ log first, and then new Combofix log.
John Edwards
QUOTE(richbuff @ 14.05.2009 20:11) *
Download and Save IceSword to your Desktop: http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip
Unpack (right click > Extract) & execute it. In the left navigator choose "File". Go to the C:\Windows\system32\ folders, look for c:\windows\system32\cczzjxm.dll
Right click it and choose Force delete.

Then repeat logs, new AVZ log first, and then new Combofix log.


I could not wait on this any longer - I've reloaded all 10 systems with fresh installs. I have a feeling I could block this with the anti-hacker module, the problem is anti-hacker causes network connections to drop constantly. I am going to work on streamlining my image rollout - this happens too often.
