PDA

View Full Version : removing win32.delf.rtk


rhayek
2008-11-25, 02:19
I have server 2003 with S&D 1.6 and keeps detecting win32.delf.rtk. Also it has closed my NAV.
I have included the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:00 PM, on 11/24/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dcevt32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dcstor32.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL$AKM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Dell\SysMgt\oma\bin\omsad32.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\omaws32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Data\Users\Ron$\download\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: MSDE Instance AKM.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://www.apc.com
O15 - ESC Trusted Zone: http://*.dell.ca
O15 - ESC Trusted Zone: http://www1.ca.dell.com
O15 - ESC Trusted Zone: http://software-files.download.com
O15 - ESC Trusted Zone: http://www.google.ca
O15 - ESC Trusted Zone: http://www.jklnsoft.com
O15 - ESC Trusted Zone: http://lw12fd.law12.hotmail.msn.com
O15 - ESC Trusted Zone: http://my.ca.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://search.msn.com
O15 - ESC Trusted Zone: http://www.msn.com
O15 - ESC Trusted Zone: http://login.passport.com
O15 - ESC Trusted Zone: http://loginnet.passport.com
O15 - ESC Trusted Zone: http://login.passport.net
O15 - ESC Trusted Zone: http://dl15.pctools.com
O15 - ESC Trusted Zone: http://downloads.pcworld.com
O15 - ESC Trusted Zone: http://www.realvnc.com
O15 - ESC Trusted Zone: http://www.spybotupdates.com
O15 - ESC Trusted Zone: http://www.timeamerica.com
O15 - ESC Trusted Zone: http://download1.veritas.com
O15 - ESC Trusted Zone: http://eventlookup.veritas.com
O15 - ESC Trusted Zone: http://seer.support.veritas.com
O15 - ESC Trusted Zone: http://support.veritas.com
O15 - ESC Trusted Zone: http://www.veritas.com
O15 - ESC Trusted Zone: http://download.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.0.1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.placeware.com/etc/place/DESK/VADpws-b3s/5.1.8.511/lib/quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124306027565
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dell.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbf.bc.ca
O17 - HKLM\Software\..\Telephony: DomainName = pbf.bc.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{8484A1CD-A3B3-40C7-8621-DDA908C46564}: NameServer = 192.168.1.10,192.168.1.1,207.136.100.41,209.148.64.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbf.bc.ca
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Compaq Redirection Service (CompaqSV) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dcevt32.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dcstor32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hardware Monitor Service (Hardware Monitor) - Unknown owner - C:\WINDOWS\system32\mshms.exe (file missing)
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe (file missing)
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Isp Logger (ispLog) - Unknown owner - C:\WINDOWS\isplog.exe (file missing)
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Ms File Manager Services (mscecosd) - Unknown owner - C:\WINDOWS\system32\msceco.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\omsad32.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: RPC Server (r_server) - Unknown owner - C:\WINDOWS\system32\Com\lsas.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Windows Internet Name Server (Serv-U) - Unknown owner - C:\WINDOWS\winsrv.exe (file missing)
O23 - Service: Secure Port Server (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\omaws32.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: System Protection (syspro) - Unknown owner - C:\WINDOWS\system32\lsasvc.exe (file missing)
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: MSNT Task Manager (TskSrv) - Unknown owner - C:\WINDOWS\system32\inetsrv\tsksrv.exe (file missing)
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 13425 bytes
Blender
2008-11-27, 22:32
Hi and welcome,

Is this computer used for work? If so -- do you have permission from supervisor/IT department to do whatever it takes to fix it?

This system is severely infected. :(
Alot more than delf on that system.
Including but not limited to the following:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojwollfa.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACDEF.M&VSect=T
http://virscan.org/report/1d06ac87510e3965b9ff77f6cca26f22.html

And several other back doors, downloaders.
Passwords are likely comprimized as well.

Looks like your system was being used as an FTP server as well.
Intruders that can gain access can use your system to serve up usually pirated or "adult" content.
Hidden backdoors/rootkits are often involved which can hide services, processes, and even hide the ability to see the network activity.
Removal is often difficult and one cannot always tell it was all removed/repaired.

O23 - Service: Windows Internet Name Server (Serv-U) - Unknown owner - C:\WINDOWS\winsrv.exe (file missing)

If this was my system -- it would be without question flattened/re-installed either from scratch or from a known good image backup.
I can't say for sure we can clean it up & be sure it will be as secure as it was before the infection.

If this machine has any customer/company confidential data atored on it -- it would be seriously irresponsible of me to clean this up & let you go thinking that data is still safe.
Simply because I don't know how long system has been infected & how long intruders had access and how much info they could have stolen and how many changes were made to system to make re-entry easier.

This box needs to be pulled offline till you or your IT department figures out what has been decided.
Other systems on the network need to be checked as well.

I wish I had better news but in my opinion the safest option is total wipe/re-install.

Let me know what you decide please.

Thanks
rhayek
2008-11-29, 05:17
Yes this computer is used for work and I do have permission to fix it.

I think I may take your advise and attempt to do a fresh install on the hard drive.

Thanks
Ron
Blender
2008-11-30, 14:18
Hi,

That would be my choice as well.
At least you will be sure of a secure safe system.

Don't forget to change passwords on sensitive sites/services you belong to or used with that system.

Some additional advise on keeping it safe & secure..
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279

Good luck & stay safe!