glennday Posted February 10, 2009 ID:55280 Share Posted February 10, 2009 I have a windows 2003 server SP2 and have become infected with Win32.delf.rtk & Refpron.I have ran Spybot and Malwarebytes. I also have McAfee Antivirus installed and is up to date. All three have found and deleted infections but it keeps reinfecting itself.I have installed Hijack this and included a log file. Can you help?Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:30:35 AM, on 2/10/2009Platform: Windows 2003 SP2 (WinNT 5.02.3790)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Dfssvc.exeC:\WINDOWS\System32\dns.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\ismserv.exeC:\Program Files\McAfee\Common Framework\FrameworkService.exeC:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exeC:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exec:\Program Files\ArGo Software Design\Mail Server\mlsrvnt.exeC:\WINDOWS\system32\ntfrs.exeC:\WINDOWS\system32\SVCHOST.EXEC:\Program Files\UPHClean\uphclean.exeC:\Program Files\UltraVNC\WinVNC.exeC:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\dmadmin.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXEC:\Program Files\McAfee\Common Framework\UdaterUI.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeC:\Program Files\McAfee\Common Framework\McTray.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htmR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.windowsupdate.com (HKLM)O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CABO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232656984900O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = andover101.localO17 - HKLM\Software\..\Telephony: DomainName = andover101.localO17 - HKLM\System\CCS\Services\Tcpip\..\{1780F450-986E-4125-AF50-EE22B85FC1F0}: NameServer = 127.0.0.1O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = andover101.localO17 - HKLM\System\CS1\Services\Tcpip\..\{1780F450-986E-4125-AF50-EE22B85FC1F0}: NameServer = 127.0.0.1O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = andover101.localO17 - HKLM\System\CS3\Services\Tcpip\..\{1780F450-986E-4125-AF50-EE22B85FC1F0}: NameServer = 127.0.0.1O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exeO23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exeO23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exeO23 - Service: ArGoSoft Mail Server (msServerForm) - ArGo Software Design - c:\Program Files\ArGo Software Design\Mail Server\mlsrvnt.exeO23 - Service: NetOp Helper ver. 9.00 (2007058) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXEO23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe--End of file - 6468 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 11, 2009 Root Admin ID:55451 Share Posted February 11, 2009 Well generally speaking we don't help business users for free. You should have either a Corporate or Technician license to obtain support.If this is not a business then why are you running Server 2003 ?I can assist you in attempting to clean the Server, however I'm a volunteer here and in my day job I'm a Corporate Network Administrator and you really should not clean up the Server in my opinion as you will never be able to trust it again. A server should not be used for surfing the Web and should have all Windows updates and Anti-Virus and permissions set so that non admins would not be able to attack the box easily.Let me know what you'd like to do though and I'll try to assist you if you do want to attempt to clean it instead of rebuild and restore data. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 15, 2009 Root Admin ID:56643 Share Posted February 15, 2009 Please post a status update on this or we'll be closing the post soon Link to post Share on other sites More sharing options...
Recommended Posts