Jump to content

Win32.delf.rtk / refpron infection

Recommended Posts

I have a windows 2003 server SP2 and have become infected with Win32.delf.rtk & Refpron.

I have ran Spybot and Malwarebytes. I also have McAfee Antivirus installed and is up to date. All three have found and deleted infections but it keeps reinfecting itself.

I have installed Hijack this and included a log file. Can you help?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:30:35 AM, on 2/10/2009

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:












C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe



c:\Program Files\ArGo Software Design\Mail Server\mlsrvnt.exe



C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe





C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe


C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.windowsupdate.com (HKLM)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232656984900

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = andover101.local

O17 - HKLM\Software\..\Telephony: DomainName = andover101.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{1780F450-986E-4125-AF50-EE22B85FC1F0}: NameServer =

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = andover101.local

O17 - HKLM\System\CS1\Services\Tcpip\..\{1780F450-986E-4125-AF50-EE22B85FC1F0}: NameServer =

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = andover101.local

O17 - HKLM\System\CS3\Services\Tcpip\..\{1780F450-986E-4125-AF50-EE22B85FC1F0}: NameServer =

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: ArGoSoft Mail Server (msServerForm) - ArGo Software Design - c:\Program Files\ArGo Software Design\Mail Server\mlsrvnt.exe

O23 - Service: NetOp Helper ver. 9.00 (2007058) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE

O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


End of file - 6468 bytes

Link to post
Share on other sites

  • Root Admin

Well generally speaking we don't help business users for free. You should have either a Corporate or Technician license to obtain support.

If this is not a business then why are you running Server 2003 ?

I can assist you in attempting to clean the Server, however I'm a volunteer here and in my day job I'm a Corporate Network Administrator and you really should not clean up the Server in my opinion as you will never be able to trust it again. A server should not be used for surfing the Web and should have all Windows updates and Anti-Virus and permissions set so that non admins would not be able to attack the box easily.

Let me know what you'd like to do though and I'll try to assist you if you do want to attempt to clean it instead of rebuild and restore data.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.