Hi Andrew & Others:

I found the thread on the Aumha Forums that you started that has been replied to by Bill Castner, a Moderator & Microsoft Most Valuable Professional. I realize his responses to you were not helpful for the immediate future; however, he has posted other info in those forums about Delf as follows:
"You will not be able to enumerate a Delf infection. It has one to in some cases multiple rootkits, who have as one responsibility to ensure that the detection and identification of their activity is suppressed by the Windows APIs.

Your log shows you are still infected. I honestly do not believe that AVG free is capable of removing a Delf infection. There are Delf variants that I know cannot be removed by most paid antivirus programs.

The way Delf infections work is that they have a rootkit service entry that protects a DLL. In turn, the DLL protects the rootkit. These will be invisible to Windows APIs and invisible to tools that depend on them, such as REGEDIT. There can be multiple DLLs and multiple rootkit entries, each providing some measure of stealth and removal challenges to each other in a symbiotic relationship.

In the main, Delf will employ userland rootkits, rather than kernel mode rootkits. You need to find and kill the rootkit services. Then go back and remove the now unprotected DLLs.

You can expect that Delf will defeat most rootkit detector utilities. They will not see the rootkits, or if they see them they will be unable to remove them. The current Delf infections are usually from China, and you can expect a lot of tedious work with such utilities as Ice Sword or Dark Spy to remove the rootkit entries, if it is even possible in Normal modes of Windows. With some newer variants you will need to use a WinPE environment, or even Recovery Console, and delete the rootkits manually. This is somewhat challenging as their filenames will change on every restart of the computer.

If, and many do nowadays, the Delf infection has kernel level hooks, you might not be able to remove them at all unless you are very skilled at rebuilding native XP or Vista services by hand.

Since the objective of Delf is to steal user information, including passwords, and distribute them to malicious users on the Internet, the best advice I can give you is to reformat and reinstall on clean media. You can expect to have to reformat any hard drive, and any portable media device such as a USB pen drive used with the computer. See my thoughts here: http://aumha.net/viewtopic.php?t=28580

You should consider using a Sophos IDE for this to start. These can be terrifically effective on the smaller Delf infections: http://www.sophos.com/security/analyses/w32delfeyr.html

Instructions for use: http://www.sophos.com/support/knowledgebase/article/363.html

This of course will do nothing for your already compromised user account information and compromised passwords."
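The quoted reply describes the mechanism that makes these infections hard to see: a service entry protects a DLL, the DLL protects the rootkit, and userland hooks filter what the Windows APIs report, so REGEDIT and most scanners see nothing. One defensive way to get a second opinion is a cross-view check: ask the Service Control Manager what services and drivers exist, then read the raw `HKLM\SYSTEM\CurrentControlSet\Services` keys and report any entry the SCM did not mention, together with its `ImagePath` and any `ServiceDll` under `Parameters`. The script below is an added example written for this thread; it is not Bill Castner's procedure, not a Sophos tool, and not from the original post. It assumes an elevated PowerShell prompt on Windows 7 or later (the `Get-CimInstance` cmdlet did not exist on XP); the `$ServicesKey` parameter is my own addition so the same check can be pointed at an offline hive.

```powershell
# Cross-view check for service/driver entries hidden from the Windows service APIs.
# Added example for this thread, not code from the forum reply. Run elevated.
# Registry Type values: 1 = kernel driver, 2 = file system driver,
# 0x10 = Win32 own-process service, 0x20 = Win32 shared-process service.
param(
    # Point this at HKLM:\Offline\ControlSet001\Services after `reg load` of an
    # offline SYSTEM hive (from WinPE) to bypass userland hooks on the live box.
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# View 1: what the Service Control Manager / WMI are willing to report.
$apiNames = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service)      { $apiNames[$s.Name.ToLower()] = 'service' }
foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) { $apiNames[$d.Name.ToLower()] = 'driver' }

# View 2: every key under the Services hive that could actually be loaded.
$findings = foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Keys without ImagePath or Type are configuration containers, not loadable entries.
    if (-not $props.ImagePath -or $null -eq $props.Type) { continue }

    $name = $key.PSChildName.ToLower()
    if ($apiNames.ContainsKey($name)) { continue }   # both views agree; nothing to report

    # Shared-process (svchost) services keep the real payload in Parameters\ServiceDll.
    $params = Get-ItemProperty -Path (Join-Path $key.PSPath 'Parameters') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name       = $key.PSChildName
        Type       = ('0x{0:X}' -f [int]$props.Type)
        Start      = $props.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath  = $props.ImagePath
        ServiceDll = $params.ServiceDll
    }
}

if ($findings) {
    Write-Host "Registry service entries NOT reported by the SCM/WMI view:" -ForegroundColor Yellow
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No discrepancy between registry and SCM views under $ServicesKey."
}
```

A hit is a lead, not a verdict: a few benign discrepancies are normal (entries left behind by uninstalled drivers, per-user service templates on newer Windows), so review each `ImagePath` and `ServiceDll` rather than deleting on sight. Both views are read through Windows APIs, so a rootkit that hooks registry enumeration as well as the SCM can hide from this script too; that is the reason the quoted advice moves to WinPE or the Recovery Console for the stubborn variants, and why the most reliable run of this check is against an offline copy of the SYSTEM hive loaded with `reg load` and passed in through `-ServicesKey`.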