Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

StartPage-DU.dll Trojan [RESOLVED]


  • This topic is locked This topic is locked

#1
nashraf

nashraf

    New Member

  • Member
  • Pip
  • 4 posts
Hi thanks for all the good posts.
I have used the advise u have given in some of the other posts, but not able to remove the above trojan. I have deleted some of the files associated with this Trojan using HackThis utility based on ur suggestions, but no success so far. I have also used some of the other utilities u have mentioned.

Below is my log file from hackThis.

Thanks.

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:45:07 PM, on 7/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sdkoh32.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\Program Files\common files\dtt\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\lotus\notes\ntmulti.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\CICheck\CICheck.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\sdkhn32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\??xplore.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\nashraf\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {90965649-8DEF-CF3B-37E1-4CB76DC73681} - C:\WINDOWS\d3cu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [ConfigFree] C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
O4 - HKLM\..\Run: [CICheck.exe] C:\Program Files\CICheck\CICheck.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\eXpress\NS Client\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sdkhn32.exe] C:\WINDOWS\sdkhn32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hcri] C:\Documents and Settings\nashraf\Application Data\heba.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\aventail\connect\asdns.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.deloitte.com
O15 - Trusted Zone: marketplace.deloitte.com
O15 - Trusted Zone: *.deloittenet.com
O15 - Trusted Zone: http://*.onesource.com
O15 - Trusted Zone: http://*.psnweb
O15 - Trusted Zone: http://*.taxshare
O15 - Trusted Zone: http://www.taxshare.com
O15 - Trusted Zone: http://*.onesource.com (HKLM)
O15 - Trusted Zone: http://*.psnweb (HKLM)
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://dt3dfaexns/ae...ntBootstrap.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1118333740253
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118333681614
O16 - DPF: {F757B9F8-26DD-46BE-B57A-73A4744B7AFB} (DPFileTransferServer.FileUpload) - https://deloitteaudi...rServer2000.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\Software\..\Telephony: DomainName = us.deloitte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.deloitte.com,taxtech.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.deloitte.com,taxtech.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\sdkoh32.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\common files\dtt\blackd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - Unknown owner - C:\Program Files\AccessManager\Client\DAPlugin.exe (file missing)
O23 - Service: DeployDirector v2_6 Server - Alexandria Software Consulting - C:\DeployDirector\standalone\bin\tomcat.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\common files\dtt\RapApp.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Nashraf and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. Lets see what we can do with the first sweep. I am assuming that all references to Deloitte in your log are legitimate; please advise if that is not the case.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CWShredder
CCleaner
Ewido Security Suite
cwsserviceemove.reg file

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

Service: Remote Procedure Call (RPC) Helper ( 11F #`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

RPC or 11F #`I

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Install Ewido Security Suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

[*]Launch ewido, there should be an icon on your desktop, double-click it.
[*]The program will now open to the main screen.
[*]When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

Now that the updates have been installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dcsww.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {90965649-8DEF-CF3B-37E1-4CB76DC73681} - C:\WINDOWS\d3cu32.dll
O4 - HKLM\..\Run: [sdkhn32.exe] C:\WINDOWS\sdkhn32.exe
O4 - HKCU\..\Run: [Hcri] C:\Documents and Settings\nashraf\Application Data\heba.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\sdkoh32.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - Unknown owner - C:\Program Files\AccessManager\Client\DAPlugin.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\sdkoh32.exe
C:\WINDOWS\sdkhn32.exe
C:\WINDOWS\System32\??xplore.exe
C:\WINDOWS\system32\dcsww.dll/sp.html#77035
C:\WINDOWS\d3cu32.dll
C:\Documents and Settings\nashraf\Application Data\heba.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt..

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues fix selected issues

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Post back a fresh HijackThis log and I will take another look.
  • 0

#3
nashraf

nashraf

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the respose and appreciate your help. All the entries with the deloitte are valid.

Below is the log file from HackThis. I saved the log file Ewidon as text, but now when I open it, its seems to be a binary file. If you need this file, I can run the scan again and send it to you.

Keep the good working going.

----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:20:47 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\Program Files\common files\dtt\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\lotus\notes\ntmulti.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\CICheck\CICheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\nashraf\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kutib.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kutib.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kutib.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [ConfigFree] C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
O4 - HKLM\..\Run: [CICheck.exe] C:\Program Files\CICheck\CICheck.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\eXpress\NS Client\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hcri] C:\Documents and Settings\nashraf\Application Data\heba.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\aventail\connect\asdns.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.deloitte.com
O15 - Trusted Zone: marketplace.deloitte.com
O15 - Trusted Zone: *.deloittenet.com
O15 - Trusted Zone: http://*.onesource.com
O15 - Trusted Zone: http://*.psnweb
O15 - Trusted Zone: http://*.taxshare
O15 - Trusted Zone: http://www.taxshare.com
O15 - Trusted Zone: http://*.onesource.com (HKLM)
O15 - Trusted Zone: http://*.psnweb (HKLM)
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://dt3dfaexns/ae...ntBootstrap.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1118333740253
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118333681614
O16 - DPF: {F757B9F8-26DD-46BE-B57A-73A4744B7AFB} (DPFileTransferServer.FileUpload) - https://deloitteaudi...rServer2000.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\Software\..\Telephony: DomainName = us.deloitte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.deloitte.com,taxtech.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.deloitte.com,taxtech.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\common files\dtt\blackd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - Unknown owner - C:\Program Files\AccessManager\Client\DAPlugin.exe (file missing)
O23 - Service: DeployDirector v2_6 Server - Alexandria Software Consulting - C:\DeployDirector\standalone\bin\tomcat.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\common files\dtt\RapApp.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe

--------------------------------------------------------------------
--------------------------------------------------------------------
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Nashraf

Its looking better, but alas, not yet clean. It would have been useful to have seen the Ewido report but not essential. Lets give it one more conventional try and a manual deletion this time. If there is anything in my instructions that you dont understand, please ask.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

I note that you are still running HijackThis from your Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Install Ewido Security Suite it is a free version of the programme.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

[*]Launch Ewido, there should be an icon on your desktop, double-click it.
[*]The program will now open to the main screen.
[*]When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

Now that the updates have been installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kutib.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kutib.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kutib.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Hcri] C:\Documents and Settings\nashraf\Application Data\heba.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - Unknown owner - C:\Program Files\AccessManager\Client\DAPlugin.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\system32\kutib.dll
C:\Documents and Settings\nashraf\Application Data\heba.exe

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

Please run CCleaner again. Open, check the default setting in the left-hand pane, Analyze, Run Cleaner. Also click Issues then Scan for issues fix selected issues

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Post back a fresh HijackThis log and I will take another look.
  • 0

#5
nashraf

nashraf

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Below is the report from Hijack and Ewido. Thanks.

Hijack Report
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:10:48 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\Program Files\common files\dtt\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\program files\lotus\notes\ntmulti.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\CICheck\CICheck.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = tycoproxy.proxy.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [ConfigFree] C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
O4 - HKLM\..\Run: [CICheck.exe] C:\Program Files\CICheck\CICheck.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\eXpress\NS Client\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Collegiate &Dictionary - C:\Program files\Merriam-Webster Toolbar\dictionary.htm
O8 - Extra context menu item: Collegiate &Thesaurus - C:\Program files\Merriam-Webster Toolbar\thesaurus.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\aventail\connect\asdns.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.deloitte.com
O15 - Trusted Zone: marketplace.deloitte.com
O15 - Trusted Zone: *.deloittenet.com
O15 - Trusted Zone: http://*.onesource.com
O15 - Trusted Zone: http://*.psnweb
O15 - Trusted Zone: http://*.taxshare
O15 - Trusted Zone: http://www.taxshare.com
O15 - Trusted Zone: http://*.onesource.com (HKLM)
O15 - Trusted Zone: http://*.psnweb (HKLM)
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://dt3dfaexns/ae...ntBootstrap.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1118333740253
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118333681614
O16 - DPF: {F757B9F8-26DD-46BE-B57A-73A4744B7AFB} (DPFileTransferServer.FileUpload) - https://deloitteaudi...rServer2000.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\Software\..\Telephony: DomainName = us.deloitte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.deloitte.com,taxtech.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.deloitte.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.deloitte.com,taxtech.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\common files\dtt\blackd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - Unknown owner - C:\Program Files\AccessManager\Client\DAPlugin.exe (file missing)
O23 - Service: DeployDirector v2_6 Server - Alexandria Software Consulting - C:\DeployDirector\standalone\bin\tomcat.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\common files\dtt\RapApp.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe


---------------------------------------------------------------------------
--------------------------------------------------------------------------

Ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:19:38 PM, 7/25/2005
+ Report-Checksum: D08CF34B

+ Scan result:

:mozilla.40:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.43:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.49:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.50:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.86:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.87:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.88:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.89:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.90:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.98:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.99:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.100:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.101:C:\Documents and Settings\nashraf\Application Data\Mozilla\Firefox\Profiles\59vyg6dm.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\nashraf\Cookies\nashraf@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\nashraf\Cookies\nashraf@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\nashraf\Cookies\nashraf@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup


::Report End
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Congratulations! your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

MOST IMPORTANT: You should update Windows and Internet Explorer to get all the Latest Security Patches to protect your computer from the malware that is around on the internet.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL A fine free malware detector and removal programme
SPYBOT S&D Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programmes for on demand scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)

Happy safe surfing Nashraf!
  • 0

#7
nashraf

nashraf

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for great help.
  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP