Aug 10th, 2005

trojan.cachecachekit

Hi, I'm a beginner to this site and need some help.

I've had NAV popups for trojan.cachecachekit for a week and have finally gotten rid of them, but NAV found 2 infected files that it left alone and could not delete - Trojan.Cachecachekit and W32.Spybot.Worm. Does this mean that I'm still infected?

Here's my HijackThis log, hopefully someone can help me out.

Cheers

Logfile of HijackThis v1.99.1
Scan saved at 12:58:13 AM, on 11/08/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\System32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Delane Webb\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...d/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kcx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB7961F5-FC35-4282-B299-D97EE3A72BC9}: NameServer = 203.49.70.20 139.134.2.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kcx.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kcx.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Posted by meldan

Aug 10th, 2005

Re: trojan.cachecachekit

Hi,

Open NotePad, and copy the contents of the below "Quote" box:-
Quote ...
cd %windir%
attrib -s -r -h image.exe
del image.exe
Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.


Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.


Download CCleaner and install it. Do not run it now.


Download Sysclean Package, create a folder named Sysclean on Desktop, and put the downloaded file to that folder. Next download the pattern file for Windows OS (pattern file will have a name like lpt731.zip ) and extract the contents of the ZIP file to the same Sysclean folder.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, choose Safe Mode and press Enter.


Go to Start > Run and type services.msc and press ENTER. In the Services window that opens up, navigate to the service named WIN32 (image) and right-click it, and select "Properties".
In the Property window, click Stop in the "Service Status" option box. After this, in the "Startup" option box, select Disabled from the dropdown menu. Click "Apply" and then "OK".


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing)


Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double-Click on the file Test.bat, a small DOS type window should open and close immediately.


Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options.
Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.


Next, double-click on the sysclean.com file, and after a few seconds, the Sysclean window appears. Here make sure that the Automatically clean or delete infected files option is selected. Then click "Scan". After the scan is complete it gives a log; save the log file.


Reboot to normal mode, run HijackThis again, and post a fresh log along with Sysclean and Ewido logs.
Posted by swatkat
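
A triage sketch for the HijackThis logs in this thread, added here as an example (it is not code from any poster or from HijackThis itself): it flags O23 service entries marked "Unknown owner" or "(file missing)", the combination carried by the WIN32 (image) entry in the steps above, and diffs a before/after pair of logs to show which entries a cleanup removed. The function names and the regular expression for the O23 line layout are assumptions derived from the log lines shown on this page.

```python
import re

# Lines copied from the two HijackThis logs posted in this thread (excerpts only).
BEFORE = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
"""

AFTER = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
"""

# Any item line: a section code (R0, F1, N2, O23, ...) followed by " - ".
ITEM_RE = re.compile(r"^[A-Z]\d{1,2} - ")

# Assumed O23 layout, inferred from the lines above:
#   O23 - Service: <name> - <owner> - <drive:\path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)


def items(log_text):
    """Return the set of HijackThis item lines found in a log."""
    stripped = (line.strip() for line in log_text.splitlines())
    return {line for line in stripped if ITEM_RE.match(line)}


def service_findings(log_text):
    """Map each O23 service name to the reasons it deserves a closer look."""
    findings = {}
    for line in sorted(items(log_text)):
        m = O23_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["owner"].lower() == "unknown owner":
            # Weak signal on its own: unsigned vendor services show it too.
            reasons.append("unknown owner")
        if m["missing"]:
            # The service is still registered but its image is gone from disk.
            reasons.append("file missing")
        if reasons:
            findings[m["name"]] = reasons
    return findings


def diff_logs(before, after):
    """Return (removed, added) item lines between two logs, each sorted."""
    b, a = items(before), items(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for name, reasons in service_findings(BEFORE).items():
        print(f"{name}: {', '.join(reasons)}")
    removed, added = diff_logs(BEFORE, AFTER)
    for line in removed:
        print("- " + line)
    for line in added:
        print("+ " + line)
```

The Netropa service carries "Unknown owner" in both logs and is not among the entries the steps above select for fixing, which is why the sketch reports reasons per service rather than a single verdict.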
Aug 12th, 2005

Re: trojan.cachecachekit

Hi, I've done as you instructed and below are the log files. Everything seemed to run smoothly, although when I ran HijackThis the following was not an option to be fixed (as you listed): O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing).

Anyway here are the log files, thanks again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 2:12:29 AM, on 13/08/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\System32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Delane Webb\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/acc...d/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kcx.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kcx.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kcx.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

-------------------------------



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-08-12, 19:35:21, Auto-clean mode specified.
2005-08-12, 19:35:21, Running scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\TSC.BIN"...
2005-08-12, 19:36:15, Scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\TSC.BIN" has finished running.
2005-08-12, 19:36:15, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows 2000(Build 2195: Service Pack 3)

Start time : Fri Aug 12 2005 19:35:22

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\tsc.ptn" (version 635) [success]

Complete time : Fri Aug 12 2005 19:36:15
Execute pattern count(4195), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-08-12, 19:37:20, An error occurred while scanning file "C:\Documents and Settings\Delane Webb\NTUSER.DAT": Access is denied.
2005-08-12, 19:37:20, An error occurred while scanning file "C:\Documents and Settings\Delane Webb\NTUSER.DAT.LOG": Access is denied.
2005-08-12, 19:37:52, An error occurred while scanning file "C:\Documents and Settings\Delane Webb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-12, 19:37:52, An error occurred while scanning file "C:\Documents and Settings\Delane Webb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-12, 19:54:47, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-08-12, 19:58:30, An error occurred while scanning file "C:\WINNT\system32\config\default": Access is denied.
2005-08-12, 19:58:30, An error occurred while scanning file "C:\WINNT\system32\config\DEFAULT.LOG": Access is denied.
2005-08-12, 19:58:30, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2005-08-12, 19:58:30, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2005-08-12, 19:58:30, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2005-08-12, 19:58:30, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2005-08-12, 19:58:30, An error occurred while scanning file "C:\WINNT\system32\config\software": Access is denied.
2005-08-12, 19:58:30, An error occurred while scanning file "C:\WINNT\system32\config\SOFTWARE.LOG": Access is denied.
2005-08-12, 19:58:31, An error occurred while scanning file "C:\WINNT\system32\config\system": Access is denied.
2005-08-12, 19:58:31, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2005-08-12, 20:01:09, Running scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN"...
2005-08-12, 20:24:14, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:01:10
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean

29063 files have been read.
29063 files have been checked.
20554 files have been scanned.
28510 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:24:14
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:24:15, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:01:10
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean

29063 files have been read.
29063 files have been checked.
20554 files have been scanned.
28510 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:24:14 22 minutes 59 seconds (1378.55 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:24:15, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:01:10
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean

29063 files have been read.
29063 files have been checked.
20554 files have been scanned.
28510 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:24:14 22 minutes 59 seconds (1378.55 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:24:15, Scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2005-08-12, 20:28:25, Running scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN"...
2005-08-12, 20:28:55, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:28:26
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean

686 files have been read.
686 files have been checked.
655 files have been scanned.
1798 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:28:55
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:28:55, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:28:26
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean

686 files have been read.
686 files have been checked.
655 files have been scanned.
1798 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:28:55 24 seconds (23.46 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:28:55, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:28:26
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean

686 files have been read.
686 files have been checked.
655 files have been scanned.
1798 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:28:55 24 seconds (23.46 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:28:55, Scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN" has finished running.


----------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:33:49 PM, 12/08/2005
+ Report-Checksum: EDC17528

+ Scan result:

C:\Documents and Settings\MonC\Cookies\monc@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\MonC\Cookies\monc@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\MonC\Cookies\monc@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\MonC\Cookies\monc@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\MonC\Cookies\monc@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\MonC\Cookies\monc@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\Documents and Settings\MonC\Cookies\monc@pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\MonC\Cookies\monc@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\MonC\Cookies\monc@www.qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\WINNT\system32\TFTP1436 -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\TFTP1528 -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\TFTP1784 -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\TFTP2332 -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\TFTP3352 -> Backdoor.Rbot : Cleaned with backup


::Report End


My computer seems to be running extremely slowly also, any ideas???

Looking forward to your reply
Posted by meldan

Aug 12th, 2005

Re: trojan.cachecachekit

Hi,
Log looks clean. Is your Norton AntiVirus giving any alarms?

And, for the performance of the system, you can perform Disk Defragmenter. This is available in Start > All Programs > Accessories > System Tools. Defrag all the hard disk partitions.
Also, close not-so-important processes running in background, like WinZIP QuickPick. Right-click on the WinZip icon in System Tray, and click "Close and Remove" and click OK.
Posted by swatkat

Sep 6th, 2005

Re: trojan.cachecachekit

No problems from antivirus. All looks clean. Thanks heaps for your help

Still having major problems with performance though. Ran Disk Defragmenter but this has not improved the problem. It's running so slowly now that I often can't even log onto the internet as by the time the modem kicks in it thinks there is no dial tone. I'm just about to throw the whole thing out the window actually. I'm wondering if reformatting and starting from scratch is the way to go. What do you think?

Cheers
Posted by meldan

Sep 6th, 2005

Re: trojan.cachecachekit

Hi,
Does your modem give you a "There is no dial tone" error? If yes, then you can make the modem not wait for the dial tone. Go to Start > Control Panel. Here click the "Modems" (or "Phone And Modems") button. Here click the "Properties" button and in the General tab, uncheck the option "Wait for dial tone before dialling" and click "OK".
Posted by swatkat

Sep 17th, 2005

Re: trojan.cachecachekit

I have trojan.cachecachekit and I can't for the life of me figure out how to remove it. Can I post my HijackThis log so someone can walk me through it?
Posted by tofadeisastart

Sep 17th, 2005

Re: trojan.cachecachekit

Quote originally posted by tofadeisastart ...
I have trojan.cachecachekit and I can't for the life of me figure out how to remove it. Can I post my HijackThis log so someone can walk me through it?
Hi tofadeisastart ,
Please start a new topic and post your log file in that topic. You can start a new topic by clicking the "New Thread" button present in the upper-left corner of this page.
Posted by swatkat

Sep 18th, 2005

Re: trojan.cachecachekit

Hello, I just recently got this trojan. I was using AOL Instant Messenger and one of my friends had the trojan, and it automatically sent a message containing a link, asking to click the link and open a file. Well, stupid me totally forgot that it was an auto message and was not really my friend asking me to open a file, so I clicked the link, I opened it, ran it and everything, and before I knew it I had a trojan on my system. It was the cachecachekit trojan, or rdriv.sys; it changed file names frequently. My Symantec Corporate Edition discovered the trojan and quarantined it over and over, but the trojan kept repeating, so finally I deleted all files of the trojan via Symantec. Now that I have done that, my Symantec does not automatically pop up notifying me of a trojan, and whenever I complete a full scan of my system using Symantec, it shows no viruses, trojans, etc., so I'm pretty sure the trojan is gone. The bad thing is that while it was still alive and running it changed a lot of my settings:
- I cannot access any Symantec webpage.
- It has turned my Windows Firewall off, and everything is grayed out so I am unable to turn it back on. It says that group policy is controlling these firewall settings.

I tried accessing group policy to change the firewall settings; I looked around and couldn't find anything. I don't know too much about computers and would greatly appreciate it if anyone could help me totally remove all of this junk and messed up settings, and get my computer back to normal with normal settings. Email me or reply if you need any other information as to helping me out. Please help, thanks.
Posted by josh48315

Sep 18th, 2005

Re: trojan.cachecachekit

Hi josh48315,
Download HijackThis and unzip it to a dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button Do a System scan and save log file. HijackThis will perform a scan and save the log file as hijackthis.log in the same folder where it is installed, and it also opens the file automatically.

Please start a new topic and post the complete HijackThis log file in that topic. You can start a new topic by clicking the "New Thread" button present in the upper-left corner of this page.
Posted by swatkat