0

Good day everyone.

A couple of days ago my norton av caught trojan.cachecachekit. now the popup nav window keeps coming up, and it can't get it to go away.

I tried the following without success:

in safe mode, i ran:

ewido
killbox
ad-ware
cleanup

still didn't stop in

Now I just ran Hijack this, and her is the log (i haven't fixed anything yet):

Logfile of HijackThis v1.99.1
Scan saved at 11:31:16 AM, on 7/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O15 - Trusted Zone: http://www.norton.com
O15 - Trusted Zone: securityresponse.symantec.com
O15 - Trusted Zone: www.update.symantec.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDACE83-556A-4DF0-96CD-8DC40D475DED}: NameServer = 201.225.225.225,201.225.225.226,201.224.73.162
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing)
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Local Security Authority System Service (Local Security Authority System) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Promise Technology, Inc. - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

6
Contributors
17
Replies
18
Views
12 Years
Discussion Span
Last Post by DMR
0

Open NotePad, and copy the contents of the below "Code" box:-

cd %windir%
attrib -s -r -h image.exe
attrib -s -r -h lsass.exe
del lsass.exe
del image.exe

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.


Download Sysclean Pacakge, create a folder named Sysclean on Desktop, and put the downloaded file to that folder. Next download the pattern file for Windows OS (pattern file will have a name like lpt731.zip ) and extract the contents of the ZIP file to the same Sysclean folder.

Download CleanUp! and install it, do not run it now. Next, download AboutBuster.

Reboot in Safe Mode. Run HijackThis and click Do only a System scan. Then put a check mark infront of below listed entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O15 - Trusted Zone: http://www.norton.com
O15 - Trusted Zone: securityresponse.symantec.com
O15 - Trusted Zone: www.update.symantec.com
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing)
O23 - Service: Local Security Authority System Service (Local Security Authority System) - Unknown owner - C:\WINNT\lsass.exe

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Go to Start > Run and type services.msc and press ENTER. In the Services window that opens up, navigate to the service named WIN32 (image) and right-click it, and select "Properties".
In the Property window, click Stop in the "Service Status" option box. After this, in the "Startup" option box, select Disabled from the dropdown menu. Click "Apply" and then "OK".
Repeat the above operations for this service too:-
Local Security Authority System Service (Local Security Authority System)
Exit from Services window.


Double-Click on the file Test.bat, a small DOS type window should open and close immediately.


Next, run AboutBuster and click "Begin Removal".
After this, run CleanUp!, click "Options" button, move the "Quick Setup" slider to "Thorough CleanUp!" and click "Yes" for the warning message and exit from Options. Click "CleanUp!" to start cleaning. After cleaning, click "Close", and choose "No" to avoid the restart of the PC.


Next, double-click on the sysclean.com file, and after few seconds, the Sysclean window appears. Here make sure that Automatically clean or delete infected files option is selected. Then click "Scan". After the scan is complete it gives a log, save the log file.


Run HijackThis again. Then click Do a System scan and save log, and post the fresh log along with the Sysclean log.

0

good day, SwatKat.

I went through your procedures, and got to the point where I'm supposed to run "About Buster" - but it would not open, saying the file was corrupted. I tried downloading again, but same result,

So moving on anyway, I went to run Sysclean, but after configuring, when I started the scan, a popup said "Pattern file 'LPT$VPN' is missing. Please download a new copy"

How can I get that LPT$VPN file? The Sysclean won't proceed without it.

Thanks.

0

I got sysclean to work. ( i had extractedthe zip file to the sysclean folder I created, but left the program unloaded on the desktop outside the folder - once I put it in the folder with that lpt$vn file it worked)

will continue on then and post the Hijack this log once I'm done.

thanks.

0

/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-07-18, 09:21:34, Auto-clean mode specified.
2005-07-18, 09:21:34, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN"...
2005-07-18, 09:21:55, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\TSC.BIN" has finished running.
2005-07-18, 09:21:55, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows 2000(Build 2195: Service Pack 4)

Start time : Mon Jul 18 2005 09:21:35

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\Sysclean\tsc.ptn" (version 627) [success]

Complete time : Mon Jul 18 2005 09:21:55
Execute pattern count(4102), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-07-18, 09:22:03, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Access is denied.
2005-07-18, 09:22:03, An error occurred while scanning file "C:\Documents and Settings\Administrator\ntuser.dat.LOG": Access is denied.
2005-07-18, 09:36:43, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-07-18, 09:36:43, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\NetHood\EVADISK on Evans pc\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (10)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (11)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (2)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (3)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (4)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (5)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (6)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (7)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (8)\*.*": The system cannot find the path specified.
2005-07-18, 09:43:08, An error was detected on "C:\Documents and Settings\Administrator\Recent\EVADISK on Evans pc (9)\*.*": The system cannot find the path specified.
2005-07-18, 10:00:35, Could not set file for reading on "C:\RECYCLER\NPROTECT\NPROTECT.LOG": Access is denied.
2005-07-18, 10:00:36, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\default": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\software": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\system": Access is denied.
2005-07-18, 10:05:49, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2005-07-18, 10:07:41, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN"...
2005-07-18, 10:35:01, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/18/2005 10:07:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 731 (104621 Patterns) (2005/07/14) (273100)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

36517 files have been read.
36517 files have been checked.
29057 files have been scanned.
56228 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/18/2005 10:35:01
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-18, 10:35:01, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/18/2005 10:07:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 731 (104621 Patterns) (2005/07/14) (273100)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

36517 files have been read.
36517 files have been checked.
29057 files have been scanned.
56228 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/18/2005 10:35:01 27 minutes 14 seconds (1633.94 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-18, 10:35:01, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/18/2005 10:07:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 731 (104621 Patterns) (2005/07/14) (273100)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

36517 files have been read.
36517 files have been checked.
29057 files have been scanned.
56228 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/18/2005 10:35:01 27 minutes 14 seconds (1633.94 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-18, 10:35:01, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2005-07-18, 10:35:01, Could not set file for reading on "E:\RECYCLER\NPROTECT\NPROTECT.LOG": Access is denied.
2005-07-18, 10:35:01, An error was detected on "E:\System Volume Information\*.*": Access is denied.
2005-07-18, 10:35:01, Running scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN"...
2005-07-18, 10:35:07, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/18/2005 10:35:02
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 731 (104621 Patterns) (2005/07/14) (273100)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

4 files have been read.
4 files have been checked.
2 files have been scanned.
2 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/18/2005 10:35:07
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-18, 10:35:07, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/18/2005 10:35:02
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 731 (104621 Patterns) (2005/07/14) (273100)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

4 files have been read.
4 files have been checked.
2 files have been scanned.
2 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/18/2005 10:35:07 0.09 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-18, 10:35:07, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/18/2005 10:35:02
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 731 (104621 Patterns) (2005/07/14) (273100)
Command Line: C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\Documents and Settings\Administrator\Desktop\Sysclean

4 files have been read.
4 files have been checked.
2 files have been scanned.
2 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/18/2005 10:35:07 0.09 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-18, 10:35:07, Scanner "C:\Documents and Settings\Administrator\Desktop\Sysclean\VSCANTM.BIN" has finished running.


Logfile of HijackThis v1.99.1
Scan saved at 10:36:28 AM, on 7/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDACE83-556A-4DF0-96CD-8DC40D475DED}: NameServer = 201.225.225.225,201.225.225.226,201.224.73.162
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Promise Technology, Inc. - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

0

swatkat,

I just posted results sysclean and hijackthis above. i've rebooted in normal mode and thus far have not seen the Norton AV popup which has been driving me insane.

Thanks for your kind help -- I'm standing by anyway incase you see something in the logs.

Rgds,
Jason

0

Hi,
Log looks better. There are some things to be removed now. Download AboutBuster.

Run HijackThis, select these entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

Close all other running programs, click "Fix Checked" in HijackThis.

Exit from HijackThis, and run AboutBuster, click "Begin Removal".

After this, reboot the PC, and post a fresh HijackThis log.

0

AboutBuster 5.0 reference file 31
Scan started on [7/18/2005] at [3:45:48 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:45:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:46:23 PM, on 7/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDACE83-556A-4DF0-96CD-8DC40D475DED}: NameServer = 201.225.225.225,201.225.225.226,201.224.73.162
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Promise Technology, Inc. - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

0

Swatkat,

just posted above About logfile and Hijackthis log.

Waiting to hear from you on anything.

Thanks!

0

jasonatpanama,

Does your last post mean that swatkat has helped you fix the problem entirely?

If so, please give us a definite response on that that, as we can mark this thread as "Solved" if so.

Thanks.

0

I was unfortunately hit with trojan.cachecachekit and tried everything to remove it. I spent hours and hours on this. After finding your website and trying all the steps you offered I was finally able to remove it. I believe that it was the Trend Micro Sysclean that actually killed it for me. Thanks!!!!

0

Hi Moonchild,

First of all- Welcome to our site.

Secondly- On behalf of the all of us who volunteer our time trying to help - I'm glad we were able to help you. :)

0

Hello, I am having the same kind of problem with this virus. / Looks like alot to do to get rid of it. Can someone tell me what shall I do first, please, thank you.
(this bug is driving me crazy)
PS> I have just installed XP home ed.
Also have Norton anti virus, and Zone alarm installed.

0

Download Sysclean Pacakge, create a folder named Sysclean on Desktop, and put the downloaded file to that folder. Next download the pattern file for Windows OS (pattern file will have a name like lpt731.zip ) and extract the contents of the ZIP file to the same Sysclean folder.

Reboot in Safe Mode.

Next, double-click on the sysclean.com file, and after few seconds, the Sysclean window appears. Here make sure that Automatically clean or delete infected files option is selected. Then click "Scan". After the scan is complete it gives a log, save the log file.

FreddyCoupler. Do the above then post the scan results and an hijackthis log into your own thread please.

0

before I start/ Just a quick question. Since this is a new install,and I have nothing much installed, would I be better formatting HD and installing XP fresh again? / If the anwswer here is "yes" , then after I install XP, what are the first things to do right after the install so as to avoid any virus problems ?
If the answer is "no" , then I will get started on the prevous advise. / thanks.

0

Hi FreddyCoupler,

If you have a brand new install, it might be more time-efficient to just install again, but the choice is really up to you. If you do decide to go with a fresh install, the following link has good information about the protective measures you should put in place immediately after reinstalling XP:

http://www.daniweb.com/techtalkforums/thread27519.html


If you decide to go through the cleaning instructions that swatkat posted, please start your own thread and post your information there. Mostly for clarity's sake, our site's Forum Rules prohibit members from "tagging" their questions onto a thread started by another member.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.