0

HI im infected with this cachecachekit trojan virus. I already downloaded and ran spybot and nothing happened. I got hijack and this is what it said. Please be patient with me as i'm not a techie. I'm just a simple guy whose pc got infected.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 4:28:17 PM, on 7/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijaCK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4529/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINNT\lsass.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

3
Contributors
15
Replies
16
Views
12 Years
Discussion Span
Last Post by FLYN
0

FLYN,

Hi and welcome to the Daniweb forums :).

===============

Please go to Jotti's and have this file scanned. Post the results back here.

C:\WINNT\lsass.exe

0

Thanks for the warm welcome. I did what you asked me and this is the result.

Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 8d965fab8330b931a551c2b894b1fe7a
Packers detected: PE_PATCH
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found BackDoor.IRC.Sdbot
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Ohhh boy.... what do i do now?

0

By the way I just discovered that my other pc which is using xp has redir.exe. Its not connected to my infected pc. However i read somewhere that redir.exe is a virus or trojan is it true or is it a valid application?

0

Regarding redir.exe. I did a google and the results are inconclusive. You would have to get the file scanned, or go to it's properties and find out when it was installed and who the manufacturer is.

C:\WINNT\lsass.exe will need to be deleted. Make note that there is a legitimate file of the same name in the system32 folder :).

Run hijackthis and hit the Open the Misc Tools Section and then the Open Uninstall Manager.

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINNT\lsass.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

Now manually delete the file. Post another log when you have rebooted.

0

It cant delete it , it said that the selected process could not be killed.It may have already closed or it may be protected by windows. This process might be a service. Should i delete it manually ?

0

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you the file.

C:\WINNT\lsass.exe

Reboot afterwards if the file is successfully deleted.

If the file is not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot.

That should do it.

0

I think we did it!!! the rdrivis gone along with the trojan. Thanks a lot I really appreciate it. Should I install a firewall for further protection?

0

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

Definitely get a firewall :)

0

I can't find the internet option in the control panel. Im using windows 2000

0

Pls disregard the earlier post I found the internet settings in the control panel.But I when i did the search for *.temp what came up was something like this, ZLT00924.TMP,ZLT04fb2.TMP are these the ones I should delete?

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

0

C:Documents and SettingsusernameLocal SettingsTemp

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

Definitely get a firewall :)

When I went to C:Documents and SettingsusernameLocal Settings. I found a temp folder and temporary internet files folder. Should I delete both?

Edited by diafol: fixed formatting

0

When I went to C:\Documents and Settings\username\Local Settings. I found a temp folder and temporary internet files folder. Should I delete both?

Do not delete the actual folders, just the contents. All temp files can safely be deleted, although some may be in use and cannot be deleted immediately.

0

thanks for the run thru.I think we got rid of it.I go to file sharing sites like kazaa, how do i prevent any more infestations on the pc if i go back to kazaa. i have a firewall installed now

0

how do i prevent any more infestations on the pc if i go back to kazaa.

That's like asking how you can go back to a poker table but not lose money this time.

There are measures that you can take to minimize the chances that malicious programs will be downloaded and/or installed on your system, as well as measures you can take to minimize damage should those programs actually manage to install themselves. However, none of the methods are foolproof or comprehensive, and the makers of the malicious programs are constantly finding new security holes to exploit and new ways to bypass current protections.

P2P Filesharing networks are some of the most notorious distribution vehicles for malware, and it's getting much harder to find a P2P network that is known to be "clean" of such nasties. Throw in the fact that a large amount of the content shared on P2P networks is copyrighted material, and you've got some pretty good reasons to give filesharing a miss entirely.

0

I like that poker game analogy.Hmmm now Im doing some deep thinking about this file sharing thing.Ok here's my next question. I just surf the other day and my norton detected some trojan on the temporary internet files. It was able to delete it.So now I'm becoming intensely paranoid about going to other sites because that means you can get a trojan just by dropping by.I thought you can only get a virus by opening email attachments. That's why I use yahoo mail ...so it can scan it.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.