
Hi, I'm new to this site and need some help.

I've had NAV popups for trojan.cachecachekit for a week and have finally gotten rid of them, but NAV found 2 infected files that it left alone and could not delete - Trojan.Cachecachekit and W32.Spybot.Worm. Does this mean that I'm still infected?

Here's my HijackThis log, hopefully someone can help me out.

Cheers

Logfile of HijackThis v1.99.1
Scan saved at 12:58:13 AM, on 11/08/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\System32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Delane Webb\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kcx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB7961F5-FC35-4282-B299-D97EE3A72BC9}: NameServer = 203.49.70.20 139.134.2.190
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kcx.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kcx.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

6 contributors, 15 replies, 16 views, discussion span 12 years, last post by pctechme

Hi,

Open Notepad and copy the contents of the "Quote" box below:

@echo off
rem Clear the system, read-only and hidden attributes so the file can be deleted
cd /d %windir%
attrib -s -r -h image.exe
del image.exe

Go to File > Save As, save the file with the name Test.bat, and exit Notepad.


Download Ewido and install it. Then run it; you will receive a warning message saying "Database not found", click "OK" for this. Next, in the main screen, click "Update" and then "Start Update". After the update finishes, exit Ewido.


Download CCleaner and install it. Do not run it now.


Download the Sysclean Package, create a folder named Sysclean on the Desktop, and put the downloaded file in that folder. Next, download the pattern file for Windows (the pattern file will have a name like lpt731.zip) and extract the contents of the ZIP file into the same Sysclean folder.


Reboot into Safe Mode:
Restart (or switch on) the PC.
Then keep tapping the F8 key.
From the menu that is displayed, choose Safe Mode and press Enter.


Go to Start > Run, type services.msc and press Enter. In the Services window that opens, navigate to the service named WIN32 (image), right-click it, and select "Properties".
In the Properties window, click Stop in the "Service Status" box. After this, in the "Startup" box, select Disabled from the dropdown menu. Click "Apply" and then "OK".


Run HijackThis and click "Do only a system scan".
Then put a check mark in front of the entries listed below:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing)

Close all other open programs except HijackThis and click the "Fix Checked" button in HijackThis.


Double-click the file Test.bat; a small DOS-type window should open and close immediately.


Run CCleaner, click the "Options" button, go to the "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit the Options.
Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If Ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.


Next, double-click on the sysclean.com file; after a few seconds the Sysclean window appears. Make sure the "Automatically clean or delete infected files" option is selected, then click "Scan". After the scan is complete it produces a log; save the log file.


Reboot to normal mode, run HijackThis again, and post a fresh log along with Sysclean and Ewido logs.


Hi, I've done as you instructed and below are the log files. Everything seemed to run smoothly, although when I ran HijackThis the following was not an option to be fixed (as you listed):

O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing).

Anyway here are the log files, thanks again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 2:12:29 AM, on 13/08/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\System32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Delane Webb\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kcx.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kcx.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kcx.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

-------------------------------



/--------------------------------------------------------------\
|                 Trend Micro Sysclean Package                 |
|              Copyright 2002, Trend Micro, Inc.               |
|                  http://www.trendmicro.com                   |
\--------------------------------------------------------------/


2005-08-12, 19:35:21,   Auto-clean mode specified.
2005-08-12, 19:35:21,   Running scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\TSC.BIN"...
2005-08-12, 19:36:15,   Scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\TSC.BIN" has finished running.
2005-08-12, 19:36:15,   TSC Log:

Damage Cleanup Engine (DCE)  3.9(Build 1020)
Windows 2000(Build 2195: Service Pack 3)

Start time : Fri Aug 12 2005 19:35:22

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\tsc.ptn" (version 635) [success]

Complete time : Fri Aug 12 2005 19:36:15
Execute pattern count(4195), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-08-12, 19:37:20,   An error occurred while scanning file "C:\Documents and Settings\Delane Webb\NTUSER.DAT": Access is denied.
2005-08-12, 19:37:20,   An error occurred while scanning file "C:\Documents and Settings\Delane Webb\NTUSER.DAT.LOG": Access is denied.
2005-08-12, 19:37:52,   An error occurred while scanning file "C:\Documents and Settings\Delane Webb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-12, 19:37:52,   An error occurred while scanning file "C:\Documents and Settings\Delane Webb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-12, 19:54:47,   An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-08-12, 19:58:30,   An error occurred while scanning file "C:\WINNT\system32\config\default": Access is denied.
2005-08-12, 19:58:30,   An error occurred while scanning file "C:\WINNT\system32\config\DEFAULT.LOG": Access is denied.
2005-08-12, 19:58:30,   An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2005-08-12, 19:58:30,   An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2005-08-12, 19:58:30,   An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2005-08-12, 19:58:30,   An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2005-08-12, 19:58:30,   An error occurred while scanning file "C:\WINNT\system32\config\software": Access is denied.
2005-08-12, 19:58:30,   An error occurred while scanning file "C:\WINNT\system32\config\SOFTWARE.LOG": Access is denied.
2005-08-12, 19:58:31,   An error occurred while scanning file "C:\WINNT\system32\config\system": Access is denied.
2005-08-12, 19:58:31,   An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2005-08-12, 20:01:09,   Running scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN"...
2005-08-12, 20:24:14,   Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:01:10
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean 

29063 files have been read.
29063 files have been checked.
20554 files have been scanned.
28510 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:24:14
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:24:15,   Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:01:10
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean 

29063 files have been read.
29063 files have been checked.
20554 files have been scanned.
28510 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:24:14    22 minutes 59 seconds (1378.55 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:24:15,   Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:01:10
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean 

29063 files have been read.
29063 files have been checked.
20554 files have been scanned.
28510 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:24:14    22 minutes 59 seconds (1378.55 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:24:15,   Scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN" has finished running.
2005-08-12, 20:28:25,   Running scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN"...
2005-08-12, 20:28:55,   Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:28:26
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean 

686 files have been read.
686 files have been checked.
655 files have been scanned.
1798 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:28:55
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:28:55,   Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:28:26
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean 

686 files have been read.
686 files have been checked.
655 files have been scanned.
1798 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:28:55    24 seconds (23.46 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:28:55,   Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/12/2005 20:28:26
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 771 (106266 Patterns) (2005/08/10) (277100)
Command Line: C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Delane Webb\Desktop\Sysclean 

686 files have been read.
686 files have been checked.
655 files have been scanned.
1798 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/12/2005 20:28:55    24 seconds (23.46 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-12, 20:28:55,   Scanner "C:\Documents and Settings\Delane Webb\Desktop\Sysclean\VSCANTM.BIN" has finished running.


----------------------

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          7:33:49 PM, 12/08/2005
 + Report-Checksum:     EDC17528

 + Scan result:

    C:\Documents and Settings\MonC\Cookies\monc@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\MonC\Cookies\monc@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\MonC\Cookies\monc@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\MonC\Cookies\monc@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\MonC\Cookies\monc@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\MonC\Cookies\monc@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
    C:\Documents and Settings\MonC\Cookies\monc@pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\MonC\Cookies\monc@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\MonC\Cookies\monc@www.qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
    C:\WINNT\system32\TFTP1436 -> Backdoor.Rbot : Cleaned with backup
    C:\WINNT\system32\TFTP1528 -> Backdoor.Rbot : Cleaned with backup
    C:\WINNT\system32\TFTP1784 -> Backdoor.Rbot : Cleaned with backup
    C:\WINNT\system32\TFTP2332 -> Backdoor.Rbot : Cleaned with backup
    C:\WINNT\system32\TFTP3352 -> Backdoor.Rbot : Cleaned with backup


::Report End

My computer also seems to be running extremely slowly, any ideas?

Looking forward to your reply :)


Hi,
Log looks clean :) Is your Norton AntiVirus giving any alarms?

And, for the performance of the system, you can run Disk Defragmenter. This is available in Start > All Programs > Accessories > System Tools. Defrag all the hard disk partitions.
Also, close not-so-important processes running in background, like WinZIP QuickPick. Right-click on the WinZip icon in System Tray, and click "Close and Remove" and click OK.


No problems from antivirus. All looks clean. Thanks heaps for your help :D

Still having major problems with performance though. I ran Disk Defragmenter but this has not improved the problem. It's running so slowly now that I often can't even log onto the internet, as by the time the modem kicks in it thinks there is no dial tone. I'm just about to throw the whole thing out the window actually. I'm wondering if reformatting and starting from scratch is the way to go. What do you think?

Cheers


Hi,
Does your modem give you a "There is no dial tone" error? If yes, then you can make the modem not wait for a dial tone. Go to Start > Control Panel and click "Modems" (or "Phone and Modems"). Click the "Properties" button and, in the General tab, uncheck the option "Wait for dial tone before dialling" and click "OK".


I have trojan.cachecachekit and I can't for the life of me figure out how to remove it. Can I post my HijackThis log so someone can walk me through it?


> I have trojan.cachecachekit and I can't for the life of me figure out how to remove it. Can I post my HijackThis log so someone can walk me through it?

Hi tofadeisastart :),
Please start a new topic and post your log file in that topic. You can start a new topic by clicking the "New Thread" button present in the upper-left corner of this page.


Hello, I just recently got this trojan. I was using AOL Instant Messenger and one of my friends had the trojan, and it automatically sent a message containing a link, asking to click the link and open a file. Well, stupid me totally forgot that it was an auto message and was not really my friend asking me to open a file, so I clicked the link, opened it, ran it and everything, and before I knew it I had a trojan on my system. It was the cachecachekit trojan, or rdriv.sys; it changed file names frequently. My Symantec Corporate Edition discovered the trojan and quarantined it over and over, but the trojan kept repeating, so finally I deleted all files of the trojan via Symantec. Now that I have done that, my Symantec does not automatically pop up notifying me of a trojan, and whenever I complete a full scan of my system using Symantec, it shows no viruses, trojans, etc., so I'm pretty sure the trojan is gone. The bad thing is that while it was still alive and running it changed a lot of my settings:
- I cannot access any Symantec webpage.
- It has turned my Windows Firewall off, and everything is grayed out so I am unable to turn it back on. It says that group policy is controlling these firewall settings.

I tried accessing group policy to change the firewall settings; I looked around and couldn't find anything. I don't know too much about computers and would greatly appreciate it if anyone could help me totally remove all of this junk and messed-up settings, and get my computer back to normal with normal settings. Email me or reply if you need any other information to help me out. Please help, thanks.


Hi josh48315,
Download HijackThis and unzip it to a dedicated folder (for example C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button "Do a system scan and save log file". HijackThis will perform a scan, save the log file as hijackthis.log in the same folder where it is installed, and open the file automatically.

Please start a new topic and post the complete HijackThis log file in that topic. You can start a new topic by clicking the "New Thread" button in the upper-left corner of this page.


> Hi josh48315,
> Download HijackThis and unzip it to a dedicated folder (for example C:\HijackThisFolder\hijackthis.exe).
> Then run it and click the button "Do a system scan and save log file". HijackThis will perform a scan, save the log file as hijackthis.log in the same folder where it is installed, and open the file automatically.
>
> Please start a new topic and post the complete HijackThis log file in that topic. You can start a new topic by clicking the "New Thread" button in the upper-left corner of this page.

OK, you're telling me to do all of that, but what is it I am doing? What will posting this do?


Hi,
HijackThis searches some key areas of the system and the Windows Registry and pulls the information out of them. In this way, the virus/spyware-related files can be removed manually. BUT these key areas are used by both legitimate and bad software/files. So do NOT remove any of the entries that HijackThis shows by yourself! Post the log file so that we can take a look at it.
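
As an added example of the kind of triage a helper does on a posted log (this script is not part of the thread, of HijackThis, or of any other tool named here), the following Python walks a HijackThis 1.99.x log and flags the entry classes that matter in this thread: an O23 service whose binary is gone (the "WIN32 (image)" entry in the first log above), O1 hosts entries that blackhole security-vendor and update sites to a loopback address (the 127.0.2.5 block in josh48315's log), and O17 name-server overrides to confirm with the user. The severity labels, the vendor keyword list and the benign "intranet.example" hosts line are this example's own assumptions; the other sample lines are copied from the logs posted in this thread.

```python
"""Triage a HijackThis 1.99.x log for the entry classes discussed in this thread.

Added example for this page; not part of HijackThis or of any post above.
Severity labels ("high", "check", "info") and the vendor keyword list are
this example's own assumptions, not HijackThis output.
"""
import re
from ipaddress import ip_address

# Domains of AV/security vendors and update sites.  Chosen to match the hosts
# entries in josh48315's log (assumption, not an official list); extend as needed.
VENDOR_KEYWORDS = (
    "symantec", "sarc.com", "sophos", "mcafee", "nai.com", "networkassociates",
    "kaspersky", "avp.com", "viruslist", "f-secure", "f-prot", "trendmicro",
    "pandasoftware", "grisoft", "clamav", "free-av", "avast", "ca.com",
    "my-etrust", "cert.org", "microsoft.com", "virustotal",
)

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def _is_blackhole(ip_text):
    """True for addresses that make a hostname unreachable: 127.0.0.0/8 or 0.0.0.0."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(log_text):
    """Return a list of (severity, section, detail) findings for a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O23_RE.match(line)
        if m:
            name, owner, path = m.group("name", "owner", "path")
            if m.group("missing"):
                # A registered service whose binary is gone: the AV deleted the
                # file, but the registration that would relaunch it is still there.
                findings.append(("high", "O23", f"{name}: service binary missing ({path})"))
            elif owner == "Unknown owner":
                # No company name in the file's version info.  Common for OEM
                # utilities (nhksrv here), so only a pointer for manual review.
                findings.append(("info", "O23", f"{name}: no publisher recorded, file present ({path})"))
            continue

        m = O1_RE.match(line)
        if m:
            ip_text, host = m.group("ip", "host")
            vendor_hit = any(k in host.lower() for k in VENDOR_KEYWORDS)
            if vendor_hit and _is_blackhole(ip_text):
                findings.append(("high", "O1", f"{host} blackholed to {ip_text}"))
            else:
                findings.append(("info", "O1", f"custom hosts entry {host} -> {ip_text}"))
            continue

        m = O17_RE.match(line)
        if m:
            # DNS overrides are normal for an ISP or corporate adapter; list them
            # so the helper can confirm the servers belong to the user's provider.
            findings.append(("check", "O17", f"NameServer = {m.group('servers')}"))

    return findings


def worst(findings):
    """Highest severity present, for a one-line verdict ("clean" if nothing flagged)."""
    order = {"high": 3, "check": 2, "info": 1}
    return max((f[0] for f in findings), key=order.get, default="clean")


# Constructed sample: O17/O23 lines copied from the first log in this thread,
# O1 lines from josh48315's log, plus one made-up benign hosts entry.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB7961F5-FC35-4282-B299-D97EE3A72BC9}: NameServer = 203.49.70.20 139.134.2.190
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O1 - Hosts: 127.0.2.5 www.sophos.com
O1 - Hosts: 127.0.2.5 windowsupdate.microsoft.com
O1 - Hosts: 10.0.0.5 intranet.example
"""

if __name__ == "__main__":
    for sev, section, detail in triage(SAMPLE_LOG):
        print(f"[{sev:5}] {section}: {detail}")
    print("verdict:", worst(triage(SAMPLE_LOG)))
```

Run it as-is to see the sample findings; to triage a real log, pass the file's contents to triage(). A hosts entry pointing at 127.0.2.5 works exactly like one pointing at 127.0.0.1, because the whole 127.0.0.0/8 block is loopback, which is why the check uses is_loopback rather than comparing against a single address. "Unknown owner" on its own is not a verdict: the Netropa keyboard service in the same log has no publisher recorded and was rightly left alone by the helper, while the image.exe service is suspect because its name is generic and its file is already gone.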


HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 8:02:30 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O1 - Hosts: 127.0.2.5 sarc.com
O1 - Hosts: 127.0.2.5 www.sarc.com
O1 - Hosts: 127.0.2.5 www.sophos.com
O1 - Hosts: 127.0.2.5 sophos.com
O1 - Hosts: 127.0.2.5 www.mcafee.com
O1 - Hosts: 127.0.2.5 mcafee.com
O1 - Hosts: 127.0.2.5 www.viruslist.com
O1 - Hosts: 127.0.2.5 viruslist.com
O1 - Hosts: 127.0.2.5 f-secure.com
O1 - Hosts: 127.0.2.5 www.f-secure.com
O1 - Hosts: 127.0.2.5 f-prot.com
O1 - Hosts: 127.0.2.5 www.f-prot.com
O1 - Hosts: 127.0.2.5 kaspersky.com
O1 - Hosts: 127.0.2.5 kaspersky-labs.com
O1 - Hosts: 127.0.2.5 www.avp.com
O1 - Hosts: 127.0.2.5 avp.com
O1 - Hosts: 127.0.2.5 www.kaspersky.com
O1 - Hosts: 127.0.2.5 www.networkassociates.com
O1 - Hosts: 127.0.2.5 networkassociates.com
O1 - Hosts: 127.0.2.5 www.ca.com
O1 - Hosts: 127.0.2.5 ca.com
O1 - Hosts: 127.0.2.5 mast.mcafee.com
O1 - Hosts: 127.0.2.5 my-etrust.com
O1 - Hosts: 127.0.2.5 www.my-etrust.com
O1 - Hosts: 127.0.2.5 download.mcafee.com
O1 - Hosts: 127.0.2.5 dispatch.mcafee.com
O1 - Hosts: 127.0.2.5 secure.nai.com
O1 - Hosts: 127.0.2.5 nai.com
O1 - Hosts: 127.0.2.5 www.nai.com
O1 - Hosts: 127.0.2.5 vil.nai.com
O1 - Hosts: 127.0.2.5 us.mcafee.com
O1 - Hosts: 127.0.2.5 rads.mcafee.com
O1 - Hosts: 127.0.2.5 trendmicro.com
O1 - Hosts: 127.0.2.5 www.trendmicro.com
O1 - Hosts: 127.0.2.5 housecall.trendmicro.com
O1 - Hosts: 127.0.2.5 pandasoftware.com
O1 - Hosts: 127.0.2.5 www.pandasoftware.com
O1 - Hosts: 127.0.2.5 www.trendmicro.com
O1 - Hosts: 127.0.2.5 free.grisoft.com
O1 - Hosts: 127.0.2.5 www.grisoft.com
O1 - Hosts: 127.0.2.5 grisoft.com
O1 - Hosts: 127.0.2.5 clamav.net
O1 - Hosts: 127.0.2.5 www.clamav.net
O1 - Hosts: 127.0.2.5 free-av.com
O1 - Hosts: 127.0.2.5 www.free-av.com
O1 - Hosts: 127.0.2.5 www.avast.com
O1 - Hosts: 127.0.2.5 avast.com
O1 - Hosts: 127.0.2.5 cert.org
O1 - Hosts: 127.0.2.5 www.cert.org
O1 - Hosts: 127.0.2.5 www.microsoft.com
O1 - Hosts: 127.0.2.5 microsoft.com
O1 - Hosts: 127.0.2.5 www.virustotal.com
O1 - Hosts: 127.0.2.5 virustotal.com
O1 - Hosts: 127.0.2.5 update.microsoft.com
O1 - Hosts: 127.0.2.5 windowsupdate.microsoft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1125371179109
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DirectX Drivers - Unknown owner - C:\WINDOWS\D1rectX.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

If you need any other information, email, message or reply. Thanks a lot.


I read a really similar discussion on the web, with the same problem. Norton Antivirus, and also Sophos, find it every second. I tried to follow the instructions in the other forum, but there it is again.

This is my hijackthis.log now.

Logfile of HijackThis v1.99.1
Scan saved at 20.32.56, on 27/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\ewido\security suite\ewidoguard.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
c:\Programmi\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Programmi\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\HELPEX~1\SMARTB~1\MotiveSB.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Sophos\AutoUpdate\ALMon.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\winsmc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Davide\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\HELPEX~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Programmi\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25d4449a8db01f22e105/netzip/RdxIE601_it.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127828733062
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62958EE5-EB6B-4FE2-A7C8-48DF25167C12}: NameServer = 62.211.69.150 212.48.4.15
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MS Smc Service (MSsmc) - Unknown owner - C:\WINDOWS\winsmc.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Crea report sullo stato di Sophos Anti-Virus (SAVAdminService) - Sophos plc - c:\Programmi\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Programmi\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Programmi\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


This is rdriv.txt:


      ~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~ 

rdriv.sys PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


      ~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~ 

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


This is the ewido log:

---------------------------------------------------------
 ewido security suite - Rapporto Scansione
---------------------------------------------------------

 + Creato il:           19.29.49, 27/09/2005
 + Report-Checksum:     836CD19D

 + Risultati scansione:

    HKLM\SOFTWARE\Classes\GSDA.GSDACtl\CLSID\\ -> Spyware.GameSpyArcade : Pulito con Backup
    HKLM\SOFTWARE\Classes\GSDA.GSDACtl.1\CLSID\\ -> Spyware.GameSpyArcade : Pulito con Backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gsda.dll\\.Owner -> Spyware.GameSpyArcade : Pulito con Backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gsda.dll\\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@2o7[1].txt -> Spyware.Cookie.2o7 : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@atdmt[1].txt -> Spyware.Cookie.Atdmt : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@com[2].txt -> Spyware.Cookie.Com : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@e-2dj6wjkowldjoko.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@e-2dj6wjnyojdjcko.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@estat[1].txt -> Spyware.Cookie.Estat : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@fastclick[2].txt -> Spyware.Cookie.Fastclick : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@ilead.itrack[2].txt -> Spyware.Cookie.Itrack : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@statcounter[1].txt -> Spyware.Cookie.Statcounter : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Pulito con Backup
    C:\Documents and Settings\Davide\Cookies\davide@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Pulito con Backup
    C:\Documents and Settings\Davide\Impostazioni locali\Temporary Internet Files\Content.IE5\SH0BKBS7\s_ta_ts[1].js -> TrojanDownloader.Inor.a : Pulito con Backup
    C:\Documents and Settings\Davide\Impostazioni locali\Temporary Internet Files\Content.IE5\ZSGC9XNA\b[1].jar/Dummy.class -> Trojan.Byteverify : Pulito con Backup
    C:\Documents and Settings\Emanuele\Cookies\emanuele@adtech[2].txt -> Spyware.Cookie.Adtech : Pulito con Backup
    C:\Documents and Settings\Emanuele\Cookies\emanuele@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Pulito con Backup
    C:\Documents and Settings\Emanuele\Cookies\emanuele@atdmt[2].txt -> Spyware.Cookie.Atdmt : Pulito con Backup
    C:\Documents and Settings\Emanuele\Cookies\emanuele@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Pulito con Backup
    C:\Documents and Settings\Emanuele\Cookies\emanuele@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Pulito con Backup
    C:\Documents and Settings\Emanuele\Cookies\emanuele@ilead.itrack[2].txt -> Spyware.Cookie.Itrack : Pulito con Backup
    C:\Documents and Settings\Emanuele\Cookies\emanuele@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Pulito con Backup
    C:\Documents and Settings\Emanuele\Cookies\emanuele@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Pulito con Backup
    C:\Documents and Settings\Emanuele\Impostazioni locali\Temporary Internet Files\Content.IE5\LLT2ZBDA\eied_s7_70[1].cab/eied_s7_c_70.exe -> TrojanDownloader.Mediket.ay : Pulito con Backup
    C:\WINDOWS\Temp\tmp12B1.tmp -> Trojan.Rootkit.k : Pulito con Backup
    C:\WINDOWS\Temp\tmp39.tmp -> Trojan.Rootkit.k : Pulito con Backup
    C:\WINDOWS\Temp\tmp3F.tmp -> Trojan.Rootkit.k : Pulito con Backup


::Fine Rapporto

I'm still running the Panda on-line scan now, and in the meanwhile the virus alert window continues to appear.
