I've tried the solutions given for the same trojan.cachecachekit / NAV popup issue and it hasn't fixed my infected PC yet. It is a Windows 2000 Server and was hit here over the past few days when the ESBOT worm hit. I have run Ad-Aware, Spybot, The Cleaner and Trojan Remover, in addition to having Symantec AV Corp 10 running on the PC. I now get the notification from Symantec over and over again about finding trojan.cachecachekit and can't delete rdriv.sys. I may be able to recover my sanity if someone can help me clean the server.

Here is a copy of my HijackThis log and my Sysclean log:

Logfile of HijackThis v1.99.1
Scan saved at 12:30:36 PM, on 8/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124296363694
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A06D2E1B-8207-4A3F-A641-B882B0C71A76}: NameServer = 207.114.0.130,207.114.0.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: emailer - Boardtown Corporation - C:\PROGRA~1\WOMBAT~1\emailer.exe
O23 - Service: mailpopper (Mailpopper) - Boardtown.com - C:\PROGRA~1\WOMBAT~1\MAILPO~1.EXE
O23 - Service: Windows System32 (mswin32) - Unknown owner - C:\WINNT\msupd~.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: wombatsvc - Boardtown Corporation - C:\Program Files\WombatSvc\wombatsvc.exe

=====


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-08-23, 16:53:54, Auto-clean mode specified.
2005-08-23, 16:53:54, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN"...
2005-08-23, 16:55:42, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN" has finished running.
2005-08-23, 16:55:42, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows 2000(Build 2195: Service Pack 4)

Start time : Tue Aug 23 2005 16:53:57

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\sysclean\tsc.ptn" (version 638) [success]

Complete time : Tue Aug 23 2005 16:55:42
Execute pattern count(4218), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-08-23, 16:55:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Access is denied.
2005-08-23, 16:55:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\ntuser.dat.LOG": Access is denied.
2005-08-23, 16:55:53, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-23, 16:55:53, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-23, 16:57:01, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\786999f5617b331428135848d30802a1_a1420a4f-1992-4efe-8ad3-db7f17d6ce7a": Access is denied.
2005-08-23, 16:57:01, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a436fe806e483969f48a894af2fe9a1_a1420a4f-1992-4efe-8ad3-db7f17d6ce7a": Access is denied.
2005-08-23, 17:09:19, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-08-23, 17:19:16, An error occurred while scanning file "C:\WINNT\system32\config\default": Access is denied.
2005-08-23, 17:19:16, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG": Access is denied.
2005-08-23, 17:19:16, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2005-08-23, 17:19:16, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\software": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\system": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2005-08-23, 17:23:42, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN"...
2005-08-23, 18:12:29, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/23/2005 17:23:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\54EBXG96\p5[1].jpg [WORM_ESBOT.D]
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\5CSW94W9\socks11[1].exe [TROJ_PROXY.BO]
C:\WINNT\system32\394.tmp [TROJ_PROXY.BO]
C:\WINNT\system32\ssl.exe [WORM_ESBOT.D]
26750 files have been read.
26750 files have been checked.
24321 files have been scanned.
38564 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/23/2005 18:12:29
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-23, 18:12:29, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/23/2005 17:23:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

Success Clean [ WORM_ESBOT.D]( 1) from C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\54EBXG96\p5[1].jpg
Success Clean [ TROJ_PROXY.BO]( 1) from C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\5CSW94W9\socks11[1].exe
Success Clean [ TROJ_PROXY.BO]( 1) from C:\WINNT\system32\394.tmp
26750 files have been read.
26750 files have been checked.
24321 files have been scanned.
38564 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/23/2005 18:12:29 48 minutes 45 seconds (2924.47 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-23, 18:12:29, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/23/2005 17:23:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

26750 files have been read.
26750 files have been checked.
24321 files have been scanned.
38564 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/23/2005 18:12:29 48 minutes 45 seconds (2924.47 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-23, 18:12:29, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN" has finished running.


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-08-24, 10:44:43, Auto-clean mode specified.
2005-08-24, 10:44:43, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN"...
2005-08-24, 10:45:10, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN" has finished running.
2005-08-24, 10:45:10, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows 2000(Build 2195: Service Pack 4)

Start time : Wed Aug 24 2005 10:44:43

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\sysclean\tsc.ptn" (version 638) [success]

Complete time : Wed Aug 24 2005 10:45:10
Execute pattern count(4218), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-08-24, 10:45:13, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Access is denied.
2005-08-24, 10:45:13, An error occurred while scanning file "C:\Documents and Settings\Administrator\ntuser.dat.LOG": Access is denied.
2005-08-24, 10:45:33, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-24, 10:45:33, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-24, 10:45:37, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\786999f5617b331428135848d30802a1_a1420a4f-1992-4efe-8ad3-db7f17d6ce7a": Access is denied.
2005-08-24, 10:45:37, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a436fe806e483969f48a894af2fe9a1_a1420a4f-1992-4efe-8ad3-db7f17d6ce7a": Access is denied.
2005-08-24, 10:53:02, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-08-24, 11:00:44, An error occurred while scanning file "C:\WINNT\system32\config\default": Access is denied.
2005-08-24, 11:00:44, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG": Access is denied.
2005-08-24, 11:00:44, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2005-08-24, 11:00:44, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\software": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\system": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2005-08-24, 11:02:30, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN"...
2005-08-24, 11:27:52, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/24/2005 11:02:31
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

C:\Documents and Settings\Administrator\Desktop\ssl.exe [WORM_ESBOT.D]
24170 files have been read.
24170 files have been checked.
22107 files have been scanned.
34668 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/24/2005 11:27:52
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-24, 11:27:52, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/24/2005 11:02:31
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

Success Clean [ WORM_ESBOT.D]( 1) from C:\Documents and Settings\Administrator\Desktop\ssl.exe
24170 files have been read.
24170 files have been checked.
22107 files have been scanned.
34668 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/24/2005 11:27:52 25 minutes 15 seconds (1515.12 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-24, 11:27:52, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/24/2005 11:02:31
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean

24170 files have been read.
24170 files have been checked.
22107 files have been scanned.
34668 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/24/2005 11:27:52 25 minutes 15 seconds (1515.12 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-24, 11:27:52, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN" has finished running.


Thanks in advance for any advice you may have.

David


Hi,
Download Ewido and install it. Then run it; you will receive a warning message saying "Database not found", so click "OK". Next, in the main screen, click "Update" and then "Start Update". After the update process finishes, exit from Ewido.

Download CCleaner and install it. Download the ESBot Removal Tool from Symantec.


Make Windows show all files:-
Go to Start > My Computer.
Go to the Tools menu and click Folder Options (Folder Options is under the View menu in Win98).
Uncheck "Hide protected operating system files".
Then select the option "Show hidden files and folders".
Click Apply and then click OK to exit.


Reboot in Safe Mode:-
Restart (or switch on) the PC.
Then keep tapping the F8 key.
From the menu that is displayed, choose Safe Mode and press Enter.


Go to Start > Run, type services.msc and press Enter. Navigate to the service named Microsoft SSL (ssl) and click "Properties". Under "Status", click "Stop". Next, under "Startup type", select "Disabled". Click "Apply" and "OK".
Similarly, "Stop" and "Disable" this service too --> Windows System32 (mswin32)


Run HijackThis and click "Do a system scan only".
Then put a check mark in front of the entries listed below:-

O23 - Service: Windows System32 (mswin32) - Unknown owner - C:\WINNT\msupd~.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Exit from HijackThis, and delete these files:-
C:\WINNT\msupd~.exe (Do NOT delete the file msupd.exe, look for msupd~.exe)
C:\WINNT\system32\ssl.exe

Run CCleaner, click the "Options" button, go to the "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally, click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If Ewido finds anything, it will pop up a notification. Select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking OK.
When the scan finishes, click on "Save Report". This will create a text file.


Run the removal tool from Symantec, and click "Start" to start the scan.


Reboot to Normal Mode and run HijackThis to get a fresh log. Post it, along with the Ewido log. Also, post back whether the Removal Tool from Symantec found anything or not.
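Editor's added example (not part of this thread, and not a tool either poster used): the two O23 entries picked out above can be found mechanically by applying the same tells a helper applies by eye. The script below parses HijackThis O23 lines and flags a service when its binary has no vendor string ("Unknown owner"), is reported "(file missing)", has a tilde in its file name (mimicking an 8.3 short name, as msupd~.exe does), carries a Microsoft- or Windows-sounding display name from a non-Microsoft owner, or sits directly in the Windows directory root. The reason codes and the heuristics are my own assumptions for illustration; the sample lines are copied from the first log in this thread and embedded so the script runs offline.

```python
import re
import ntpath
from dataclasses import dataclass, field

# Constructed sample input: O23 lines copied from the HijackThis log posted
# above (two malicious, four legitimate) plus one non-O23 line to be skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows System32 (mswin32) - Unknown owner - C:\WINNT\msupd~.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

O23_PREFIX = "O23 - Service: "
MISSING_SUFFIX = " (file missing)"
# "Display Name (shortname)" -- the parenthesised short name is optional.
HEAD_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<name>[^()]*)\))?$")


@dataclass
class Service:
    display: str
    name: str            # short service name; falls back to display name
    owner: str           # vendor string HJT read from the binary
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Parse one 'O23 - Service:' line; return None for any other line."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    # HJT joins display name, owner and path with " - ". Split from the
    # right so a " - " inside the display name does not break parsing.
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, owner, path = parts
    m = HEAD_RE.match(head)
    display = m.group("display")
    name = m.group("name") or display
    missing = path.endswith(MISSING_SUFFIX)
    if missing:
        path = path[:-len(MISSING_SUFFIX)]
    return Service(display, name, owner, path, missing)


def triage(svc):
    """Attach heuristic reason codes (assumed, not HJT's own) to a Service."""
    if svc.owner == "Unknown owner":
        svc.reasons.append("unknown-owner")       # no vendor info in the binary
    if svc.file_missing:
        svc.reasons.append("file-missing")        # registered, but binary gone
    if "~" in ntpath.basename(svc.path):
        svc.reasons.append("tilde-name")          # looks like an 8.3 short name
    # A Microsoft/Windows-sounding display name from a non-Microsoft owner.
    if re.match(r"(microsoft|windows)\b", svc.display, re.I) \
            and "microsoft" not in svc.owner.lower():
        svc.reasons.append("ms-lookalike")
    # Service binary dropped directly into the Windows directory root.
    parent = ntpath.basename(ntpath.dirname(svc.path)).lower()
    if parent in ("winnt", "windows"):
        svc.reasons.append("windir-root")
    return svc


def triage_log(text):
    """Return {short service name: [reason codes]} for every flagged O23 line."""
    flagged = {}
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        triage(svc)
        if svc.reasons:
            flagged[svc.name] = svc.reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample it reports only mswin32 and ssl, with the legitimate Symantec, NVIDIA and Retrospect services passing clean. The "file missing" case matters in practice: the ssl service entry stays in the registry after the binary is cleaned, so the service still has to be stopped, disabled and its entry fixed, exactly as the steps above do.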

OK, no more Symantec popups! Thanks so much!! I'm tacking on the new and improved HijackThis log and the Ewido log per your request. The Symantec tool did not find any ESBOT (though it did a couple of days ago, and the tool removed it then).

Logfile of HijackThis v1.99.1
Scan saved at 5:24:47 PM, on 8/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\WOMBAT~1\emailer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\WOMBAT~1\MAILPO~1.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\WombatSvc\wombatsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124296363694
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A06D2E1B-8207-4A3F-A641-B882B0C71A76}: NameServer = 207.114.0.130,207.114.0.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: emailer - Boardtown Corporation - C:\PROGRA~1\WOMBAT~1\emailer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: mailpopper (Mailpopper) - Boardtown.com - C:\PROGRA~1\WOMBAT~1\MAILPO~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: wombatsvc - Boardtown Corporation - C:\Program Files\WombatSvc\wombatsvc.exe

==============
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          4:56:31 PM, 8/24/2005
 + Report-Checksum:     98BB9321

 + Scan result:

    C:\WINNT\msupd~.exe -> Backdoor.SdBot.xd : Cleaned with backup
    C:\WINNT\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup


::Report End

Hi,
Log looks clean :D Please post back if you experience any problems. If you find no other problems, this thread can be marked as "Solved"!

Everything seems great, so I'd say the thread may be marked as solved. Thanks again for your help! I've learned about some new and useful tools as well.
