I've tried the solutions given for the same trojan.cachecachekit / NAV popup issue and they haven't fixed my infected PC yet. It is a Windows 2000 Server and was hit here over the past few days when the ESBOT worm hit. I have run Ad-Aware, Spybot, The Cleaner, and Trojan Remover, in addition to having Symantec AV Corp 10 running on the PC. I now get the notification from Symantec over and over again about finding the trojan.cachecachekit and can't delete rdriv.sys. I may be able to recover my sanity if someone can help me clean the server.
Here is a copy of my Hijackthis.log and my Sysclean.log:
Logfile of HijackThis v1.99.1
Scan saved at 12:30:36 PM, on 8/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124296363694
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A06D2E1B-8207-4A3F-A641-B882B0C71A76}: NameServer = 207.114.0.130,207.114.0.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = abs.net,charm.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: emailer - Boardtown Corporation - C:\PROGRA~1\WOMBAT~1\emailer.exe
O23 - Service: mailpopper (Mailpopper) - Boardtown.com - C:\PROGRA~1\WOMBAT~1\MAILPO~1.EXE
O23 - Service: Windows System32 (mswin32) - Unknown owner - C:\WINNT\msupd~.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Retrospect Client - EMC Dantz - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Client\rthlpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: wombatsvc - Boardtown Corporation - C:\Program Files\WombatSvc\wombatsvc.exe
=====
/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/
2005-08-23, 16:53:54, Auto-clean mode specified.
2005-08-23, 16:53:54, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN"...
2005-08-23, 16:55:42, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN" has finished running.
2005-08-23, 16:55:42, TSC Log:
Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows 2000(Build 2195: Service Pack 4)
Start time : Tue Aug 23 2005 16:53:57
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\sysclean\tsc.ptn" (version 638) [success]
Complete time : Tue Aug 23 2005 16:55:42
Execute pattern count(4218), Virus found count(0), Virus clean count(0), Clean failed count(0)
2005-08-23, 16:55:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Access is denied.
2005-08-23, 16:55:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\ntuser.dat.LOG": Access is denied.
2005-08-23, 16:55:53, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-23, 16:55:53, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-23, 16:57:01, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\786999f5617b331428135848d30802a1_a1420a4f-1992-4efe-8ad3-db7f17d6ce7a": Access is denied.
2005-08-23, 16:57:01, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a436fe806e483969f48a894af2fe9a1_a1420a4f-1992-4efe-8ad3-db7f17d6ce7a": Access is denied.
2005-08-23, 17:09:19, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-08-23, 17:19:16, An error occurred while scanning file "C:\WINNT\system32\config\default": Access is denied.
2005-08-23, 17:19:16, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG": Access is denied.
2005-08-23, 17:19:16, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2005-08-23, 17:19:16, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\software": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\system": Access is denied.
2005-08-23, 17:19:17, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2005-08-23, 17:23:42, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN"...
2005-08-23, 18:12:29, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/23/2005 17:23:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\54EBXG96\p5[1].jpg [WORM_ESBOT.D]
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\5CSW94W9\socks11[1].exe [TROJ_PROXY.BO]
C:\WINNT\system32\394.tmp [TROJ_PROXY.BO]
C:\WINNT\system32\ssl.exe [WORM_ESBOT.D]
26750 files have been read.
26750 files have been checked.
24321 files have been scanned.
38564 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/23/2005 18:12:29
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-23, 18:12:29, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/23/2005 17:23:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean
Success Clean [ WORM_ESBOT.D]( 1) from C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\54EBXG96\p5[1].jpg
Success Clean [ TROJ_PROXY.BO]( 1) from C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\5CSW94W9\socks11[1].exe
Success Clean [ TROJ_PROXY.BO]( 1) from C:\WINNT\system32\394.tmp
26750 files have been read.
26750 files have been checked.
24321 files have been scanned.
38564 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/23/2005 18:12:29 48 minutes 45 seconds (2924.47 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-23, 18:12:29, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/23/2005 17:23:42
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean
26750 files have been read.
26750 files have been checked.
24321 files have been scanned.
38564 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/23/2005 18:12:29 48 minutes 45 seconds (2924.47 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-23, 18:12:29, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN" has finished running.
/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/
2005-08-24, 10:44:43, Auto-clean mode specified.
2005-08-24, 10:44:43, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN"...
2005-08-24, 10:45:10, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\TSC.BIN" has finished running.
2005-08-24, 10:45:10, TSC Log:
Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows 2000(Build 2195: Service Pack 4)
Start time : Wed Aug 24 2005 10:44:43
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Administrator\Desktop\sysclean\tsc.ptn" (version 638) [success]
Complete time : Wed Aug 24 2005 10:45:10
Execute pattern count(4218), Virus found count(0), Virus clean count(0), Clean failed count(0)
2005-08-24, 10:45:13, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Access is denied.
2005-08-24, 10:45:13, An error occurred while scanning file "C:\Documents and Settings\Administrator\ntuser.dat.LOG": Access is denied.
2005-08-24, 10:45:33, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-24, 10:45:33, An error occurred while scanning file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-24, 10:45:37, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\786999f5617b331428135848d30802a1_a1420a4f-1992-4efe-8ad3-db7f17d6ce7a": Access is denied.
2005-08-24, 10:45:37, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a436fe806e483969f48a894af2fe9a1_a1420a4f-1992-4efe-8ad3-db7f17d6ce7a": Access is denied.
2005-08-24, 10:53:02, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-08-24, 11:00:44, An error occurred while scanning file "C:\WINNT\system32\config\default": Access is denied.
2005-08-24, 11:00:44, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG": Access is denied.
2005-08-24, 11:00:44, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2005-08-24, 11:00:44, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\software": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\system": Access is denied.
2005-08-24, 11:00:45, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2005-08-24, 11:02:30, Running scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN"...
2005-08-24, 11:27:52, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/24/2005 11:02:31
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean
C:\Documents and Settings\Administrator\Desktop\ssl.exe [WORM_ESBOT.D]
24170 files have been read.
24170 files have been checked.
22107 files have been scanned.
34668 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/24/2005 11:27:52
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-24, 11:27:52, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/24/2005 11:02:31
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean
Success Clean [ WORM_ESBOT.D]( 1) from C:\Documents and Settings\Administrator\Desktop\ssl.exe
24170 files have been read.
24170 files have been checked.
22107 files have been scanned.
34668 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/24/2005 11:27:52 25 minutes 15 seconds (1515.12 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-24, 11:27:52, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 8/24/2005 11:02:31
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 795 (106812 Patterns) (2005/08/22) (279500)
Command Line: C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Administrator\Desktop\sysclean
24170 files have been read.
24170 files have been checked.
22107 files have been scanned.
34668 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/24/2005 11:27:52 25 minutes 15 seconds (1515.12 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-24, 11:27:52, Scanner "C:\Documents and Settings\Administrator\Desktop\sysclean\VSCANTM.BIN" has finished running.
Thanks in advance for any advice you may have.
David