trojan.cachecachekit HEEEEELP!!!!

erik1927 · 08-19-2005, 11:23 AM

Hello! My laptop (running Windows 2000) has been infected with trojan.cachecachekit. I have tried removing it according to the instructions on the Symantec website, but it didn't work. I have just run Hijackthis. Here is the log. Please - can anyone help me?????

Logfile of HijackThis v1.99.1
Scan saved at 20:08:24, on 19-Aug-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tau.ac.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tau.ac.il/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/tau.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tau.ac.il:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://lewislazar.ssr.be/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1118158394300
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Ried · 08-19-2005, 07:32 PM

Hello erik1927 and welcome to TSF,

This trojan is not showing in your log, however, based on your description, let's begin with these procedures:

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Please download the following programs, but do not run them yet:

rdrivRem.zip - http://www.geekstogo.com/forum/index...e=post&id=1778
* Unzip it to your desktop.

Ewido Security Suite - http://www.ewido.net/en/download/

* Install Ewido Security Suite.
* Launch Ewido. There should be a big E icon on your desktop. Double click on it.
* The program will prompt you to update. Click the OK button.
* The program will now go to the main screen.
* You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Click on Start.
* The update will start and a progress bar will show the updates being installed.
* After the updates are installed exit Ewido.

* CleanUp! - http://www.greyknight17.com/spy/CleanUp.exe
* Install it.

* Killbox by Option^Explicit - http://www.greyknight17.com/spy/KillBox.exe
* Save it to your desktop. We may need it later.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

1.) Please double click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double click the Ewido Security Suite icon to run the program.

* Click on scanner.
* Click Complete System Scan.
* Let the program scan the machine.

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

* Click Save report.
* Save the report to your desktop.
* Exit Ewido.

3.) CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

4.) After CleanUp! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED (after you checked the last entry below):

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.j s)

Note: N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src
The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed.

Close HijackThis.

After computer has restarted continue with the rest of the instructions:

5.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out. Also, make sure your anti-virus program is working properly - you can turn on and off auto-protect, etc.

6.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan - http://www.pandasoftware.com/activescan/
TrendMicro 's Housecall (http://uk.trendmicro-europe.com/ente...all_launch.php) - check 'Auto Clean'

Save the results from Panda ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HijackThis log into this topic.

erik1927 · 08-21-2005, 11:24 AM

Hi Ried
First - I would just like to say thanks for helping me out!! I really appreciate you time and effort.
I did what you asked. I had some problems running the online scans and my computer crashed about half way through the "Activescan" after it discovered 7 viruses. I ran it again and it found 3 more, which you can see from the log. Here are the logs you asked for:
rdriv.txt

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!
~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~
rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:20:57, 20-Aug-05
+ Report-Checksum: DA8011C0

+ Scan result:

:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
::Report End

ActiveScan

Incident Status Location

Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\Mail\luna.tau.ac.il\Trash[~000896.@x@]
Virus:W32/Bugbear Disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\Mail\luna.tau.ac.il\Trash[DeltaList.txt.exe]
Virus:W32/Sdbot.ftp Disinfected C:\WINNT\system32\i

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 20:07:31, on 21-Aug-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\stickies\stickies.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tau.ac.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tau.ac.il/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tau.ac.il:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://lewislazar.ssr.be/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1118158394300
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

greyknight17 · 08-21-2005, 03:29 PM

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

erik1927 · 08-23-2005, 06:06 AM

Everything seems to be working ok. Thanks!!!!!!

08-19-2005, 11:23 AM	#1 (permalink)
erik1927 Registered User Join Date: Aug 2005 Posts: 3 OS: win2000	trojan.cachecachekit HEEEEELP!!!! Hello! My laptop (running Windows 2000) has been infected with trojan.cachecachekit. I have tried removing it according to the instructions on the Symantec website, but it didn't work. I have just run Hijackthis. Here is the log. Please - can anyone help me????? Logfile of HijackThis v1.99.1 Scan saved at 20:08:24, on 19-Aug-05 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\System32\ibmpmsvc.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\msdtc.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\tcpsvcs.exe C:\WINNT\System32\snmp.exe C:\WINNT\system32\stisvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\inetsrv\inetinfo.exe C:\WINNT\System32\mqsvc.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\tp4mon.exe C:\WINNT\system32\ltcm000c.exe C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINNT\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\stickies\stickies.exe C:\Program Files\Symantec AntiVirus\DoScan.exe C:\Program Files\Netscape\Netscape Browser\netscape.exe C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tau.ac.il/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tau.ac.il/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.tau.ac.il/tau.pac R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tau.ac.il:8080 N3 - Netscape 7: user_pref("browser.startup.homepage", "http://lewislazar.ssr.be/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9 O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1118158394300 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe (file missing) O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

08-19-2005, 07:32 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,596 OS: WinXP and Vista	Hello erik1927 and welcome to TSF, This trojan is not showing in your log, however, based on your description, let's begin with these procedures: Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. Please download the following programs, but do not run them yet: rdrivRem.zip - http://www.geekstogo.com/forum/index...e=post&id=1778 * Unzip it to your desktop. Ewido Security Suite - http://www.ewido.net/en/download/ * Install Ewido Security Suite. * Launch Ewido. There should be a big E icon on your desktop. Double click on it. * The program will prompt you to update. Click the OK button. * The program will now go to the main screen. * You will need to update Ewido to the latest definition files. * On the left hand side of the main screen click update. * Click on Start. * The update will start and a progress bar will show the updates being installed. * After the updates are installed exit Ewido. * CleanUp! - http://www.greyknight17.com/spy/CleanUp.exe * Install it. * Killbox by Option^Explicit - http://www.greyknight17.com/spy/KillBox.exe * Save it to your desktop. We may need it later. Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. 1.) Please double click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder. 2.) Double click the Ewido Security Suite icon to run the program. * Click on scanner. * Click Complete System Scan. * Let the program scan the machine. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK. Once the scan has completed, there will be a button located on the bottom of the screen named Save report. * Click Save report. * Save the report to your desktop. * Exit Ewido. 3.) CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff. 4.) After CleanUp! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED (after you checked the last entry below): N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.j s) Note: N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed. Close HijackThis. After computer has restarted continue with the rest of the instructions: 5.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out. Also, make sure your anti-virus program is working properly - you can turn on and off auto-protect, etc. 6.) Run BOTH of these online virus scans (NOT at the same time!): ActiveScan - http://www.pandasoftware.com/activescan/ TrendMicro 's Housecall (http://uk.trendmicro-europe.com/ente...all_launch.php) - check 'Auto Clean' Save the results from Panda ActiveScan. I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HijackThis log into this topic. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-21-2005, 11:24 AM	#3 (permalink)
erik1927 Registered User Join Date: Aug 2005 Posts: 3 OS: win2000	trojan.cachecachekit HEEEEELP!!!! - take 2 Hi Ried First - I would just like to say thanks for helping me out!! I really appreciate you time and effort. I did what you asked. I had some problems running the online scans and my computer crashed about half way through the "Activescan" after it discovered 7 viruses. I ran it again and it found 3 more, which you can see from the log. Here are the logs you asked for: rdriv.txt ~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~ rdriv.sys NOT PRESENT! ItunesMusic.exe NOT PRESENT! wkssvc.exe NOT PRESENT! ~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~ rdriv.sys NOT PRESENT! ItunesMusic.exe NOT PRESENT! wkssvc.exe NOT PRESENT! Ewido --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 22:20:57, 20-Aug-05 + Report-Checksum: DA8011C0 + Scan result: :mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup :mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup :mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup ::Report End ActiveScan Incident Status Location Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\Mail\luna.tau.ac.il\Trash[~000896.@x@] Virus:W32/Bugbear Disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\Mail\luna.tau.ac.il\Trash[DeltaList.txt.exe] Virus:W32/Sdbot.ftp Disinfected C:\WINNT\system32\i HijackThis Logfile of HijackThis v1.99.1 Scan saved at 20:07:31, on 21-Aug-05 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\System32\ibmpmsvc.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\msdtc.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\WINNT\system32\MSTask.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\tcpsvcs.exe C:\WINNT\System32\snmp.exe C:\WINNT\system32\stisvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\inetsrv\inetinfo.exe C:\WINNT\System32\mqsvc.exe C:\WINNT\system32\tp4mon.exe C:\WINNT\system32\ltcm000c.exe C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINNT\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Symantec AntiVirus\DoScan.exe C:\Program Files\stickies\stickies.exe C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tau.ac.il/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tau.ac.il/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tau.ac.il:8080 N3 - Netscape 7: user_pref("browser.startup.homepage", "http://lewislazar.ssr.be/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\o8yt50br.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9 O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1118158394300 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe (file missing) O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

08-21-2005, 03:29 PM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Your log is clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

08-23-2005, 06:06 AM	#5 (permalink)
erik1927 Registered User Join Date: Aug 2005 Posts: 3 OS: win2000	trojan.cachecachekit HEEEEELP!!!! Everything seems to be working ok. Thanks!!!!!!