Tech Support banner

Status
Not open for further replies.
1 - 4 of 4 Posts

·
Registered
Joined
·
2 Posts
Discussion Starter #1
Hello, I recently experienced a Norton AV alert with Trojan.Cachecachekit which is persistent on my desktop. I tried to follow some of the threads but I'm sure that I need more help comming from more professional consultants.
Please help me to get out of this nightmare. Thank you very much.
I ran HijackThis in Normal Mode and I obtained this log:

Logfile of HijackThis v1.99.1
Scan saved at 19:31:09, on 27.09.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Desktop\avirusi\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.2.13:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: IEWebCatcher Class - {FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\22.tmp
O4 - HKLM\..\Run: [spoolax] C:\WINNT\system32\crcnnnu.exe
O4 - HKLM\..\Run: [stdlib] C:\WINNT\system32\ihmgij.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\Isass.exe
O4 - HKLM\..\Run: [iserv] C:\WINNT\system32\gyhkzyg.exe
O4 - HKLM\..\Run: [SWn4YpL5] C:\WINNT\tlsrp.exe
O4 - HKLM\..\Run: [lux] C:\WINNT\system32\zwyufp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [tgzmthj] C:\WINNT\system32\ywbglto.exe r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000133.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000133.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C964E79-EB1D-4F9A-AF7B-87789A0A23EC}: NameServer = 194.102.255.2,194.102.255.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft Windows Service - Unknown owner - C:\WINNT\mousesync.exe (file missing)
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: sdktemp - Unknown owner - C:\WINNT\debughlp.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Best regards,
Tavitavis
 

·
Registered
Joined
·
6,574 Posts
Hi and Welcome to TSF!

Initially, I was going to attack everything. But I think this ones better done in stages. We'll take out the CacheCache trojan first - and let Ewido pick out what it can.

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!. .

~~~~~~~~~~~~~~

Please download these additional files/programs :- (Do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading

CleanUp! - Install

Ewido Security Suite - Install & Update it’s database.

rdrivRem.zip - Unzip to Desktop.

Disconnect your computer from the Internet when you have finished downloading.

~~~~~~~~~~~~~~

Reboot to SafeMode
  • Shut Windows down, and then turn off the computer.
  • Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  • As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
    [Windows Advanced Options] menu appears.
  • Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

~~~~~~~~~~~~~~

Double-click rdrivRem.bat to run the program - follow the instructions on the screen.


** Please disable all other antivirus programs before proceeding.**

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK]
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido


~~~~~~~~~~~~~~

Enable the viewing of Hidden files
  1. Open Windows Explorer
  2. Go to Tools>Folder Options>View tab.
  3. enable the option for `Show hidden files and folder´
  4. disable the option for `Hide file extensions for known types´
  5. disable the option for `Hide protected operating system files´
  6. click "Yes" to confirm & then click "OK"

~~~~~~~~~~~~~~

Run Cleanup! & configure the program up as follows:
  • Click Options...
  • Move the arrow down to Custom CleanUp!
  • Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  • Click OK
  • Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup

~~~~~~~~~~~~~~

Reboot to Normal Mode

Do an online scan at Panda
Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


In your next post, please include fresh copies of:
  • HiJackThis log
  • List of files that online scans failed to disinfect

Please provide details of any problems you encountered whilst performing the above steps.
Update us on how your computer behaves now
 

·
Registered
Joined
·
2 Posts
Discussion Starter #3
Hello again, and sorry for my long absence.
Except the internet online serach (the PC is still offline being in the maintenance place, not at home), I can send you the 'hijackthis', 'KRC HijackThis Analyzer result' and 'ewido scan report'.
Anyway, the NAV popup is not present anymore, and I think the system is safe, the problem was generated by this file, which was removed manually in safe mode:

O23 - Service: sdktemp - Unknown owner - C:\WINNT\debughlp.exe

Please take a look at the logs, I will sleep better after that.
So, the logs now:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:41:03, 01.10.2005
+ Report-Checksum: 3ECABB25
+ Scan result:
No infected objects found.
::Report End
---------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:02:56, on 01.10.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.2.13:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: IEWebCatcher Class - {FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\22.tmp
O4 - HKLM\..\Run: [SWn4YpL5] C:\WINNT\tlsrp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [tgzmthj] C:\WINNT\system32\ywbglto.exe r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000133.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000133.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C964E79-EB1D-4F9A-AF7B-87789A0A23EC}: NameServer = 194.102.255.2,194.102.255.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Microsoft Windows Service - Unknown owner - C:\WINNT\mousesync.exe (file missing)
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

==========================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:02:56, on 01.10.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\userinit.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.2.13:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: IEWebCatcher Class - {FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\22.tmp
O4 - HKLM\..\Run: [SWn4YpL5] C:\WINNT\tlsrp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [tgzmthj] C:\WINNT\system32\ywbglto.exe r
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000133.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000133.exe
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C964E79-EB1D-4F9A-AF7B-87789A0A23EC}: NameServer = 194.102.255.2,194.102.255.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = buc.cfr.ro
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Microsoft Windows Service - Unknown owner - C:\WINNT\mousesync.exe (file missing)
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

End of KRC HijackThis Analyzer Log.
=========================================================

Thank you very much, you done a great job !
Greetings from Romania !

Best regards,
Tavitavis
 

·
Registered
Joined
·
6,574 Posts
Greetings from UK :grin:

The NAV 023 you posted is the cachecache trojan. It still appears present, along with the Epolvy trojan. Can you confirm..

Did you run the rDriv step and the full ewido scan?? If not - please complete my instructions fully.
 
1 - 4 of 4 Posts
Status
Not open for further replies.
Top