Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan.cachecachekit [RESOLVED]

Started by chingwithbling , Jul 09 2005 06:13 PM

This topic is locked

#1
chingwithbling

Posted 09 July 2005 - 06:13 PM

Member

Member
24 posts

So yesterday I awoke to find that my computer had been infected with the Trojan.cachecachekit, at least according to Symantec Antivirus. I believe the reason it got in was because I had the Symantec Client Firewall off (its kind of stupid in that I can't get it to work with my cat-5 connected network, so I just turn it off now). The trojan blocked my internet access, and whenever my computer is on in normal mode the messages that Symatec Antivirus has found and deleted the trojan.cachecachekit, keep coming up every 5 seconds. For the last day, I've been looking for answers, but Symantec doesnt seem to have many. They say that trojan.cachecachekit is put there by w32.sypbot.nlx. However, after updating my Antivirus with the most recent intelligent update, w32.spybot.nlx was nowhere to be found when I did a full system scan in safe mode. It did, however, find two files and quarantine them, both in the system32 folder:syscfg.exe which had the w32.spyware.worm and rdriv.sys which had the trojan.cachecachekit. Relieved, I restarted my computer in normal mode only to have the blasted messages saying it had found trojan.cachecachekit come up again. The messages saying it had found w32.spyware.worm were nowhere to be seen now, so that was one down. When I followed Symantec's instructions on removing w32.spybot.nlx, I found two items in my registry which I promptly removed in safe mode:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc. I then restarted the computer, but once again the messages came up and those two were back in the registry. Realizing that I had not turned off system restore, I did that and redeleted the two criminals again. However, the messages just kept coming up.
I then followed the instructions for completely removing w32.spybot.worm, and found some stuff, but it didnt help with the recurring messages. Please help me on this one, I would really like to have my primary computer back on the internet. Sorry if this was rediculously long.
Thanks,
James

Heres my hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 4:51:58 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jimmy\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.veri....htm?ver=14625
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [System Support] syscfg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BounceBack Launcher.lnk = ?
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Undelete 4 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Undelete\ESIRegister.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.airsoftpa...sses/CFJava.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....012/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15012/CTPID.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft Windows - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by chingwithbling, 09 July 2005 - 06:15 PM.

#2
Trevuren

Posted 09 July 2005 - 07:24 PM

Old Dog

Retired Staff
18,699 posts

Hi chinkwithbling and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go
. Click on My Controls at the top right hand corner of the window. (make sure you have signed in first)
. In the left hand column, click "View Topics"
. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. You have major problems. That rdiv thing is a rootkit problem. It cannot be seen in HJT logs but one of our specialists has come up with a fix that works if carried out to the letter. I will be back with your fix within the hour.

Regards,

Trevuren

#3
chingwithbling

Posted 09 July 2005 - 07:25 PM

Member

Topic Starter
Member
24 posts

Thanks.

#4
Trevuren

Posted 09 July 2005 - 07:37 PM

Old Dog

Retired Staff
18,699 posts

Please do a search for the following file and provide me with the full path of the file. It is required to prepare the fix for your system: i-e C:\Windows\.........

syscfg.exe

Thanks,

Trevuren

#5
chingwithbling

Posted 09 July 2005 - 11:33 PM

Member

Topic Starter
Member
24 posts

Syscfg.exe was originally in the C:\WINDOWS\system32\ folder, but it is currently in quarantine. Should I restore it?

#6
Trevuren

Posted 09 July 2005 - 11:48 PM

Old Dog

Retired Staff
18,699 posts

NO. That's good

Trevuren

#7
chingwithbling

Posted 10 July 2005 - 11:08 AM

Member

Topic Starter
Member
24 posts

Ok.

#8
Trevuren

Posted 10 July 2005 - 11:25 AM

Old Dog

Retired Staff
18,699 posts

1. Please run the Housecall online virus scan located at:
http://housecall.tre.../start_corp.asp
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please restart your computer.

2. Then please run the Panda scan here:
http://www.pandasoft...n_principal.htm
Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer.

3. Finally, please run the WindowSecurity trojan scan here:
http://www.windowsec...com/trojanscan/
Remove any trojans found, and restart your computer

4. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

#9
chingwithbling

Posted 10 July 2005 - 01:58 PM

Member

Topic Starter
Member
24 posts

Unfortunately, I don't think I can run any of those online scans, because it appears that the trojan is blocking my internet. When I connect my modem, it just gives me the message that there is limited or no connectivity. I am currently using a different computer for the internet. Are there any ways around this?

#10
Trevuren

Posted 10 July 2005 - 02:15 PM

Old Dog

Retired Staff
18,699 posts

What you have here is a "rootkit" type infection. They are relatively new on the street and often extremely difficult to get rid of. I am providing you with a fix that you must folllow to the letter if you want any chance of saving your system.

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip

Unzip it to your desktop.

* Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed
After the updates are installed exit Ewido.

* CleanUp!

Install it.

* Killbox by Option^Explicit

Save it to your desktop.

Open Notepad and copy all the following files to this new file and save it asKillboxfiles.txt. These will be the files that I will be asking you to paste into Killbox later:

C:\Windows\System32\syscfg.exe
C:\WINDOWS\svchost.exe

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.

Click on scanner
Click Complete System Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop
Exit Ewido

3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

4.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O4 - HKLM\..\Run: [System Support] syscfg.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYUS
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O23 - Service: Microsoft Windows - Unknown owner - C:\WINDOWS\svchost.exe

Close HiJackThis.

5.) Run Killbox.exe.

* Select "Delete on Reboot".

* Open the notepad you saved earlier. Press CTRL + A to select all file paths in the notepad, then press CTRL + C which will copy all of them to the clipboard.

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After computer has restarted continue with the rest of the instructions:

6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

Regards and Good Luck,

Trevuren

#11
chingwithbling

Posted 10 July 2005 - 03:14 PM

Member

Topic Starter
Member
24 posts

Since the computer doesnt have access to the internet, I separately downloaded the security database from ewido, and also, where you said to copy the files into notepad, it is only the locations of the files that you had there, right?

#12
Trevuren

Posted 10 July 2005 - 03:39 PM

Old Dog

Retired Staff
18,699 posts

Yep!!! Just the text in bold. I probably could have saved you the trouble and put them there right off but I'm lazy,

Trevuren

#13
chingwithbling

Posted 10 July 2005 - 03:50 PM

Member

Topic Starter
Member
24 posts

While ewido was scanning, it came across several spyware/adware files, but the only option was to remove. I didnt think that any of these were connected with the infection, so I had ewido remove them. Most of them were in the registry and temporary internet files folder.

Edit: Also, it seems like all of the stuff that ewido has found so far can only be left alone or removed. Is this normal?

Edited by chingwithbling, 10 July 2005 - 04:51 PM.

#14
Trevuren

Posted 10 July 2005 - 06:19 PM

Old Dog

Retired Staff
18,699 posts

Yes it is normal. Would you please send me e new HJT log. Thanks.

Trevuren

#15
chingwithbling

Posted 11 July 2005 - 08:13 PM

Member

Topic Starter
Member
24 posts

After I ran all the programs I was having trouble connecting through my usb ports, but for some reason now it works just fine, so I'm about to do the two online scans you wanted, and then I'll post up the logs.