Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Newbie - got infected with rdriv.sys - Need help [CLOSED]


  • This topic is locked This topic is locked

#1
huangrx

huangrx

    New Member

  • Member
  • Pip
  • 2 posts
Hi all,

I really hope someone can help. I currently have Norton AntiVirus installed with latest updates. But the rdriv.sys (Trojan.Cachecachekit) seems to keep spawning itself, even when Norton says that it has detected and automatically deleted the virus.

The log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:29 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Oeix\Tzoa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\qtask.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\PC Suite for Nokia N-Gage\connmngmntbox.exe
C:\Program Files\Nokia\PC Suite for Nokia N-Gage\ectaskscheduler.exe
C:\Program Files\mIRC\download\MEMTURBO.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\13A.tmp

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shllrfgka...4UsbK_rlkEo.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.animesuki.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
O1 - Hosts: MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnmsgq32] C:\WINNT\msnmsgq.exe
O4 - HKLM\..\Run: [JVM0.12] C:\WINNT\system32\dgtxm.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [Lzxht] C:\Program Files\Oeix\Tzoa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\NeroCheck.exe /i
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SheduIer] C:\WINNT\qttasks.exe /i
O4 - HKLM\..\Run: [ScheduIe] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [resagnt] C:\WINNT\restun.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Communicator] C:\WINNT\comm.exe /i
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Windows PNP Server] pnpsrv.exe
O4 - HKLM\..\Run: [WINDOWS SYSTEM] botzor.exe
O4 - HKLM\..\Run: [64signtonsbone] C:\Documents and Settings\All Users\Application Data\MediaSend64Sign\NEWSETUP.exe
O4 - HKLM\..\Run: [Windows PNP] winpnp.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\13A.tmp
O4 - HKLM\..\Run: [Windows Update] qtask.exe
O4 - HKLM\..\Run: [Windows Help Service] winhlp.pif
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliterdw32.exe
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\RunServices: [Windows PNP Server] pnpsrv.exe
O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] botzor.exe
O4 - HKLM\..\RunServices: [Windows PNP] winpnp.exe
O4 - HKLM\..\RunServices: [Windows Update] qtask.exe
O4 - HKLM\..\RunServices: [Windows Help Service] winhlp.pif
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMAN.EXE /onboot
O4 - HKCU\..\Run: [Chin Delete] C:\DOCUME~1\AthlonXP\APPLIC~1\HTMDUMB\RectDownload.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Windows PNP] winpnp.exe
O4 - HKCU\..\Run: [Windows Help Service] winhlp.pif
O4 - HKCU\..\Run: [Windows Update] qtask.exe
O4 - HKCU\..\RunServices: [Windows PNP] winpnp.exe
O4 - HKCU\..\RunServices: [Windows Help Service] winhlp.pif
O4 - HKCU\..\RunServices: [Windows Update] qtask.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\mIRC\download\MEMTURBO.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: PCSuiteForNokiaN-Gage Detect.lnk = C:\Program Files\Nokia\PC Suite for Nokia N-Gage\connmngmntbox.exe
O4 - Global Startup: PCSuiteForNokiaN-Gage TS.lnk = C:\Program Files\Nokia\PC Suite for Nokia N-Gage\ectaskscheduler.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.justis.com/j-net/smsx.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/do...atch/EARTPX.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldw...ed/wwlaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunboun...Crypt/npkcx.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...321/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_1_0.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7BEB27E-CB0F-41ED-B1BB-1347EFC12EA7}: NameServer = 192.169.34.181 203.120.90.40
O20 - Winlogon Notify: -mtypxuyb - C:\WINNT\system32\phqghu.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINNT\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe (file missing)
O23 - Service: Windows Kernel - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe
O23 - Service: BullGuard Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe

Best regards,
Ray
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
huangrx

huangrx

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

View Post


Thanks Sam.
Yes, I still need help. Here's my fresh Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 6:22:17 PM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINNT\system32\qtask.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\PC Suite for Nokia N-Gage\connmngmntbox.exe
C:\Program Files\Nokia\PC Suite for Nokia N-Gage\ectaskscheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Program Files\mIRC\download\MEMTURBO.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eadpochya...UsbK_rlkEo.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.animesuki.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
O1 - Hosts: MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
O2 - BHO: (no name) - {AD3785FC-527D-BF61-0314-959F06616F3A} - C:\DOCUME~1\DEFAUL~1\APPLIC~1\TONSRD~1\sendiso.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnmsgq32] C:\WINNT\msnmsgq.exe
O4 - HKLM\..\Run: [JVM0.12] C:\WINNT\system32\dgtxm.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\NeroCheck.exe /i
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SheduIer] C:\WINNT\qttasks.exe /i
O4 - HKLM\..\Run: [ScheduIe] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [resagnt] C:\WINNT\restun.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Communicator] C:\WINNT\comm.exe /i
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Windows PNP Server] pnpsrv.exe
O4 - HKLM\..\Run: [Windows PNP] winpnp.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\13A.tmp
O4 - HKLM\..\Run: [Windows Update] qtask.exe
O4 - HKLM\..\Run: [Windows Help Service] winhlp.pif
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliterdw32.exe
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [64signtonsbone] C:\Documents and Settings\All Users\Application Data\MediaSend64Sign\List Info.exe
O4 - HKLM\..\RunServices: [Windows PNP Server] pnpsrv.exe
O4 - HKLM\..\RunServices: [Windows PNP] winpnp.exe
O4 - HKLM\..\RunServices: [Windows Update] qtask.exe
O4 - HKLM\..\RunServices: [Windows Help Service] winhlp.pif
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMAN.EXE /onboot
O4 - HKCU\..\Run: [Chin Delete] C:\DOCUME~1\AthlonXP\APPLIC~1\HTMDUMB\RectDownload.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Windows PNP] winpnp.exe
O4 - HKCU\..\Run: [Windows Help Service] winhlp.pif
O4 - HKCU\..\Run: [Windows Update] qtask.exe
O4 - HKCU\..\RunServices: [Windows PNP] winpnp.exe
O4 - HKCU\..\RunServices: [Windows Help Service] winhlp.pif
O4 - HKCU\..\RunServices: [Windows Update] qtask.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\mIRC\download\MEMTURBO.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: PCSuiteForNokiaN-Gage Detect.lnk = C:\Program Files\Nokia\PC Suite for Nokia N-Gage\connmngmntbox.exe
O4 - Global Startup: PCSuiteForNokiaN-Gage TS.lnk = C:\Program Files\Nokia\PC Suite for Nokia N-Gage\ectaskscheduler.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.justis.com/j-net/smsx.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/do...atch/EARTPX.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124539049781
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldw...ed/wwlaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunboun...Crypt/npkcx.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...321/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_1_0.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7BEB27E-CB0F-41ED-B1BB-1347EFC12EA7}: NameServer = 192.169.34.181 203.120.90.40
O20 - Winlogon Notify: -mtypxuyb - C:\WINNT\system32\phqghu.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINNT\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe (file missing)
O23 - Service: Windows Kernel - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
O23 - Service: BullGuard Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe


Cheers,
Ray
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
This is a fairly lengthy fix, but we should be able to take care of many of your issues with this step.

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip
  • Unzip it to your desktop.
* Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed exit Ewido.
* CleanUp!
  • Install it.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

4.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eadpochya...UsbK_rlkEo.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
O1 - Hosts: MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
O2 - BHO: (no name) - {AD3785FC-527D-BF61-0314-959F06616F3A} - C:\DOCUME~1\DEFAUL~1\APPLIC~1\TONSRD~1\sendiso.exe
O4 - HKLM\..\Run: [msnmsgq32] C:\WINNT\msnmsgq.exe
O4 - HKLM\..\Run: [JVM0.12] C:\WINNT\system32\dgtxm.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [SheduIer] C:\WINNT\qttasks.exe /i
O4 - HKLM\..\Run: [ScheduIe] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [resagnt] C:\WINNT\restun.exe
O4 - HKLM\..\Run: [Communicator] C:\WINNT\comm.exe /i
O4 - HKLM\..\Run: [Windows PNP Server] pnpsrv.exe
O4 - HKLM\..\Run: [Windows PNP] winpnp.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\13A.tmp
O4 - HKLM\..\Run: [Windows Update] qtask.exe
O4 - HKLM\..\Run: [Windows Help Service] winhlp.pif
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliterdw32.exe
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [64signtonsbone] C:\Documents and Settings\All Users\Application Data\MediaSend64Sign\List Info.exe
O4 - HKLM\..\RunServices: [Windows PNP Server] pnpsrv.exe
O4 - HKLM\..\RunServices: [Windows PNP] winpnp.exe
O4 - HKLM\..\RunServices: [Windows Update] qtask.exe
O4 - HKLM\..\RunServices: [Windows Help Service] winhlp.pif
O4 - HKCU\..\Run: [Chin Delete] C:\DOCUME~1\AthlonXP\APPLIC~1\HTMDUMB\RectDownload.exe
O4 - HKCU\..\Run: [Windows PNP] winpnp.exe
O4 - HKCU\..\Run: [Windows Help Service] winhlp.pif
O4 - HKCU\..\Run: [Windows Update] qtask.exe
O4 - HKCU\..\RunServices: [Windows PNP] winpnp.exe
O4 - HKCU\..\RunServices: [Windows Help Service] winhlp.pif
O4 - HKCU\..\RunServices: [Windows Update] qtask.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O23 - Service: Windows Kernel - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)


Close HiJackThis.


6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.
  • 0

#5
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP