Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.Cachecachekit
File: C:\WINNT\system32\rdriv.sys
Location: C:\WINNT\system32
Computer: ###########
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Tuesday, November 08, 2005 9:10:24 AM
Please help me clean this. It is on an important server that I have unplugged from the network. The log file is below.
THANKS!!
Brian
Logfile of HijackThis v1.99.1
Scan saved at 9:55:36 AM, on 11/8/2005
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dcevt32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dcstor32.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Shavlik Technologies\NetChk Patch\5.1.0.237\HfNetChkProService.exe
E:\Monitoring\NSClient\pNSClient.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\Dell\SysMgt\oma\bin\omsad32.exe
C:\Program Files\Dell\OpenManage\Drac\client\RacAddrs.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\SAV\Rtvscan.exe
C:\Program Files\Dell\SysMgt\Array Manager\VxSvc.exe
C:\Program Files\Artisoft\WinBEEP 32\Shared\WirelessServer.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Drac\client\CmdSrvr.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\mcneillp\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [CYBERRAC] C:\Program Files\Dell\OpenManage\Drac\client\CmdSrvr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinBEEP 32 Paging Server Startup.lnk = C:\Program Files\Artisoft\WinBEEP 32\Shared\Islaunch.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121176552945
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124385201831
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oec.oeconnection.com
O17 - HKLM\Software\..\Telephony: DomainName = oec.oeconnection.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C48DBA7D-0B46-4D3E-B16A-82C888CD10A0}: NameServer = 172.17.17.20,172.17.17.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oec.oeconnection.com
O20 - Winlogon Notify: dimsntfy - C:\WINNT\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dcevt32.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dcstor32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Chong3 Me (MlCR0SOFTS UPDATEe) - Unknown owner - C:\WINNT\N0rtan.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: NetChk Patch Service (NetChkPatch) - Unknown owner - C:\Program Files\Shavlik Technologies\NetChk Patch\5.1.0.237\HfNetChkProService.exe
O23 - Service: Nagios Agent (NSClient) - ClearCentral Software Inc - E:\Monitoring\NSClient\pNSClient.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\omsad32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: DRAC AddressBook Server (RacAddrBook) - American Megatrends Inc. - C:\Program Files\Dell\OpenManage\Drac\client\RacAddrs.exe
O23 - Service: DRAC CardObject Server (RacObject) - American Megatrends Inc. - C:\Program Files\Dell\OpenManage\Drac\client\MStation.exe
O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\SysMgt\iws\bin\win32\omaws32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Disk Management Service (vxsvc) - VERITAS Software Corp. - C:\Program Files\Dell\SysMgt\Array Manager\VxSvc.exe
O23 - Service: WinBEEP 32 Paging Server - Artisoft, Inc. - C:\Program Files\Artisoft\WinBEEP 32\Shared\WirelessServer.exe