
Infected With Trojan.cachecachekit / Trojan Horse Generic.gm


9 replies to this topic

#1 z-man


Posted 27 December 2005 - 12:38 PM

Hi Guys,

I've had a virus on my computer for 2 months now but can't remove it. Norton says it's trojan.cachecachekit and AVG says it's trojan horse Generic.GM. I've done scans with Panda, AVG, Ewido, Stinger, Spybot, Ad-Aware SE, CCleaner in both safe mode and normal mode but nothing seems to work. It SEEMS once the system boots up it re-installs itself. The popups are so bad I can't even work on the computer. If I want to work then I need to disable my anti-virus shield. My laptop is a dual boot system (win 2000 pro and win xp). So far I only see a problem with win 2000. Win XP seems to be fine. I have a wireless network at home but this virus was caught while I was away from home.

I have tried suggestions from other forums and Symantec but so far nothing has worked. Now either it's re-formatting the HD or you guys. Pleaaaaaaaaaase don't make me re-format my HD. Thanks for all your help in advance.


Here is the most recent Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:40 AM, on 12/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\SOUNDMAN.EXE
D:\WINNT\AGRSMMSG.exe
D:\Program Files\ltmoh\Ltmoh.exe
D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PanelICON.exe
C:\Program Files\Launch Manager\OSD.exe
D:\WINNT\System32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\WINNT\system32\rundll32.exe
D:\Program Files\FacetCorp\FacetWin\fwagent.exe
D:\Program Files\Citrix\ICA Client\pnagent.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\WINNT\System32\SCardSvr.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Documents and Settings\Zia Mirza\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] D:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AVManager] "D:\Program Files\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft IIS] D:\WINNT\system32\syshost.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] D:\WINNT\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Microsoft Windows Autowxckn] autowxckn.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows Autowxckn] autowxckn.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Windows Autowxckn] autowxckn.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: FacetWin Agent.lnk = D:\Program Files\FacetCorp\FacetWin\fwagent.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = D:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131083306859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134601355890
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: File copy caching service (cpy) - Unknown owner - D:\WINNT\cpy.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Mod Libary (modlb) - Unknown owner - D:\WINNT\modlb.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe



#2 MFDnSC


Posted 28 December 2005 - 01:25 PM

Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [Microsoft IIS] D:\WINNT\system32\syshost.exe

O4 - HKLM\..\Run: [Microsoft Windows Autowxckn] autowxckn.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Autowxckn] autowxckn.exe

O4 - HKCU\..\Run: [Microsoft Windows Autowxckn] autowxckn.exe

O23 - Service: File copy caching service (cpy) - Unknown owner - D:\WINNT\cpy.exe

O23 - Service: Mod Libary (modlb) - Unknown owner - D:\WINNT\modlb.exe (file missing)
=================

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find

File copy caching service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

Repeat for - Mod Libary
=============

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

D:\WINNT\system32\syshost.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 z-man


Posted 28 December 2005 - 05:43 PM

Thank you so much MFDnSC. It seems to have worked. I rebooted the machine and the AVG shield is on but no popups have come up. I am running some scans now just to be sure that no one picks up anything. I'll keep you posted.

BTW, I could not delete the following file through KillBox: D:\WINNT\system32\syshost.exe

It said file not found. Did you mean 'syshost' or 'svchost'?

Everything else worked perfectly.

#4 MFDnSC


Posted 28 December 2005 - 06:01 PM

That is normal, and yes, I meant syshost.exe.

See this that we removed

O4 - HKLM\..\Run: [Microsoft IIS] D:\WINNT\system32\syshost.exe

Typical malware that tries to look right.

#5 z-man


Posted 28 December 2005 - 08:59 PM

I've done a scan with AVG, Panda, Ewido and Spybot and none of them reported Trojan.cachecachekit or trojan horse Generic.GM but panda did report 2 suspicious files which it did not disinfect.

Once again thanks for all your help MFDnSC.

#6 MFDnSC


Posted 29 December 2005 - 11:25 AM

What is Panda finding?

Delete the contents of C:\!Killbox

Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

#7 z-man


Posted 29 December 2005 - 03:57 PM

Here are the files that Panda considers suspicious:


Incident | Status | Location
Possible Virus. | Not desinfected | D:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WPX6038\cpy[1].exe
Possible Virus. | Not desinfected | D:\WINNT\cpy.exe

I'll carry out your other instructions and get back to you ASAP. Once again thanks for all your help.

#8 z-man


Posted 29 December 2005 - 04:07 PM

I have deleted the contents of !KillBox but did not do anything with the system restore points since I am using Windows 2000 pro.

#9 MFDnSC


Posted 29 December 2005 - 04:28 PM

Ooooops, I knew that, but it's so easy these days to assume XP.

Use killbox to get this one

D:\WINNT\cpy.exe

Use the delete on reboot option

DownLoad EasyCleaner http://www.majorgeeks.com/download414.html

Use the Clear Files and Unnecessary Files buttons. I do not recommend using the Duplicate Files button, as many dupes are there on purpose.

Not all files will delete – that is normal.

In the unnecessary button I check the top 4 entries

#10 z-man


Posted 30 December 2005 - 12:52 PM

I carried out your instructions plus some of my own stuff and now the system is clean.

Thank you for all your help. You've been a great helper.



