
Ntkrnl Trojan I Can't Stop Or Locate In Safe Mode


4 replies to this topic

#1 allpdoff

allpdoff

  • Members
  • 2 posts

Posted 15 January 2007 - 01:08 PM

Hi, this is a Win 2003 Small Business Server with Service Pack 1 installed. Also SQL Server 2005, .NET 2.1, IIS 6.0, IMail v8. Hardware is a Compaq ProLiant 1850R, dual 500 MHz, 500 MB RAM, 180 GB RAID level 5 array, 28 GB OS partition (C:), dual network cards, a public address and a private address; its function is a hosted web server / email server. Norton AntiVirus Corporate Edition fully up to date. NOD32 trial version fully up to date.
I first noticed a DoS attack affecting my entire network. Disabling the public network adaptor will stop the DoS on my network. When booted in safe mode all scans come up clean with no infections found. I have also run Stinger, RegCure, Spy Sweeper, True Sword, XoftSpy and BitDefender. All are clean in safe mode with no detection.
In the normal Windows desktop I have a popup every 20 seconds or so: an "NTKrnl secure suite" splash screen. Norton Auto-Protect displays Trojan.CachecacheKit ... Count 2 ... deleted ... APQ59
NOD32 popup displays c:\windows\system32\rdriv.sys ... Threat win32/rootkitI Trojan
Event occurred attempting to access the file by the application c:\windows\service.exe
I have renamed the file c:\windows\service.exe to c:\windows\service.old; this has stopped the NTKrnl splash page from popping up. Norton still keeps finding "Trojan.CachecacheKit" in Auto-Protect but not in manual scans. Attached is the HijackThis log; any help is really welcome. Thanks, Peter.

Logfile of HijackThis v1.99.1
Scan saved at 11:54:37 AM, on 1/14/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\config\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\IMail\IMAP4D32.exe
C:\IMail\IMonitor.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.5\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ntfrs.exe
C:\IMail\queuemgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SAV\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINDOWS\system32\cronos.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\net.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe
D:\Peter\Tools Downloaded\Virus Tools\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=54981
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE" -a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [Windows Firewall Updater] cronos.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\RunServices: [Windows Firewall Updater] cronos.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144424385280
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144424372687
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ProgressiveLivingSolutions.local
O17 - HKLM\Software\..\Telephony: DomainName = ProgressiveLivingSolutions.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{50B4654E-30F5-48BF-8518-D69C2220AAFE}: NameServer = 192.168.0.39
O17 - HKLM\System\CCS\Services\Tcpip\..\{58C16E59-34EE-4DE6-BCE3-98C9D4684375}: NameServer = 192.168.0.39
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ProgressiveLivingSolutions.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Backup Server - Unknown owner - C:\PROGRA~1\NOVANE~3\BACKUP~2.EXE
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CCProxy(C..Program Files.config.svchost.exe) - Unknown owner - C:\Program Files\config\svchost.exe" -service (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: IMail FINGER Server (FINGRD32) - Ipswitch, Inc. - C:\IMail\FINGRD32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IMail IMAP4 Server (IMAP4D32) - Ipswitch, Inc. - C:\IMail\IMAP4D32.exe
O23 - Service: IMail Monitor Service (IMONITOR) - Ipswitch, Inc. - C:\IMail\IMonitor.exe
O23 - Service: IMUAZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IMUAZ.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: IMail Web Calendar Service (IWEBCAL) - Ipswitch, Inc. - C:\IMail\IWebCal.exe
O23 - Service: IMail Web Service (IWEBMSG) - Ipswitch, Inc. - C:\IMail\iwebmsg.exe
O23 - Service: LU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LU.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (ACT7) (MSSQL$ACT7) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe" -sACT7 (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.5\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IMail LDAP Service (OpenLDAP-slapd) - Unknown owner - C:\IMail\OpenLDAP\bin\slapd.exe
O23 - Service: IMail POP3 Server (POP3D32) - Ipswitch, Inc. - C:\IMail\POP3D32.exe
O23 - Service: IMail PWD Server (PSERVE) - Ipswitch, Inc. - C:\IMail\PSERVE.exe
O23 - Service: IMail Queue Manager Service (QUEUEMGR) - Ipswitch, Inc. - C:\IMail\queuemgr.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: service - Unknown owner - C:\WINDOWS\service.exe (file missing)
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - C:\IMail\smtpd32.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: IMail Sys Logger Service (SYSLOGD) - Ipswitch, Inc. - C:\IMail\SYSLOGD.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: IMail WHOIS Server (WHOISD32) - Ipswitch, Inc. - C:\IMail\WHOISD32.exe
O23 - Service: Windows Internet Name Service (WINS) (WINS) - Unknown owner - C:\WINDOWS\System32\wins.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
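Added example, not code from the post or from HijackThis: a small Python triage script that parses O4 and O23 lines in the format of the log above and flags the patterns a reviewer would query (a bare filename in a Run key, a service running from a Temp folder, a svchost.exe outside system32, an unknown-owner service binary sitting directly in the Windows folder). The line regexes and the flag rules are my assumptions about HJT 1.99.1 output; the sample lines are copied from the log.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Firewall Updater] cronos.exe
O4 - HKLM\..\RunServices: [Windows Firewall Updater] cronos.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: IMUAZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IMUAZ.exe
O23 - Service: CCProxy(C..Program Files.config.svchost.exe) - Unknown owner - C:\Program Files\config\svchost.exe" -service (file missing)
O23 - Service: service - Unknown owner - C:\WINDOWS\service.exe (file missing)
"""

# Assumed shape of HJT 1.99.1 O4 / O23 lines (assumption, not the tool's spec).
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$')
# Core Windows binaries that legitimately live only under %SystemRoot%\system32.
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}

def exe_path(cmd):
    """Pull the executable path out of an HJT command field (quoted or not)."""
    m = re.search(r'([A-Za-z]:\\.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip().strip('"').split()[0]

def check_line(line):
    """Return the reasons an O4/O23 line deserves manual review ([] if none)."""
    m = O4_RE.match(line) or O23_RE.match(line)
    if not m:
        return []
    reasons = []
    path = exe_path(m.group("cmd"))
    p = PureWindowsPath(path)
    if line.startswith("O4") and p.parent == PureWindowsPath("."):
        reasons.append("autorun gives a bare filename with no path")
    if "\\temp\\" in path.lower():
        reasons.append("binary runs from a Temp directory")
    if p.name.lower() in SYSTEM_BINARIES and "system32" not in path.lower():
        reasons.append(f"{p.name} outside system32 (name mimics a Windows component)")
    if line.startswith("O23") and m.group("owner") == "Unknown owner" \
            and len(p.parts) == 3 and p.parts[1].lower() == "windows":
        reasons.append("unknown-owner service binary sitting directly in the Windows folder")
    return reasons

def scan(log):
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    return {l: r for l in log.strip().splitlines() if (r := check_line(l))}
```

Running `scan(SAMPLE_LOG)` flags five of the seven sample lines and leaves the two vendor-signed entries alone.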



#2 Whisperer

Whisperer

  • Members
  • 405 posts

Posted 24 January 2007 - 07:31 AM

Hi allpdoff and welcome to the Bleeping Computer forums. My name is Whisperer and I will be helping you with your problem. Although I am experienced with computers, I am currently a Trainee in Malware removal and, as such, any fixes will be checked by malware experts. I am sorry for the delay in answering your problem but things are pretty hectic in the anti-malware world. If you still need help then please read on.

I note that you have NOD32, BitDefender and Norton running. It is most important that you do not run more than one antivirus solution at any one time; Norton's is extremely intolerant of other systems! It could well be that stopping two of them will solve your problem; either way it is a start.

If you have not done so already, please do the initial cleanup steps in the following instructions and then post a new log: Preparation Guide For Use Before Posting a HijackThis Log

To assist me in any cleanup, I would like you to produce a list of installed programs.
  • To do this, open your HijackThis
    • Click on Open the Misc Tools section or the Config... button, depending on how you are set up.
    • If you used the Config... option, then click the Misc Tools tab.
    • Select Open Uninstall Manager; a list of your installed programs will be displayed.
    • Select the Save List… button and save the file to your desktop.
  • Please post a copy of this list and an up-to-date HijackThis log in your reply
GT :thumbsup:

#3 allpdoff

allpdoff
  • Topic Starter

  • Members
  • 2 posts

Posted 24 January 2007 - 04:35 PM

Hi, thanks for the input. I was able to resolve this by installing IE7 and security tools; this caught and stopped whatever it was. I will research this when I get time to go through the logs and post it here FYI. Again, thanks for your time. Peter..... :thumbsup:

#4 Whisperer

Whisperer

  • Members
  • 405 posts

Posted 24 January 2007 - 05:25 PM

Hi Peter,

Thank you for the information. I am glad that you have resolved your problem and I look forward to a follow up if available later.

Best wishes

GT :thumbsup:

#5 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 24 February 2007 - 01:59 PM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread.
This applies to the topic starter only; everyone else with similar problems, start a new topic.

glad we could help :thumbsup:

thank you Whisperer :flowers:
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor



