# trojan.Cachecachekit



## ANNR

Anybody care to take this on?  I tried everything I know but was still unable to remove it.

I deleted it myself when in safe mode but it just comes back when I restart my computer. It is the same when I scan it with NAV 2005: it deleted it but it just came back again when I restarted.  I also tried the tool from their site and followed their instructions on removing the registry entries but I can't find anything.


----------



## Byteman

Please run HijackThis and post a log.  Follow the tips in the sticky.  

Sounds like a dll or something that's getting missed. Anyway, since it keeps on reappearing, it should show its ugly head in a HJT log.


----------



## ANNR

Here is the HijackThis log.

Oh, by the way, I noticed that Norton is the only AV that has some information on this nasty little thing when I did a Google search.  But I don't think any of their (so-called) fixes work, at least not the ones that I got from their site.  And the instructions on removing this thing given by Norton do not help me at all.

Logfile of HijackThis v1.99.1
Scan saved at 11:21:11 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\ShuFen Li\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1119028541076
O17 - HKLM\System\CCS\Services\Tcpip\..\{81180156-BF02-40AE-AA82-D869E860A182}: NameServer = 141.154.0.68 151.202.0.85
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## ANNR

OK, it seems that I solved the problem after doing some research.  My NAV can't do anything because the file rdriv.sys just keeps coming back.

Here is how I fixed mine. Hope it will help anybody who is having the same problem as I did. My OS is XP Home with SP2.

1. Disable System Restore.
2. Boot in safe mode.
3. Go to My Computer and Tools/Folder Options/View and click on "Show hidden files and folders".  Also uncheck "Hide protected operating system files (Recommended)".
4. Go to C:\WINDOWS\, find lsass.exe and cut it to the desktop. (I also made a .rar file out of it in case it runs.) Delete the original.
5. Go to C:\WINDOWS\ and find the file called rdriv.sys or just rdriv and open it in WordPad.  Delete some or most of the command lines and save it.
6. Restart your computer in normal mode and redo what you did in steps 1 and 3.

I did step 4 because I noticed that my Giant AntiSpyware blocked a process called lsass.exe, saying it may be a trojan. (lsass.exe is a Windows process but it can also be spyware. Google for it.)

This worked for my computer but I'm not sure if it will work on yours, so good luck.


----------



## Byteman

Yup, you notice you had 2 instances of lsass, one prob legit the other bogus.

You can also get rid of a few lines:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Also, if the lsass you deleted was in the windows directory, (the legit one runs in the system32, not windows directory), note it had a service tied to it as well, get rid of it.
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe

Do you recognize these DNS settings? If not, get rid of them as well:
O17 - HKLM\System\CCS\Services\Tcpip\..\{81180156-BF02-40AE-AA82-D869E860A182}: NameServer = 141.154.0.68 151.202.0.85


----------
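
The check Byteman describes (the legit lsass runs from system32, and the bogus copy had a service tied to it), as an added Python example that is not part of the thread. The names `misplaced` and `review`, the `SYSTEM32_ONLY` list and the WINDOWS/WINNT directory names are assumptions; the sample excerpts are built from lines of ANNR's two logs.

```python
import ntpath
import re

# Assumption: core Windows binaries that normally load only from <windir>\system32.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# O23 - Service: <display name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")


def misplaced(path):
    """True when a system32-only file name is loaded from any other directory."""
    directory, name = ntpath.split(path.lower())
    if name not in SYSTEM32_ONLY:
        return False
    # Assumption: the Windows directory is named WINDOWS (XP) or WINNT (2000).
    return re.fullmatch(r"[a-z]:\\(windows|winnt)\\system32", directory) is None


def review(log_text):
    """Return (kind, path, note) findings for a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
            elif misplaced(line):
                findings.append(("process", line, "running outside system32"))
        else:
            m = O23_RE.match(line)
            if m and misplaced(m["path"]):
                note = ("leftover service entry, file missing" if m["missing"]
                        else "service starts misplaced binary")
                findings.append(("service", m["path"],
                                 f"{note} ({m['owner']})"))
    return findings


# Excerpts built from lines of the two logs posted in this thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\lsass.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
"""

AFTER = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE

O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        for finding in review(log):
            print(label, *finding, sep=" | ")
```

A finding is a prompt to inspect the file and its service entry; a file name and location alone do not identify what the binary is.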



## ANNR

Thanks Byteman


----------



## ANNR

Here is my new log.

Logfile of HijackThis v1.99.1
Scan saved at 5:57:27 PM, on 6/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\ShuFen Li\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1119028541076
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I noticed that this is still there after fixing it 3 times. It says file missing. Can the reason that it is coming back after fixing it every time be due to the fact that I deleted it myself instead of using HijackThis? And the fact that it says file missing, does that mean it is OK just to leave it there? Anyway, how can I delete or fix it? If I can't because the file is already gone, it is OK.

O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)


----------



## Buzz1927

Try this. Open Hijackthis. Go to the Misc Tools section. Open the Process Manager. Look for this line - C:\WINDOWS\lsass.exe. If it's there, kill the process. Then go to Delete NT Service. Type in C:\WINDOWS\lsass.exe and hit OK. Reboot and see if that's done it.


----------



## ANNR

It says C:\WINDOWS\lsass.exe was not found in the registry. I guess this means it is gone for good even though it still shows up on the HijackThis scan.  Anyway, what do you think, Buzz1927?


----------



## Buzz1927

Yes, it sounds like it's gone, just some leftovers HJT is seeing.


----------



## ANNR

Nice.  Once again, thanks for your help.

By the way, I think it would be nice if there were a system on this forum that allows members to give ratings to other members.  Like giving them stars for helping out.


----------



## mikemast

I am having the same problem, and I don't have 2 instances of lsass running. Antivirus is popping up that rdrive.sys has been deleted because of the Trojan.cachecachekit.
Any help on this issue?

Thanks Mike



Logfile of HijackThis v1.99.1
Scan saved at 6:28:36 PM, on 7/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
D:\Micros\RES\POS\Bin\3700d.exe
E:\Panera\Util\AutoTask.exe
E:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\Explorer.exe
D:\MICROS\RES\GSS\Bin\CIService.exe
D:\Micros\RES\POS\Bin\DbUpdateServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
D:\MICROS\COMMON\Bin\CALSrv.exe
D:\MICROS\res\pos\Bin\resdbs.exe
D:\MICROS\COMMON\Bin\RunDBMS.exe
D:\Micros\COMMON\Bin\DSM.exe
D:\MICROS\COMMON\Bin\MicrosDsk.exe
C:\WINNT\system32\MSTask.exe
D:\MICROS\res\pos\Bin\ConnAdvisor.exe
D:\MICROS\res\pos\Bin\MDSHTTPService.exe
D:\MICROS\COMMON\Bin\CMS.exe
D:\MICROS\COMMON\Bin\ComScheduler.exe
C:\WINNT\System32\SVSw32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
D:\MICROS\COMMON\Bin\CMSC.exe
D:\MICROS\DATABASE\SYBASE\Adaptive Server Anywhere 6.0\Win32\dbsrv6.exe
D:\Micros\Res\Pos\bin\OPS.exe
D:\Micros\Res\Pos\bin\IFS.exe
D:\Micros\Res\Pos\bin\PControl.exe
D:\MICROS\COMMON\Bin\AutoSeqServ.exe
D:\Micros\Res\Pos\bin\CCS.exe
C:\kp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://63.165.2.34:8383/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: Shell=D:\MICROS\COMMON\BIN\MicrosExplorer.exe
O1 - Hosts: 204.95.114.131 euro
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {aa44da02-7f61-11d4-a3e1-00c04fa32518} - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AE5603F-1BCE-4D9B-A83B-A7C6C839D0CB}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: MICROS 3700 System (3700d) - MICROS Systems, Inc. - D:\Micros\RES\POS\Bin\3700d.exe
O23 - Service: Auto Task (AutoTask) - Panera, LLC - E:\Panera\Util\AutoTask.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - E:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MICROS Caller ID Service (CISERVICE) - MICROS Systems, Inc. - D:\MICROS\RES\GSS\Bin\CIService.exe
O23 - Service: MICROS DB Update Service (DbUpdateServer) - MICROS Systems, Inc. - D:\Micros\RES\POS\Bin\DbUpdateServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MICROS Backup Server - MICROS Systems, Inc. - D:\MICROS\res\pos\Bin\resbsm.exe
O23 - Service: MICROS CAL Service - Unknown owner - D:\MICROS\COMMON\Bin\CALSrv.exe
O23 - Service: MICROS Database Service - MICROS Systems, Inc. - D:\MICROS\res\pos\Bin\resdbs.exe
O23 - Service: MICROS Distributed Service Manager - MICROS Systems, Inc. - D:\Micros\COMMON\Bin\DSM.exe
O23 - Service: MICROS Cash Management COM Server (MicrosCashManagementComServer) - MICROS Systems, Inc. - D:\MICROS\COMMON\Bin\CMSC.exe
O23 - Service: MICROS Secure Desktop (MicrosDesk) - MICROS Systems, Inc. - D:\MICROS\COMMON\Bin\MicrosDsk.exe
O23 - Service: OracleClientCache80 - Unknown owner - E:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: sqlCAFEXXX (SQLANYs_sqlCAFEXXX) - Sybase, Inc. - D:\MICROS\DATABASE\SYBASE\Adaptive Server Anywhere 6.0\Win32\dbsrv6.exe
O23 - Service: sqlNTSERVER4325 (SQLANYs_sqlNTSERVER4325) - Sybase, Inc. - D:\MICROS\DATABASE\SYBASE\Adaptive Server Anywhere 6.0\Win32\dbsrv6.exe
O23 - Service: MICROS Connection Advisor (srvConnAdvisor) - MICROS Systems, Inc. - D:\MICROS\res\pos\Bin\ConnAdvisor.exe
O23 - Service: MICROS MDS HTTP Service (srvMDSHTTPService) - MICROS Systems, Inc. - D:\MICROS\res\pos\Bin\MDSHTTPService.exe
O23 - Service: MICROS Cash Management (svcCashManager) - MICROS Systems, Inc. - D:\MICROS\COMMON\Bin\CMS.exe
O23 - Service: MICROS LM COM Scheduler (svcCOMScheduler) - MICROS Systems, Inc. - D:\MICROS\COMMON\Bin\ComScheduler.exe
O23 - Service: svsw32 - MICROS Systems, Inc. - C:\WINNT\System32\SVSw32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ati Management (Winconfig32) - Unknown owner - C:\WINNT\scvhost.exe


----------



## Buzz1927

Hi Mike.
Could you please run the scans in the Sticky, reboot, and post a new Hijackthis log.


----------



## mikemast

All that has been done: Ad-Aware, Spybot, Trend Micro. Booted into safe mode and ran the scans, had them fix all problems.
And still the problem persists. Tried a few removals I found on the web and it still keeps coming back.
I haven't done the pandasoftware scan, but I will do that also, and let you know.


----------



## Buzz1927

Ok Mike.
After that, download Ewido. Update it, then boot to safemode. Run Ewido, do a full scan, and post a new Hijackthis log.


----------



## billybobjoe

Go to pcsafe.com and download and buy the anti-spyware software and it should remove it.


----------

