Marco95
join:2005-10-05
95100
| Can't Remove rdriv virus
Hello,
I tried to remove rdriv virus with norton, troyen remover, rdriv rem, spybot, ad-aware but it's still present. If someone can help me to remove rdriv. Please find here hijackthis.log :
Logfile of HijackThis v1.99.1
Scan saved at 12:16:52, on 03/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\SMARTD~1\SDPhotoBar.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ntsys32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Charly Sarfati\Bureau\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »www.free.fr/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »home.free.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »www.searchtheworld4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [system service69] C:\WINDOWS\\etb\pokapoka69.exe
O4 - HKLM\..\Run: [system service70] C:\WINDOWS\\\etb\\pokapoka70.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus C44 Series (Copie 1)] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P33 "EPSON Stylus C44 Series (Copie 1)" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SDPhotoBar.exe] C:\SMARTD~1\SDPhotoBar.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···09128859
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - »messenger.msn.com/download/MsnMe···ader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\sysTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: NTsystem (system) - Unknown owner - C:\WINDOWS\ntsys32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
|
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
| Hi Marco,
Have you followed the steps here?:
»Security »I think my computer is infected or hijacked. What should I do?
I can't tell from your post and it is a required step.
You are going to need Ewido, as detailed in Step 4.1, installed, updated and run in safe mode.
You'll also need the newest copy of rdrivrem (It was updated today for new variants)
»www.atribune.org/downloads/rdrivrem.zip
The service you need to disable and remove is this one:
O23 - Service: NTsystem (system) - Unknown owner - C:\WINDOWS\ntsys32.exe
And you'll need to follow up with online AV scans at Trend-Micro and Panda as detailed in the FAQ
»Security »I think my computer is infected or hijacked. What should I do?
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
IloveNOD32
@chello.sk
| reply to Marco95
rdrive.sys is known to be a rootkit and you might need to use rootkitrevealer or another tool to get rid of it. also, i strongly recommend that you have your disk checked with nod32 by carrying out an in-depth analysis. |
|
windtalker6
join:2005-09-11
1 edit | reply to Marco95
Hi, Marco95,
The rdriv.sys file is related to Troj/Rootkit-W (in Sophos classification) trojan. I suggest using good antivirus program like Kaspersky AV to remove the file. Unfortunately, I cannot recommend some specific rootkit removal tools, as I'm not familiar with any of them.
In your HJT log I have found another infection: EliteBar trojan. These entries belong to the parasite:
O4 - HKLM\..\Run: [system service69] C:\WINDOWS\\etb\pokapoka69.exe
O4 - HKLM\..\Run: [system service70] C:\WINDOWS\\\etb\\pokapoka70.exe
Let HijackThis! fixed them. You may also need LQFix utility designed especially to get rid of EliteBar.
If this doesn't help, try EliteBar manual removal instructions. EliteBar installs a lot of files that need to be removed, as they are able to reinstall the pest.
To kill pokapoka xx.exe processes and delete related files you should use the KillBox utility.
You also need to fix this entry:
O23 - Service: NTsystem (system) - Unknown owner - C:\WINDOWS\ntsys32.exe
It is related to W32/Sdbot-LN worm (in Sophos classification). |
|
John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England
1 edit | reply to Marco95
»Security »I think my computer is infected or hijacked. What should I do?
- The format of your post must be exactly as follows with no deviation or your post will be locked or deleted. This is to ensure you have followed the steps correctly and thoroughly, and to provide our helpful members as much information as possible, so they can help you faster and more effectively.
Start your own thread. Do not interrupt other similar threads with your problem.
i) Start the title of your post with "HJT Log" followed by a short remark regarding your problem.
ii) The first paragraph of your post should explain exactly what the problem is. For example, is it a system slow down? Is it Pop ups or ads? Is your computer trying to call out or send emails? etc...
iii) The second paragraph should tell us in detail, which one of the above steps you followed and what the results were. Which steps you had to skip and why, etc... Please note the phrase "in detail". "I've followed all the steps.", may not be enough information for those who are here to help.
iv) The third paragraph should contain the HijackThis log you copied in step
5.e.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.
|
|
