
paulp757 (join:2005-10-22 Maywood, NJ)
HJT Log...need trojan fix
Help...I am unable to permanently remove the Trojan.Cachecachekit virus (worm), file C:\WINNT\system32\rdriv.sys...I delete the file (in safe mode) and modify the REG but it keeps coming back. Unable to find what is regenerating the bug.
Have followed all recommendations per Symantec (and others) with no success.
As outlined in FAQ 8426, I completed Steps 1, 2, 3.3, 3.4 and 4.2...
Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:30:08 PM, on 10/22/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\dbg32hlp.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\HJT\hijackthis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [time] time.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [time] time.exe
O4 - HKCU\..\Run: [time] time.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Msdebugsrv1 (Msdebugsrv) - Unknown owner - C:\WINNT\dbg32hlp.exe
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\System32\Rpcmon.exe (file missing)
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
Any help would be deeply appreciated.
Thanks in advance.
Paul
John2g (Qui Tacet Consentit, Premium; join:2001-08-10 England; 1 edit)
Re: HJT Log...need trojan fix
rdriv.sys is a pseudo rootkit. That is why you are having problems removing it.
This might do it.
»Can't Remove rdriv virus
CalamityJane (Premium, VIP, MVM; join:2002-08-27 Eustis, FL)
Re: HJT Log...need trojan fix
said by John2g: "rdriv.sys is a pseudo rootkit. That is why you are having problems removing it. This might do it. »Can't Remove rdriv virus"
No, the file names are going to be different for each victim.
paulp757, I'm writing this up now for you. You have a number of issues to address in addition to rdriv.sys.
Give me a few minutes as it takes a little while to put together for you.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)
CalamityJane (Premium, VIP, MVM; join:2002-08-27 Eustis, FL; 1 edit)
You have at least 3 really bad backdoor trojans on that PC. These connect to a remote attacker who may have done anything they wanted on your PC, including stealing confidential information, lowering system security settings, and downloading malicious software, among other things. Any security software you had on there has been disabled and possibly damaged. There are also changes made to the registry which many of these AV/AT/AS programs do not address or fix (you'll need to check them manually and fix them).
My first recommendation is not to try to clean this PC, but to reformat & reinstall after making backups of important data to removable media (and don't reinstall ANY of that until you have scanned it): »Security »When should I re-format? How should I reinstall?
And you should definitely protect any accounts/sensitive info stored on that PC, as passwords, credit cards, accounts, all may have been stolen: »Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?
Here are the 3 I think you have, and there are probably more: »www.sophos.com/virusinfo/analyse···otj.html
»www.sophos.com/virusinfo/analyse···otl.html
»www.sophos.com/virusinfo/analyse···ott.html
For example, quoting the Sophos analysis: W32/Tilebot-J is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-J spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user. The worm also spreads by exploiting the PnP operating system vulnerability (MS05-039).
W32/Tilebot-J copies itself to the Windows folder with the filename netinfo.exe and creates a service named "NETINFO" in order to run itself on system startup, to which it gives the fake description "Internet Info Service." The following registry branches are created:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETINFO\
HKLM\SYSTEM\CurrentControlSet\Services\netinfo\
W32/Tilebot-J allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas.
W32/Tilebot-J attempts to terminate services with the following names in order to disrupt various security processes including the Windows firewall and Windows critical updates:
Tlntsvr RemoteRegistry Messenger SharedAccess wscsvc
W32/Tilebot-J attempts to set the following registry entries to disrupt various security processes:
HKLM\SOFTWARE\Microsoft\Security Center UpdatesDisableNotify 1
HKLM\SOFTWARE\Microsoft\Security Center AntiVirusDisableNotify 1
HKLM\SOFTWARE\Microsoft\Security Center FirewallDisableNotify 1
HKLM\SOFTWARE\Microsoft\Security Center AntiVirusOverride 1
HKLM\SOFTWARE\Microsoft\Security Center FirewallOverride 1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile EnableFirewall 0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile EnableFirewall 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ AutoUpdate AUOptions 1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc Start 4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr Start 4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry Start 4
HKLM\SYSTEM\CurrentControlSet\Services\Messenger Start 4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa restictanonymous 1
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters AutoShareWks 0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters AutoShareServer 0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters AutoShareWks 0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters AutoShareServer 0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotAlloxXPSP2 1
HKLM\SOFTWARE\Microsoft\OLE EnableDCOM "N"
W32/Tilebot-J may also set entries in the registry at the following locations:
HKLM\SYSTEM\CurrentControlSet\Control\ WaitToKillServiceTimeout
W32/Tilebot-J attempts to remove network shares from the infected computer, as well as changing the policy for SeNetworkLogonRight for the computer.
W32/Tilebot-J may create the file orans.sys and set up a service for it named ORANS. This file is currently detected Troj/Rootkit-AA. The following registry branches are created:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORANS\
HKLM\SYSTEM\CurrentControlSet\Services\orans\
The codbot worms are just as nasty but do different things. I suggest, if you do not reformat/reinstall, looking up those analyses as well to see what kind of changes have been made to your system that may need fixing.
................................
This is the fix I wrote before finding out what each of those worms were...if you choose to try to clean (but I don't recommend it). Note: This will not fix all the damage done to your PC by the worms above. It should only remove the active infections.
First, I see you have SpywareCleaner installed. I hope you didn't buy it as it is listed on the "Hall of Shame" list here: Rogue/Suspect Anti-Spyware Products »www.spywarewarrior.com/rogue_ant···ware.htm
It is recommended you remove the program via the Control Panel in Add/Remove Programs.
......................
1. Please follow all instructions as specified. Print these instructions to ensure all are followed.
2. Please download the following (free) programs, but do not run them yet:
A.: Download Rdriverem.zip »www.atribune.org/downloads/rdrivrem.zip Unzip it to your desktop.
B. Download the free trial version of Ewido Security Suite »www.ewido.net/en/download/
Install Ewido Security Suite. Open Ewido: there should be a big E icon on your desktop, double-click it.
You will need to update Ewido to the latest definition files. On the left hand side of the main screen click *update*. Click on *Start*. The updates download will start and a progress bar will show the updates being installed. After the updates are installed, exit Ewido.
........................
3. Reboot your computer into Safe Mode. How to start the computer in Safe mode: »service1.symantec.com/SUPPORT/ts···_doc_nam
And make sure your PC is configured to show hidden files. How to Show Hidden Files: »www.xtra.co.nz/help/0,,4155-1916458,00.html
4. Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program, then follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.
5. Double-click the Ewido Security Suite icon to run the program. Click on *scanner*. Click *Complete System Scan*. Wait for the program to scan the machine; this could take a little while. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report, save the report to your desktop, and exit Ewido.
6. Go to Start / Run and type in the box: cleanmgr. Windows will scan your system for files to delete to free up disk space. When finished it will present a list of files to delete. Make sure these three are checkmarked and press *ok*:
Temporary Files
Temporary Internet Files
Recycle Bin
7. Open HijackThis. Choose *Do a system scan only*.
Place a check next to the following items, if found, and click FIX CHECKED:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [time] time.exe
O4 - HKLM\..\RunServices: [time] time.exe
O4 - HKCU\..\Run: [time] time.exe
O23 - Service: Msdebugsrv1 (Msdebugsrv) - Unknown owner - C:\WINNT\dbg32hlp.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\System32\Rpcmon.exe (file missing)
Don't forget to press the *fix checked* button, then close HiJackThis.
......................
8. Delete these files (if found):
C:\WINNT\dbg32hlp.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\System32\Rpcmon.exe
9. Search for this file: time.exe --- rename to time.old. If found, rename it by changing the extension to .old instead of .exe so it can't run, then please get it scanned at the site listed in the next step after you get back into normal mode.
10. Reboot your computer into normal mode.
11. Scan the file you renamed above to time.old at this site: Jotti Malware Scan »virusscan.jotti.org/
or here:
Virus Total »www.virustotal.com/
Copy and paste the results of the scan back here, please.
12. Make sure your firewall is on. Make sure you can turn it off and then turn it back on, and that nothing is greyed out. Also, make sure your Anti-Virus program is working properly: you can turn auto-protect on and off, etc.
13. Run BOTH of these online virus scans (NOT at the same time!): »www.pandasoftware.com/products/a···scan.htm
»housecall.trendmicro.com/ - check "Auto Clean"
14. Save the results from ActiveScan.
15. I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic. (Also the scan logs from Jotti Malware or Virus Total)
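A small triage script for a HijackThis log, added here as an example and not part of the thread, of HijackThis, or of CalamityJane's fix: it applies the same reasoning the fix list in step 7 uses (a bare executable name wired into several autostart keys, O23 services with no vendor recorded or whose file is missing) to a few constructed sample lines modelled on the log above. The regexes and the "top-level folder" heuristic are this example's own assumptions, not HijackThis rules.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of HijackThis lines modelled on the log posted
# in this thread (the bare "time.exe" autostarts and the "Unknown owner" /
# "(file missing)" services that the cleanup steps tell the poster to fix).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [time] time.exe
O4 - HKLM\..\RunServices: [time] time.exe
O4 - HKCU\..\Run: [time] time.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Msdebugsrv1 (Msdebugsrv) - Unknown owner - C:\WINNT\dbg32hlp.exe
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
"""

# O4: autostart entries under HKLM/HKCU ...\Run, RunServices, RunOnce
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# O23: "Service: <display name> - <vendor> - <binary path>[ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")
# A binary directly under a top-level folder such as C:\WINNT (not System32)
TOPLEVEL_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+$", re.I)


def triage(log_text):
    """Return (item, reason) pairs for HJT entries that deserve a closer look.

    item is the service display name for O23 lines and the bare executable
    name for O4 lines. Nothing here proves malice; it only orders the review.
    """
    findings = []
    bare_autostarts = defaultdict(list)  # exe name -> autostart keys using it
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, _label, command = m.groups()
            # crude tokenisation: first whitespace-separated token is the binary
            exe = command.split()[0].strip('"') if command else ""
            if exe and "\\" not in exe:  # no directory given: location unverifiable
                bare_autostarts[exe.lower()].append(f"{hive}\\..\\{key}")
            continue
        m = O23_RE.match(line)
        if m:
            name, vendor, path, missing = m.groups()
            reasons = []
            if vendor.lower() == "unknown owner":
                reasons.append("no vendor recorded for the service binary")
            if missing:
                reasons.append("service still registered but its file no longer exists")
            elif TOPLEVEL_RE.match(path):
                reasons.append("binary sits directly in a top-level folder such as C:\\WINNT")
            if reasons:
                findings.append((name, "; ".join(reasons)))
    for exe, keys in bare_autostarts.items():
        if len(keys) > 1:  # same bare name wired into several autostart keys
            findings.append((exe, f"bare executable name registered under "
                                  f"{len(keys)} autostart keys: {', '.join(keys)}"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item}: {reason}")
```

Entries with a recorded vendor and a full path (DefWatch, vptray) and a bare name that appears only once (tp4mon.exe) are left alone, which matches what the fix list above does and does not touch.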
paulp757 (join:2005-10-22 Maywood, NJ)
Re: HJT Log...need trojan fix
Calamity Jane,
Thank you for taking the time to research and reply with such a comprehensive and thorough post. Fortunately, I have very little sensitive/personal information on this particular computer.
I will reformat and reinstall the OS (Windows 2000) as you recommend. It should be too much of a hassle as I only used this computer, a laptop, for accessing the Internet and picking up email while on the road.
I run Symantec AV, Spybot and Lavasoft's AdAware. Do you have any other security software recommendations that I should consider installing (once I reformat and reinstall the OS) to help avoid a repeat?
Again, I deeply appreciate your assistance.
Regards,
Paul

CalamityJane (Premium, VIP, MVM; join:2002-08-27 Eustis, FL)
Re: HJT Log...need trojan fix
Hello Paul,
Glad to hear that's a limited use PC.
Make sure all your security software is up to date. Get the most current versions of Adaware and Spybot and, of course, update your AV frequently.
Watch out for IMs in chat programs that come out of the blue with a link for you to click! And beware links in email you didn't expect, and do watch what you download (sounds like you don't do much downloading on that computer though). Some additional tips are here: »Security »How do I prevent browser hijacks and spyware?
Some extensive security precautions here: »Security »How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach:
Keep Windows Up to Date with the latest critical security updates (they come out once a month, usually on the second Tuesday of each month).
Microsoft's MBSA is a handy free tool to check the overall security of your PC; I highly recommend it: Microsoft Baseline Security Analyzer (MBSA) from Microsoft, to analyze your PC security for prevention purposes.
MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE browser security settings. Get the download here: Microsoft Baseline Security Analyzer »www.microsoft.com/technet/securi···ome.mspx Choose MBSAsetup-EN.msi (English Version) or the language appropriate for you.
paulp757 (join:2005-10-22 Maywood, NJ)
Re: HJT Log...need trojan fix
Calamity Jane,
New OS installed (upgraded to XP Pro) and working great. Installation of security software in progress.
Thanks again.
Paul

paulp757 (join:2005-10-22 Maywood, NJ)
Re: HJT Log...need trojan fix
Calamity Jane,
After installing all MS Windows XP (critical) Security Updates, including SP2, the computer is running MUCH slower...3 minutes to boot up and slow to open programs, particularly Internet Explorer.
Start-up services: tp4mon, avgcc, gcasServ, msmsgs...that's it.
As already mentioned, prior to installing MS Windows updates, the system was running great.
System Specifics: Dell Latitude LS, Intel Pent III 398 MHz, 128 RAM (not ideal, I know).
Spybot S&D, MS AntiSpyware and AVG all show nothing.
The HJT log file follows...any thoughts?
Logfile of HijackThis v1.99.1
Scan saved at 10:16:43 AM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/microsoftup···80887460
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »update.microsoft.com/microsoftup···80869043
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
CalamityJane (Premium, VIP, MVM; join:2002-08-27 Eustis, FL)
Re: HJT Log...need trojan fix
Oh dear. Well, we solved the malware problems, and your HijackThis log is clean, as expected. I would suggest you start a new topic on the problems after SP2 in the Microsoft Help forum here: »Microsoft Help
I would also suggest this help line from MS. Microsoft also has a free support service regarding difficulties with Security updates (such as SP2) for home users.
1-866-PCSAFETY or 1-866-727-2338 This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.
For support outside the United States and Canada, please contact your Microsoft Help and Support worldwide.

paulp757 (join:2005-10-22 Maywood, NJ)
Re: HJT Log...need trojan fix
Thanks CJ. I wanted to ensure the malware problem was completely resolved. I'll follow through on the slowdown as you suggest.
Regards,
Paul

CalamityJane (Premium, VIP, MVM; join:2002-08-27 Eustis, FL)
Re: HJT Log...need trojan fix
Yes, the malware problem is resolved...so it's down to a problem with the updates. Good luck! Let us know how you make out.

paulp757 (join:2005-10-22 Maywood, NJ)
Re: HJT Log...need trojan fix
LoPhatPhuud,
I understand. The slow operating speed is more disconcerting than the extended boot-up time. The security updates really slowed it down.
Thanks.
Paul