Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't delete "rdriv.sys"... (trojan) [RESOLVED]

Started by skatou , Aug 06 2005 02:56 AM

  • This topic is locked This topic is locked

#1
skatou
Posted 06 August 2005 - 02:56 AM

skatou

    New Member

  • Member
  • Pip
  • 6 posts
Hi, I can't delete this [bleep]ing "rdriv.sys"... my antivirus (AVG) cant delete it. I watched a lot of others topic, but it don't work (probably because they are others programs infected... i'm noob @ deleting virus!)

Logfile of HijackThis v1.99.1
Scan saved at 10:40:46, on 06/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\MessengerPlus! 3\MsgPlus.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\DOCUMENTS AND SETTINGS\ADRIEN\BUREAU\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Configuration Loader - Unknown owner - F:\WINDOWS\svchost.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe

Thanks you! (I'm not english, so i speak it very bad :tazz:)
  • 0

Advertisements

#2
Trevuren
Posted 06 August 2005 - 11:25 AM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi skatoo and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren
  • 0

#3
skatou
Posted 06 August 2005 - 02:31 PM

skatou

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 22:31:17, on 06/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\MessengerPlus! 3\MsgPlus.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\ewido\security suite\ewidoguard.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Configuration Loader - Unknown owner - F:\WINDOWS\svchost.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe

Have fun :tazz:
TA!
  • 0

#4
Trevuren
Posted 06 August 2005 - 02:44 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode
    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    F:\WINDOWS\web<===Folder

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren
  • 0

#5
skatou
Posted 06 August 2005 - 03:10 PM

skatou

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 23:08:49, on 06/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\MessengerPlus! 3\MsgPlus.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\ewido\security suite\ewidoguard.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
F:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
F:\Program Files\Hijackthis\HijackThis.exe
F:\WINDOWS\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Configuration Loader - Unknown owner - F:\WINDOWS\svchost.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe

(as you can see, the virus isn't deleted yet :tazz:)
HF! and.. a big thanks if u can help me deleting this shite!
  • 0

#6
Trevuren
Posted 06 August 2005 - 05:18 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download/update the following programs, but do not run them yet:

* rdrivRem.zip
  • Unzip it to your desktop.
* Update Ewido Security Suite
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed exit Ewido.
* CleanUp!
  • Install it.
* Killbox by Option^Explicit
  • Save it to your desktop.
Save the following to a Notepad file and name it Killbox_items. This is the Notepad text that we will need later on.

F:\WINDOWS\svchost.exe
==============================

We want to stop and disable an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>Windows Configuration Loader
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.
===================================

We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste Windows Configuration Loader in the space provided and click OK

4. The program will ask you to REBOOT --- Accept



Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

4.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O23 - Service: Windows Configuration Loader - Unknown owner - F:\WINDOWS\svchost.exe

Close HiJackThis.

5.) Run Killbox.exe.

* Select "Delete on Reboot".

* Open the notepad you saved earlier. Press CTRL + A to select all file paths in the notepad, then press CTRL + C which will copy all of them to the clipboard.

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After computer has restarted continue with the rest of the instructions:

6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic. :tazz:


Regards,

Trevuren
  • 0

#7
skatou
Posted 07 August 2005 - 06:26 AM

skatou

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

___________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 13:21:33, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\avgfwafu.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - F:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe

___________________________________________________________________

---------------------------------------------------------
ewido security suite - Rapport de scan
---------------------------------------------------------

+ Créé le: 13:06:06, 07/08/2005
+ Somme de contrôle: A9EFBE8B

+ Résultats du scan:

C:\Program Files\Kazaa\TopSearch.dll -> Spyware.Altnet : Nettoyer et sauvegarder
:mozilla.9:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Doubleclick : Nettoyer et sauvegarder
:mozilla.23:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Mediaplex : Nettoyer et sauvegarder
:mozilla.24:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Bluestreak : Nettoyer et sauvegarder
:mozilla.25:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Adtech : Nettoyer et sauvegarder
:mozilla.26:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Adtech : Nettoyer et sauvegarder
:mozilla.29:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Smartadserver : Nettoyer et sauvegarder
:mozilla.30:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Smartadserver : Nettoyer et sauvegarder
:mozilla.31:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Smartadserver : Nettoyer et sauvegarder
:mozilla.32:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Smartadserver : Nettoyer et sauvegarder
:mozilla.33:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Smartadserver : Nettoyer et sauvegarder
:mozilla.41:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Googleadservices : Nettoyer et sauvegarder
:mozilla.44:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Weborama : Nettoyer et sauvegarder
:mozilla.45:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Weborama : Nettoyer et sauvegarder
:mozilla.46:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Weborama : Nettoyer et sauvegarder
:mozilla.47:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Weborama : Nettoyer et sauvegarder
:mozilla.50:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Nettoyer et sauvegarder
:mozilla.51:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Sexcounter : Nettoyer et sauvegarder
:mozilla.52:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Sexcounter : Nettoyer et sauvegarder
:mozilla.53:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Serving-sys : Nettoyer et sauvegarder
:mozilla.54:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Serving-sys : Nettoyer et sauvegarder
:mozilla.55:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Serving-sys : Nettoyer et sauvegarder
:mozilla.56:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Serving-sys : Nettoyer et sauvegarder
:mozilla.57:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Serving-sys : Nettoyer et sauvegarder
:mozilla.75:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Nettoyer et sauvegarder
:mozilla.76:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Nettoyer et sauvegarder
:mozilla.77:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Nettoyer et sauvegarder
:mozilla.78:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Nettoyer et sauvegarder
:mozilla.79:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Nettoyer et sauvegarder
:mozilla.101:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
:mozilla.102:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
:mozilla.103:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
:mozilla.104:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
:mozilla.105:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Nettoyer et sauvegarder
:mozilla.106:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Casalemedia : Nettoyer et sauvegarder
:mozilla.107:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Casalemedia : Nettoyer et sauvegarder
:mozilla.108:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Casalemedia : Nettoyer et sauvegarder
:mozilla.116:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Valueclick : Nettoyer et sauvegarder
:mozilla.122:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Advertising : Nettoyer et sauvegarder
:mozilla.123:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Pointroll : Nettoyer et sauvegarder
:mozilla.124:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Pointroll : Nettoyer et sauvegarder
:mozilla.125:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Pointroll : Nettoyer et sauvegarder
:mozilla.126:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Pointroll : Nettoyer et sauvegarder
:mozilla.133:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Atdmt : Nettoyer et sauvegarder
:mozilla.134:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Advertising : Nettoyer et sauvegarder
:mozilla.135:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Advertising : Nettoyer et sauvegarder
:mozilla.136:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.Advertising : Nettoyer et sauvegarder
:mozilla.141:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.2o7 : Nettoyer et sauvegarder
:mozilla.142:F:\Documents and Settings\Adrien\Application Data\Mozilla\Firefox\Profiles\17dcxt7o.default\cookies.txt -> Spyware.Cookie.2o7 : Nettoyer et sauvegarder
F:\Documents and Settings\Adrien\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Nettoyer et sauvegarder
F:\Documents and Settings\Adrien\Cookies\adrien@advertising[1].txt -> Spyware.Cookie.Advertising : Nettoyer et sauvegarder
F:\Documents and Settings\Adrien\Cookies\adrien@atdmt[2].txt -> Spyware.Cookie.Atdmt : Nettoyer et sauvegarder
F:\Documents and Settings\Adrien\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Nettoyer et sauvegarder
F:\Documents and Settings\Adrien\Cookies\adrien@weborama[2].txt -> Spyware.Cookie.Weborama : Nettoyer et sauvegarder
F:\Documents and Settings\Adrien\Cookies\[email protected][2].txt -> Spyware.Cookie.Smartadserver : Nettoyer et sauvegarder
F:\Documents and Settings\Gérald\Cookies\gérald@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Nettoyer et sauvegarder
F:\Documents and Settings\Gérald\Cookies\gé[email protected][1].txt -> Spyware.Cookie.Smartadserver : Nettoyer et sauvegarder


::Fin du rapport

_________________________________________________________


Incident Status Location

Hacktool:HackTool/Flood No disinfected C:\Adrien\EmpScripT3\script\nHTMLn.dll
Hacktool:HackTool/Flood No disinfected C:\Adrien\EmpScripT3.11.exe[nHTMLn.dll]
Hacktool:HackTool/Flood No disinfected C:\Adrien\mIRC\EmpScripT3\script\nHTMLn.dll
Hacktool:HackTool/Flood No disinfected C:\Program Files\Empereur Script 3\EmpScripT3\script\nHTMLn.dll
Hacktool:HackTool/Flood No disinfected C:\Program Files\Save\EmpScripT3.12.exe[nHTMLn.dll]
Hacktool:HackTool/Flood No disinfected F:\Adrien\Empereur Script 3\EmpScripT3\script\nHTMLn.dll
Adware:adware/yyqu No disinfected F:\WINDOWS\smss.exe
Virus:W32/Sdbot.ftp Disinfected F:\WINDOWS\system32\i

:tazz: rdriv has been deleted i think! ;)
  • 0

#8
Trevuren
Posted 07 August 2005 - 09:34 AM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren
  • 0

#9
skatou
Posted 07 August 2005 - 12:05 PM

skatou

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Aye, we can start the final procedure ;)
:tazz:
  • 0

#10
Trevuren
Posted 07 August 2005 - 12:23 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

2. Cleanup the leftovers. Download CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren
  • 0

#11
skatou
Posted 07 August 2005 - 01:27 PM

skatou

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you very much... and good luck! (added your forum in my favorite <3)
  • 0

#12
Trevuren
Posted 07 August 2005 - 01:54 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP