Author Topic: rdriv.sys  (Read 21149 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: rdriv.sys
« Reply #15 on: October 07, 2005, 09:14:04 PM »
If it is still there, then you will have to repeat the exercise; once the other elements are removed, that may stop it returning.

An fdisk, format and reinstall is likely to be the final option but that too is or can be a painful operation.

Have you tried the UnHackMe that Polonus gave the link for?
This is one of the only rootkit detectors that is able to actually remove a rootkit infection; however, apparently it doesn't take much modification to create another variant and avoid both detection and removal.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

noahdfear

  • Guest
Re: rdriv.sys
« Reply #16 on: October 07, 2005, 09:38:17 PM »
There is a removal tool/procedure for rdriv.sys

Please download the following programs, but do not run them yet:

*rdrivRem.zip
  • Unzip it to your desktop.
*Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed exit Ewido.
Reboot your computer into Safe Mode.

Open the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen.  After it's complete, rdriv.txt will be created in the rdrivRem folder.

Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds.  Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido


Post back with the contents of rdriv.txt, the Ewido log and a new HijackThis log.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: rdriv.sys
« Reply #17 on: October 07, 2005, 09:47:58 PM »
Nice one!

Could you tell us something about rdriv.sys and what rdrivRem does? (If it's not a trade secret ;))

And also something about www.atribune.org? It looks like a useful site.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

noahdfear

Re: rdriv.sys
« Reply #18 on: October 07, 2005, 10:04:23 PM »
rdriv.sys is part of an SDBot/Esbot infection. Some of the commonly seen associated entries in a HJT log are below.

O23 - Service: iTunes Music Service (iTunesMusic) - Apple - C:\WINDOWS\iTunesMusic.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: Windows Update Service - Unknown owner - C:\WINDOWS\pwnsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\aims.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe

However, you might not see any indications at all, only the AV detection of the file. You will also see this file in a HJT full startup report.

rdrivrem will remove all of the known registry entries and files to date. rdriv.sys is indeed a rootkit, and it's recommended by many to do a complete format and re-install once a system has been compromised by a rootkit. However, I'm not completely convinced that it's necessary. Once the files/regs are removed, it's impossible for it to continue to work, except that it may have allowed other malware to be installed. Making sure a system is free of any other malware should remove any risk the rootkit may have introduced.

www.atribune.org is a site run by fellow malware fighter Atribune, and yes, it's a very useful site. ;)
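The tells noahdfear lists above (a service with no file company string, a binary dropped straight into C:\WINDOWS rather than System32, and a name borrowed from a genuine system component) can be scored mechanically. The following is an added example, not code from the thread or from HijackThis: it takes the O23 lines quoted in the post (plus one constructed benign svchost line as a control) and flags each one. The scoring rules, the lookalike-name list and the benign control line are this example's own assumptions.

```powershell
# Added example: triage HijackThis O23 service lines with the tells described in the post.
# Sample input: the eight lines quoted in the post above, plus a constructed benign control line.
$SampleO23 = @'
O23 - Service: iTunes Music Service (iTunesMusic) - Apple - C:\WINDOWS\iTunesMusic.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: Windows Update Service - Unknown owner - C:\WINDOWS\pwnsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\aims.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe -k netsvcs
'@ -split "`r?`n"

function Test-SuspectO23 {
    param([Parameter(Mandatory)][string]$Line)
    # HJT layout: O23 - Service: <display name> (<short name>) - <file company or "Unknown owner"> - <path>
    if ($Line -notmatch '^O23 - Service: (?<display>.+?) - (?<owner>.+?) - (?<path>.+)$') { return $null }
    $display, $owner, $path = $Matches.display, $Matches.owner, $Matches.path
    $exe  = ($path -split ' -', 2)[0]            # drop svchost-style "-k netsvcs" arguments
    $leaf = ($exe -replace '^.*\\', '').ToLower()
    $reasons = @()
    # Tell 1: no version-info company string in the file
    if ($owner -eq 'Unknown owner') { $reasons += 'no company string in the file' }
    # Tell 2: service binary dropped directly into the Windows directory rather than System32
    if ($exe -match '^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$') { $reasons += 'binary sits directly in %WINDIR%, not System32' }
    # Tell 3: name of a genuine System32 binary, but not living in System32
    if (($leaf -in 'lsass.exe', 'services.exe', 'svchost.exe', 'winlogon.exe') -and ($exe -notmatch '\\System32\\')) {
        $reasons += "borrows the name of a System32 binary ($leaf)"
    }
    # Tell 4: lookalike of a real component (Windows has wkssvc.dll, not wkssvc.exe; svhosts is a svchost typo).
    # Assumed list; extend it from your own logs.
    if ($leaf -in 'wkssvc.exe', 'svhosts.exe', 'svhost.exe') { $reasons += "lookalike of a real component name ($leaf)" }
    [pscustomobject]@{
        Service = $display
        Owner   = $owner
        Path    = $path
        Suspect = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Usage: feed any HJT log through the filter; only the constructed svchost control line comes out clean
$SampleO23 | ForEach-Object { Test-SuspectO23 -Line $_ } | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, a clean O23 list proves little while the rootkit driver is loaded, since it can hide its own service from HJT; compare with the full startup report and, as the thread advises, scan from Safe Mode. Second, an "Unknown owner" entry on its own is not malicious (plenty of legitimate third-party services lack version info), so the path and name tells carry the weight here.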

Offline FreewheelinFrank

Re: rdriv.sys
« Reply #19 on: October 07, 2005, 10:14:31 PM »
Thanks noahdfear!

Is it possible to tackle such malware with either XP's SC command or HijackThis!'s delete an NT Service tool?

Would either of these methods kill the rootkit and allow avast!/Ewido to delete the malware?

As described here:

http://www.bleepingcomputer.com/forums/tutorial42.html

We've seen quite a few of these rootkit infections at the forum and it would be really useful to have some sort of generic method of tackling them.

noahdfear

Re: rdriv.sys
« Reply #20 on: October 07, 2005, 10:37:23 PM »
Yes, both the sc commands and Delete an NT Service methods will work to remove the registry entries. I'm not sure if HJT's Delete on Reboot will work on these rootkits since I've only seen Killbox used. Might be worth a shot though. Once the rootkit is removed, Ewido does effectively remove a lot of malware, although some things still require specialized tools/methods, e.g. Look2Me, Nail, Smitfraud, etc.
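The `sc` route noahdfear confirms above, scripted so that each step's result is checked rather than assumed. This is an added example, not code from the thread, HijackThis or Killbox. The service names and file paths are assumptions taken from the HJT lines quoted earlier in the thread (the rdriv.sys location in particular should be read off `sc qc` output, not guessed); run it from an elevated prompt and, as the thread advises, in Safe Mode.

```powershell
# Added example: remove a bot/rootkit NT service with sc.exe and verify the key is gone,
# then delete its binary, falling back to a delete-at-reboot when the file is locked.

function Remove-SuspectService {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "$Name has no Services key (already removed, or hidden by an active rootkit)"
        return $false
    }
    # Record what the SCM reports first: BINARY_PATH_NAME is the file to delete afterwards
    sc.exe qc $Name | Out-Host
    sc.exe stop $Name | Out-Null      # a kernel driver may refuse to stop; delete still works
    sc.exe delete $Name | Out-Host
    # The key vanishes immediately when nothing holds the service open; otherwise the SCM
    # tags it (DeleteFlag) and removes it at the next boot, so report which case applies
    if (Test-Path -LiteralPath $key) {
        Write-Warning "$Name key still present; marked for deletion at reboot"
        return $false
    }
    return $true
}

function Remove-MalwareFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'absent' }
    # Dropped files are typically read-only + hidden + system; clear that or the delete is refused
    (Get-Item -LiteralPath $Path -Force).Attributes = [IO.FileAttributes]::Normal
    try { Remove-Item -LiteralPath $Path -Force -ErrorAction Stop; return 'deleted' } catch { }
    # Still locked (driver loaded, or a bot process holding the file open): queue the delete for
    # the next boot with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), the Windows facility behind
    # "delete on reboot" tools. The request is recorded under PendingFileRenameOperations.
    if (-not ('Win32.Native' -as [type])) {
        Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
    }
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    if ([Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) { return 'queued for deletion at reboot' }
    throw "MoveFileEx failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
}

# Usage (assumed names): the driver service and one of the bot services from the HJT list.
# Remove the service first, then the file, so nothing restarts it in between.
Remove-SuspectService -Name 'rdriv'
Remove-SuspectService -Name 'winmgmc'
Remove-MalwareFile -Path "$env:WINDIR\System32\rdriv.sys"   # assumed location; use the path sc qc printed
Remove-MalwareFile -Path "$env:WINDIR\winmgc.exe"
```

The ordering matters: deleting the service before the file means the SCM has nothing to start if the machine is rebooted mid-cleanup, and the delete-at-reboot fallback runs before any service starts. The check on the Services key is only meaningful when the rootkit driver is not loaded, which is the point of doing this from Safe Mode; and, as noahdfear notes, removing rdriv.sys does nothing about the other bot components, which is why the Ewido scan follows.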

Offline FreewheelinFrank

Re: rdriv.sys
« Reply #21 on: October 07, 2005, 10:47:15 PM »
Many thanks for this and the msdirectx.sys posting!

noahdfear

Re: rdriv.sys
« Reply #22 on: October 07, 2005, 10:49:29 PM »
You bet!  :)

tachles

  • Guest
Re: rdriv.sys
« Reply #23 on: October 09, 2005, 03:27:11 PM »
noahdfear, thanks for the tips, but I think I have fixed the problem before reading your messages. I'm not really sure how, but I'll try to summarize.

First, in safe mode, I removed a few entries (even too many) with Hijackthis. Then, I found with regedit a suspect "key folder" (what is it called?): "OLE" with a subfolder "Microsoft Intrenet Explorer" (written "re") containing data referring to the infected files (rdriv, msnmsdn and a few others...). I am sorry I have not kept a precise trace, but this is what I remember. I deleted the whole folder, and I guess this is what fixed the problem.

After the next reboots, Avast did not find anything. Ewido then found "only" spyware cookies and TrojanDownloader.Agent.tv (on nt_hide65.dll and xud_65.dll). At the next reboot, both Avast and Ewido did not find anything.

A Google search for "Intrenet Explorer" gives many hits, like postings of hijackthis logs, but it seems that many people overlook the misspelling... My impression is that this rootkit was in fact a family of rootkits, where if a member of the family was killed it was regenerated at the next reboot... is it a common feature of a rootkit?

I guess that rdriv.sys, msnmsdn.exe and maybe "Intrenet Explorer" should be added to the Avast database: who takes care of this? Thanks to everybody.
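The regedit hunt tachles describes (a misspelled "Microsoft Intrenet Explorer" key under OLE whose data points at the dropped files) can be made repeatable. The following is an added example, not code from the thread: it walks a few registry roots and reports any key name or value data mentioning the file names from this thread. The name list, the assumption that "OLE" means HKLM\SOFTWARE\Microsoft\OLE, and the set of roots searched are this example's assumptions; widen `$Roots` to `HKLM:\SOFTWARE` and `HKCU:\SOFTWARE` for a full (slow) sweep.

```powershell
# Added example: scripted search for registry keys and values referencing the thread's file names.
function Find-RegistryReferences {
    param(
        # Assumed search terms: the files named in this thread plus the misspelling tachles spotted
        [string[]]$Names = @('rdriv', 'msnmsdn', 'svhosts', 'Intrenet'),
        # Assumed roots: the OLE key from the post, the usual Run keys, and the service list
        [string[]]$Roots = @('HKLM:\SOFTWARE\Microsoft\OLE',
                             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                             'HKLM:\SYSTEM\CurrentControlSet\Services')
    )
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Include the root itself; Get-ChildItem -Recurse only yields its subkeys
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # A misspelled key name ("Microsoft Intrenet Explorer") is a hit in its own right
            if ($key.PSChildName -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '<key name>'; Data = $key.PSChildName }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)   # REG_MULTI_SZ joins with spaces; binary becomes a byte list
                if ($valueName -match $pattern -or $data -match $pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
                }
            }
        }
    }
}

# Usage: list every hit, then decide per key whether to export it (reg export) and delete it
Find-RegistryReferences | Format-Table -AutoSize
```

Run this from Safe Mode, as tachles did: a loaded rootkit driver can filter what registry reads return, so an empty result with the driver active proves nothing. Export each hit with `reg export` before deleting it, so a mistaken removal of a legitimate key can be undone.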



tachles

Re: rdriv.sys
« Reply #24 on: October 10, 2005, 08:21:34 AM »
It was not finished. There was still a stray svhosts.exe under the Windows directory. It was not detected by Avast (while rdriv.sys was).

The file was read-only, hidden and system, but it could be removed. I still see this file in the registry, but I don't think these entries are dangerous.

Here is what the Kaspersky on-line file scanner says about this file:
Scanned file:   svhosts.exe
svhosts.exe - infected by Backdoor.Win32.Agobot.afk