Author Topic: Trojan in my comp... and I can't delete it >.<  (Read 9462 times)


Zorro123

  • Guest
Trojan in my comp... and I can't delete it >.<
« on: August 02, 2005, 04:44:56 PM »
I keep getting this

"A virus Was Found"

and whenever I hit delete the file just reappears. I've tried repairing the file, and I've tried moving it, nothing works. I need help getting rid of this Trojan, it's really messing with my comp.

PLEASE HELP!

Name of the File is rdriv.sys

Located in C:\WINDOWS\system32

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31078
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Trojan in my comp... and I can't delete it >.<
« Reply #1 on: August 02, 2005, 04:51:32 PM »
Visit THIS PAGE and follow the instructions there.

Zorro123

  • Guest
Re: Trojan in my comp... and I can't delete it >.<
« Reply #2 on: August 02, 2005, 08:14:57 PM »
Well, I did what that website said... But I still have a problem...

Win32.Efewe.E is a detection of the open source rootkit FU.

A rootkit is an application that allows an intruder to hide malicious activity on a previously compromised machine. Using a rootkit, an attacker can hide processes, files, registry keys and communication channels.

Win32.Efewe.E hides the attacker's actions by changing data structures in the kernel. This rootkit only functions on Windows NT-based operating systems (i.e. - NT/2000/XP/2003).

Computer Associates have received reports from the wild of this rootkit's driver being used by other malware in order to hide their own processes. Examples of such malware include:

Win32.Petribot

Users should note that this detection most likely indicates further system compromise. Should this detection continue to be triggered even after the offending file is removed (or in other words, the file keeps re-appearing), please contact technical support for additional guidance.


Is there anyone online that knows how to fix this virus... because it keeps appearing on my comp, and even booting safe mode, and running an anti virus... it doesn't show up... so it can't delete the file.

This is really frustrating, I hope someone knows what to do...
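
An added illustration, not part of any post in this thread or of any tool named in it: a toy Python model of why a process hidden by kernel data-structure changes of the kind quoted above drops out of a normal process listing, and how comparing two independent views exposes it. It assumes the process-list unlinking form of that tampering; every class, function, process name and PID here is constructed for the example.

```python
# Toy model (constructed): each process record sits on a circular doubly
# linked "active process" list, and each thread records its owning process.
class Proc:
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = self   # self-linked until inserted

def link(head, proc):
    """Insert proc at the tail of the circular list anchored at head."""
    proc.blink, proc.flink = head.blink, head
    head.blink.flink = proc
    head.blink = proc

def unlink(proc):
    """Model of the tampering: neighbours are re-pointed around proc.
    The record and its threads still exist, so the process keeps running."""
    proc.blink.flink, proc.flink.blink = proc.flink, proc.blink
    proc.flink = proc.blink = proc

def list_view(head):
    """PIDs seen by walking the process list (what a task lister relies on)."""
    pids, cur = set(), head.flink
    while cur is not head:
        pids.add(cur.pid)
        cur = cur.flink
    return pids

def hidden_processes(head, threads):
    """Cross-view diff: owners of live threads that the list walk misses."""
    listed = list_view(head)
    owners = {owner.pid: owner.name for _tid, owner in threads}
    return sorted((pid, name) for pid, name in owners.items()
                  if pid not in listed)

def demo():
    head = Proc(0, "<list head>")
    procs = [Proc(4, "System"), Proc(612, "winlogon.exe"),
             Proc(1480, "sample.exe")]
    for p in procs:
        link(head, p)
    # (thread id, owning process) pairs: the second, independent view
    threads = [(8, procs[0]), (620, procs[1]),
               (1484, procs[2]), (1488, procs[2])]
    before = hidden_processes(head, threads)
    unlink(procs[2])                      # simulate the hiding step
    return before, hidden_processes(head, threads), sorted(list_view(head))

if __name__ == "__main__":
    print(demo())
```

The same idea explains the symptom in this thread: a scanner that only asks the tampered view never sees the hidden object, so detection has to come from a second source the tampering did not touch.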

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trojan in my comp... and I can't delete it >.<
« Reply #3 on: August 02, 2005, 08:23:59 PM »
Is there anyone online that knows how to fix this virus... because it keeps appearing on my comp, and even booting safe mode, and running an anti virus... it doesn't show up... so it can't delete the file.

If you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder. The best way to solve this is to disable System Restore, reboot your machine and then enable it again. After that, run a full avast! scan. System Restore cannot be disabled on Windows 9x.

Enable/Disable System restore on Windows ME: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887
Enable/Disable System restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

Will it help?

Zorro123

  • Guest
Re: Trojan in my comp... and I can't delete it >.<
« Reply #4 on: August 02, 2005, 08:31:44 PM »
System Restore is off....

It did nothing... the virus keeps coming back...

I need a way to kill this problem WITHOUT reformatting...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89349
  • No support PMs thanks
Re: Trojan in my comp... and I can't delete it >.<
« Reply #5 on: August 02, 2005, 10:05:03 PM »
I'm sure that this 'rdriv.sys' has been covered before in the forums.

If this is, as you suspect, a rootkit, then there are tools for detecting rootkits; a Google search for rootkit removal or words to that effect may reveal more than the one I give below.

RootkitRevealer from Sysinternals - http://www.sysinternals.com/utilities/rootkitrevealer.html, this will check if there is in fact a rootkit type virus deeply hidden.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33935
  • malware fighter
Re: Trojan in my comp... and I can't delete it >.<
« Reply #6 on: August 02, 2005, 10:24:36 PM »
Hello Zorro123,

Go to this site: http://www.invisiblethings.org/tools.html and download flister.zip. Run it, and this will discover the rootkit for sure.

polonus

martiniqueeni

  • Guest
Re: Trojan in my comp... and I can't delete it >.<
« Reply #7 on: October 30, 2005, 11:34:22 PM »
We've just encountered this exact same Trojan (WIN32.efewe.E).  None of the ideas mentioned above worked for us.  The flister.zip just flashed on and off.  I couldn't see whether it did anything or not. 

The laptop at issue is at college with one of DBF's sons.  He is using EZArmor (from Computer Associates) along with a host of additional antispyware programs (Spybot, Ad-Aware, Stinger, etc.).  He's on Windows XP.

Has anyone tried the Microsoft Beta antispyware program on this?

Are there any new ideas for removing the Trojan (we know it's there)?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojan in my comp... and I can't delete it >.<
« Reply #8 on: October 30, 2005, 11:40:02 PM »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

martiniqueeni

  • Guest
Re: Trojan in my comp... and I can't delete it >.<
« Reply #9 on: October 31, 2005, 12:41:56 AM »
Thanks.  I've sent the instructions to the college boy. 

Thanks!

Spiritsongs

  • Guest
Re: Trojan in my comp... and I can't delete it >.<
« Reply #10 on: October 31, 2005, 08:42:38 PM »
:) Zorro123:

For this "infection" you should seek assistance on the forums of your antiSPYWARE provider or www.landzdown.com.