Author Topic: rdriv.sys  (Read 21540 times)


tachles

  • Guest
rdriv.sys
« on: October 06, 2005, 11:14:44 AM »
My machine was rebooting unexpectedly. So I started the avast scanner, which found:
Rbot-akk on the file expl0rer.pif.

This one was apparently fixed by avast. But then avast found a Troj-gen on rdriv.sys. When moving it to the chest, avast kept asking what to do with the file... I think because the trojan was installed as a service, so I had to reboot in safe mode and remove all occurrences in the registry. I also found entries with ssprotecter, which is bad.

The trojan is also known as TROJ_ROTKIT.E by Trend Micro.

Now I am running the scanner again, though I am not sure the machine is clean.

I have: Win 2000 SP4, Avast 4.6, VPS 0540-3 6-10-2005.

tachles
Re: rdriv.sys
« Reply #1 on: October 06, 2005, 11:28:10 AM »
No! Now avast says:
"The process cannot access the file because it is being used by another process"
D:\WINNT\system32\rdriv.sys

!!!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: rdriv.sys
« Reply #2 on: October 06, 2005, 11:41:41 AM »
You have a rootkit running as a Windows service. You will have to disable the service before you can remove the malware. avast! cannot do this for you. Please see these threads:

http://forum.avast.com/index.php?topic=16580.0

http://forum.avast.com/index.php?topic=14618.0
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

tachles
Re: rdriv.sys
« Reply #3 on: October 06, 2005, 04:44:37 PM »
I have done a reboot scan as described by one of your links, I have removed rdriv.sys with regedit... Nothing to do: it keeps coming back!!! Also another file under system32 is suspect:
msnmsdn.exe (registry name: MsnAutostart).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89585
  • No support PMs thanks
Re: rdriv.sys
« Reply #4 on: October 06, 2005, 05:58:01 PM »
It will keep coming back unless you follow the instructions fully. Print out the threads so you can follow the relevant points step by step when you are off-line.

Start here because that is where the main actions start.
http://forum.avast.com/index.php?topic=16580.msg141543#msg141543
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

tachles
Re: rdriv.sys
« Reply #5 on: October 07, 2005, 10:37:11 AM »
I read the thread. Tried:
1) uninstalled rdriv in the device manager
2) in safe mode manually deleted from system32
3) in safe mode manually deleted from registry

It is still there. Also the TrendMicro online scan claims it has removed it, but it keeps coming back...  :o  :(  >:( What's the bottom line here?

DavidR
Re: rdriv.sys
« Reply #6 on: October 07, 2005, 02:33:13 PM »
I don't see any reference to having run HijackThis; these rootkits don't just come as a single file, there are often other elements to ensure that it is restored.

The problem is the nature of rootkit infections: they are able to hide below system level, hiding processes which could in theory restore the file.
http://forum.avast.com/index.php?topic=16580.msg141670#msg141670

Have you done a Google search on rdriv.sys? There are lots of hits on it, and one that would appear relevant indicates "Added by the W32.Spybot.NLX worm. This is the rootkit element of this infection." This is exploiting vulnerabilities long ago patched by MS, so you need to ensure your OS is updated.
http://www.bleepingcomputer.com/startups/rdriv.sys-8753.html
Follow that on to the information about the W32.Spybot.NLX worm.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34022
  • malware fighter
Re: rdriv.sys
« Reply #7 on: October 07, 2005, 02:37:31 PM »
Hi tachles,

This is a program to have a go at these rootkits,
download the full working evaluation version here:
http://greatis.com/unhackme/download.htm.

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

tachles
Re: rdriv.sys
« Reply #8 on: October 07, 2005, 06:02:45 PM »
DavidR, I cannot post from the infected machine. Anyway, the first run of hijackthis found 'svhosts' which is known to be 'undesirable' by bleepingcomputer. It was not enough to remove it: the rootkit was still there... The next suspect entry looks like this:
O4 - HKLM\..\RunServices: [MsnAutostart] msnmsdn.exe

But msnmsdn is not listed by bleepingcomputer.

Polonus, the next step should be to go to greatis.

Thanks.

FreewheelinFrank
Re: rdriv.sys
« Reply #9 on: October 07, 2005, 07:00:49 PM »
Hi tachles,

Are you sure you have the name right? Could it be MSNMSGR.EXE?

Even if the name is right, it's almost certainly malware, as it doesn't come up on Google, and an unknown service is highly suspect.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.KX&VSect=T

Could you post your full HijackThis! log? The O23 entries at the end are especially important. Then we can offer you better advice.

tachles
Re: rdriv.sys
« Reply #10 on: October 07, 2005, 07:13:34 PM »
The name is msnmsdn.exe. There is only 1 hit with google on this name, and it's an old page. I'm going to delete it now.

Here is the end of the log:
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Host Services - Unknown owner - D:\WINNT\svhosts.exe
O23 - Service: Iomega App Services - Unknown owner - D:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINNT\System32\mgabg.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated - D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - D:\Program Files\T-DSL SpeedManager\tsmsvc.exe

tachles
Re: rdriv.sys
« Reply #11 on: October 07, 2005, 07:20:08 PM »
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - D:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] D:\Program Files\Iomega HotBurn\Autolaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [OpwareSE2] D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MsnAutostart] msnmsdn.exe
O4 - HKLM\..\RunServices: [MsnAutostart] msnmsdn.exe
O8 - Extra context menu item: &WordWeb... - res://D:\WINNT\wweb32.dll/lookup.html

DavidR
Re: rdriv.sys
« Reply #12 on: October 07, 2005, 07:25:26 PM »
I would fix this in HJT; it backs up what it removes so it can be restored (check and ensure this default action is still set).

O23 - Service: Host Services - Unknown owner - D:\WINNT\svhosts.exe

Are you running two AVs, as indicated by this entry? It often causes conflicts and doesn't provide twice the protection.
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated - D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

The others you will have to check (ignoring the entries for avast, obviously): are they programs that you have installed, or do they relate to hardware that you installed, etc.?

DavidR
Re: rdriv.sys
« Reply #13 on: October 07, 2005, 07:39:00 PM »
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - D:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MsnAutostart] msnmsdn.exe
O4 - HKLM\..\RunServices: [MsnAutostart] msnmsdn.exe

Assuming that you know the BHO iFinger then no problem?
Do you use the extra toolbar for windows media player?
You don't really need QuickTime or Winamp to start at boot-up; they will start automatically according to the file associations for them when you click on a media file link.

The two entries for msnmsdn.exe should be fixed in HJT, and the service will also need to be disabled. The fact that there is only one hit on Google is suspicious: if it were anything to do with Microsoft MSN or MSDN there would be lots of hits. The single hit on Google isn't old (22/9/2005); you can click "translate this page" to the right of the Google hit (not that there is much of use, but Google translate is handy for the future).
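The two replies above pick the suspicious O23 and O4 entries out of the log by eye: a service binary sitting in D:\WINNT under an "Unknown owner" with a name one letter away from svchost.exe, a Run/RunServices entry with no path at all, and entries whose file is missing. The script below is an added example, not code from this thread or from HijackThis, that applies the same checks mechanically to HijackThis-style O4 and O23 lines. The sample lines are copied from the log posted above, plus one constructed O4 line for the expl0rer.pif file named in the first post; the list of well-known binary names, the 0.8 similarity threshold and the length rule in lookalike() are my assumptions and can be tuned.

```python
"""Triage HijackThis-style O4 (Run keys) and O23 (services) log lines."""
import re
from difflib import SequenceMatcher

# Constructed sample: O4/O23 lines copied from the log posted in this thread,
# plus one made-up O4 line for the expl0rer.pif file mentioned in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MsnAutostart] msnmsdn.exe
O4 - HKLM\..\RunServices: [MsnAutostart] msnmsdn.exe
O4 - HKLM\..\Run: [expl0rer] expl0rer.pif
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Host Services - Unknown owner - D:\WINNT\svhosts.exe
O23 - Service: Iomega App Services - Unknown owner - D:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
"""

# Well-known binary names that malware likes to imitate (assumed list, not from the thread).
KNOWN_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
               "winlogon.exe", "explorer.exe", "spoolsv.exe", "msnmsgr.exe")

O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First token that ends in a program extension, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|sys|dll|ocx|pif|com|bat|scr))"?(?:\s|$)', re.I)

# Digit-for-letter swaps such as expl0rer, l for 1, 3 for e, 5 for s.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def executable(cmd):
    """Return the program path from a command string, or None if unparsable."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def lookalike(filename):
    """Return the well-known binary this filename imitates, or None."""
    name = filename.lower()
    if name in KNOWN_NAMES:
        return None                      # the genuine name is not a lookalike
    normalized_stem = name.translate(DIGIT_SWAPS).rsplit(".", 1)[0]
    best, best_ratio = None, 0.0
    for known in KNOWN_NAMES:
        if normalized_stem == known.rsplit(".", 1)[0]:
            return known                 # e.g. expl0rer.pif -> explorer.exe
        if abs(len(name) - len(known)) > 2:
            continue                     # imitations keep roughly the same length
        ratio = SequenceMatcher(None, name, known).ratio()
        if ratio >= 0.8 and ratio > best_ratio:
            best, best_ratio = known, ratio   # e.g. svhosts.exe -> svchost.exe
    return best


def assess(path, missing=False):
    """Return the reasons a start-up entry deserves a closer look (empty if none)."""
    reasons = []
    parts = path.replace("/", "\\").lower().split("\\")
    filename = parts[-1]
    if len(parts) == 1:
        reasons.append("no directory given, location cannot be verified")
    elif parts[-2] in ("winnt", "windows"):
        reasons.append("lives directly in the Windows directory, not System32")
    if missing:
        reasons.append("file missing")
    mimic = lookalike(filename)
    if mimic:
        reasons.append(f"name resembles {mimic}")
    return reasons


def triage(log_text):
    """Parse O4/O23 lines and return {executable path: [reasons]} for flagged entries."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        path = executable(cmd)
        if path is None:
            continue
        for reason in assess(path, missing=cmd.endswith("(file missing)")):
            findings.setdefault(path, [])
            if reason not in findings[path]:   # Run and RunServices repeat the same entry
                findings[path].append(reason)
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path} -> {'; '.join(reasons)}")
```

Entries that the script leaves alone (dmadmin.exe in System32 with a named vendor, the avast binaries) still have to be checked by hand the way DavidR describes; the point of the script is to make the typo-squatted name and the path-less RunServices entry impossible to overlook in a long log, not to declare anything clean.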

tachles
Re: rdriv.sys
« Reply #14 on: October 07, 2005, 07:45:44 PM »
Removed svhosts and msnmsdn, but rdriv.sys is still there!!!

I had disabled PC-Cillin, but apparently this does not stop the service. I'll try to do more clean-up. iFinger is not a problem.

I am curious to solve this, but I think in this case it would be easier to reinstall w2k... this installation is pretty old.