Author Topic: rdriv.sys  (Read 20995 times)

0 Members and 1 Guest are viewing this topic.

tachles

  • Guest
rdriv.sys
« on: October 06, 2005, 11:14:44 AM »
My machine was rebooting unexpectedly. So I started the avast scanner, which found:
Rbot-akk on the file expl0rer.pif.

This was one was apparently fixed by avast. But then, avast found a Troj-gen on driv.sys. When moving it to the chest, avast was keeping asking what to do with the file... I think because the trojan was installed as a service, so I had to reboot in safe mode and remove all occurrencies in the registry. I found also entries with ssprotecter, which is bad.

The trojan is also known as TROJ_ROTKIT.E by Trend Micro.

Now, I am running again the scanner, not sure the machine is clean though.

I have: Win 2000 SP4, Avast 4.6, VPS 0540-3 6-10-2005.

tachles

  • Guest
Re: rdriv.sys
« Reply #1 on: October 06, 2005, 11:28:10 AM »
No! Now avast says:
"The process cannot access the file because it is being used by another process"
D:\WINNT\system32\rdriv.sys

!!!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: rdriv.sys
« Reply #2 on: October 06, 2005, 11:41:41 AM »
You have a rootkit running as a Windows service. You will have to disable the service before you can remove the malware. avast! cannot do this for you. Pleas see these threads:

http://forum.avast.com/index.php?topic=16580.0

http://forum.avast.com/index.php?topic=14618.0
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

tachles

  • Guest
Re: rdriv.sys
« Reply #3 on: October 06, 2005, 04:44:37 PM »
I have done a reboot scan as described by one of your links, I have removed rdriv.sys with regedit... Nothing to do: it keeps coming back!!! Also another file under system32 is suspect:
msnmsdn.exe (registry name: MsnAutostart).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88736
  • No support PMs thanks
Re: rdriv.sys
« Reply #4 on: October 06, 2005, 05:58:01 PM »
It will keep coming back unless you follow the instructions fully. Print out the threads so you can follow the relevant points step by step when you are off-line.

Start here because that is where the main actions start.
http://forum.avast.com/index.php?topic=16580.msg141543#msg141543
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

tachles

  • Guest
Re: rdriv.sys
« Reply #5 on: October 07, 2005, 10:37:11 AM »
I read the thread. Tried:
1) uninstalled rdriv in the device manager
2) in safe mode manually deleted from system32
3) in safe mode manually deleted from registry

It is still there. Also the TrendMicro online scan claims it has removed it, but it keeps coming back...  :o  :(  >:( What's the bottom line here?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88736
  • No support PMs thanks
Re: rdriv.sys
« Reply #6 on: October 07, 2005, 02:33:13 PM »
I don't see any reference to having run hijackthis, these rootkits don't just come as a single file there is often other elements to ensure that it is restored.

The problem is the nature of rootkit infections they are able to hide below system level to hide processes, which could in theory restore the file.
http://forum.avast.com/index.php?topic=16580.msg141670#msg141670

Have you done a google search on rdriv.sys there is lots of hits on it and one that would appear relevant indicates "Added by the W32.Spybot.NLX worm. This is the rootkit element of this infection." Which is exploiting vulnerabilities long ago patched by MS so you need to ensure your OS is updated.
http://www.bleepingcomputer.com/startups/rdriv.sys-8753.html
Follow that on to the information about the W32.Spybot.NLX worm.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33866
  • malware fighter
Re: rdriv.sys
« Reply #7 on: October 07, 2005, 02:37:31 PM »
Hi tachles,

This is a program to have a go at these rootkits,
download the full working evaluation version here:
http://greatis.com/unhackme/download.htm.

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

tachles

  • Guest
Re: rdriv.sys
« Reply #8 on: October 07, 2005, 06:02:45 PM »
DavidR, I cannot post from the infected machine. Anyway, the first run of hijackthis found 'svhosts' which is known to be 'undesirable' by bleepingcomputer. It was not enough to remove it: the rootkit was still there... The next suspect entry looks like this:
04 - HKLM\..\RunServices: [MsnAutostart] msnmsdn.exe

But msnmsdn is not listed by bleepingcomputer.

Polonus, next step should be to to go to greatis.

Thanks.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: rdriv.sys
« Reply #9 on: October 07, 2005, 07:00:49 PM »
Hi tachles,

Areyou sure you have the name right? Could it be MSNMSGR.EXE?

Even if the name is right, it's almost certainly malware, as it doesn't come up on Google, and an unknown service is highly suspect.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.KX&VSect=T

Could you post your full HijackThis! log? The 023 entries at the end are especially important. Then we can offer you better advice.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

tachles

  • Guest
Re: rdriv.sys
« Reply #10 on: October 07, 2005, 07:13:34 PM »
The name is msnmsdn.exe. There is only 1 hit with google on this name, and it's an old page. I'm going to delete it now.

Here is the end of the log:
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Host Services - Unknown owner - D:\WINNT\svhosts.exe
O23 - Service: Iomega App Services - Unknown owner - D:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINNT\System32\mgabg.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated - D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - D:\Program Files\T-DSL SpeedManager\tsmsvc.exe

tachles

  • Guest
Re: rdriv.sys
« Reply #11 on: October 07, 2005, 07:20:08 PM »
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - D:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] D:\Program Files\Iomega HotBurn\Autolaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [OpwareSE2] D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MsnAutostart] msnmsdn.exe
O4 - HKLM\..\RunServices: [MsnAutostart] msnmsdn.exe
O8 - Extra context menu item: &WordWeb... - res://D:\WINNT\wweb32.dll/lookup.html

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88736
  • No support PMs thanks
Re: rdriv.sys
« Reply #12 on: October 07, 2005, 07:25:26 PM »
I would fix this in HJT, it does backup stuff that it will remove so it can be restored (check and ensure this default action is still set).

O23 - Service: Host Services - Unknown owner - D:\WINNT\svhosts.exe

Are you running two AVs as indicated by this entry, it often causes conflict and doesn't provide twice the protection?
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated - D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

The others you will have to check (ignore the entries for avast obviously) are they programs that you have installed or do they relate to hardware that you installed, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88736
  • No support PMs thanks
Re: rdriv.sys
« Reply #13 on: October 07, 2005, 07:39:00 PM »
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - D:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MsnAutostart] msnmsdn.exe
O4 - HKLM\..\RunServices: [MsnAutostart] msnmsdn.exe

Assuming that you know the BHO iFinger then no problem?
Do you use the extra toolbar for windows media player?
You don't need really need Quicktime or winamp to start at boot-up, they will start automatically according to the file associations for them when you click on a media file link.

The two entries for msnmsdn.exe should be fixed in HJT and the service will also need to be disabled. The fact that there is only one hit on google is suspicious as if it were anything to do with microsoft msn or msdn there would be lots of hits. Th single hit on google isn't old 22/9/2005 you can click the translate this page to the right of the google hit (not that there is much of use, but the google translate is handy for the future).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

tachles

  • Guest
Re: rdriv.sys
« Reply #14 on: October 07, 2005, 07:45:44 PM »
Removed svhosts and msnmsdn, but rdriv.sys is still there!!!

I had disabled PC-Cillin, but apparently this does not stop the service. I'll try to do more clean-up. iFinger is not a problem.

I am curious to solve this, but I think in this case it would be easier to reinstall w2k... this installation is pretty old.