Troj_rootkit.e
#1
Renegade (Member)
Hello

A couple of days ago I checked my computer for viruses and found this really annoying thing (I scanned my computer with the online service at www.trendmicro.com).

I have tried deleting it with the online service, and when that didn't work I tried a manual removal as they suggest on their website...nothing worked.

I hope that you can help me out here.

I'm sending you my HijackThis logfile:

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program\Internet Explorer\iexplore.exe
D:\The Law\Installationsfiler\Virusprogram\Ny mapp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1142439737500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142440512375
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F3FE8C-1CDA-4FE9-99DC-EE3C4DB62D3D}: NameServer = 193.11.224.20,193.11.224.21
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


I also wonder if you get rid of this problem by formatting the whole hard drive? I formatted my system disk a couple of days ago...before I saw the virus, and I haven't had the computer connected to the internet ever since...how did it get to me?

Edited by Renegade, 15 March 2006 - 05:01 PM.


#2
Renegade (Topic Starter)
I forgot to say that the file that Trendmicro always finds as infected is the "rdriv.sys" file in the "c:\windows\system32" folder.

I only find this file when I start in normal mode. If I reboot in safe mode I can't find it in the folder.

#3
Metallica (Spyware Veteran, GeekU Moderator)
Click Start > Run, type services.msc > OK.
In the list of services find:
MicroSoft Media Tools
Right-click that line and choose Properties.
On the General tab, Stop the service and set it to Disabled.
In HijackThis click Config > Misc Tools > Delete an NT service.
In the dialog box paste: MicroSoft Media Tools

*Click here and download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\windows\system32\rdriv.sys
C:\WINDOWS\MSmedia.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the computer reboot and post a new HijackThis log.

Regards,
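The steps above rest on two things a helper does by eye: spotting the O23 service with no vendor and a binary dropped straight into C:\WINDOWS, and then comparing the new log with the old one to confirm that entry is gone. The script below is an added example, not code from the thread or from the HijackThis project: it parses O4 (Run key) and O23 (service) lines in the format HijackThis 1.99 writes, flags entries a reviewer would want to look at, and diffs a "before" and "after" log. The sample lines are constructed from the entries quoted in this thread, and the `O4_RE`, `O23_RE`, `triage` and `removed_entries` names are my own.

```python
"""Triage HijackThis O4/O23 lines and verify a removal by diffing two logs.

Added example; not HijackThis code. Sample lines are constructed from the
entries quoted in this thread (first log before removal, second after).
"""
import re

# Constructed sample: the relevant lines from the first log in the thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()

# Constructed "after" log: the same entries with the rogue service gone,
# which is what the second log in the thread shows.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "MSmedia.exe" not in l)

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: display name - owner - path   (display names containing
# " - " would confuse this simple split; none occur in the sample)
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

WINDOWS_ROOT = r"c:\windows"          # legit services almost always live below System32
LOADERS = {"rundll32.exe"}            # hosts whose interesting part is the DLL argument


def executable_of(cmd):
    """Return the program a Run-key command line starts (handles quoted paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return [(line, [reasons])] for O4/O23 lines that deserve a closer look.

    These are review prompts, not verdicts: a legitimate driver started by a
    bare file name (SoundMan here) trips the O4 rule too.
    """
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["owner"].lower() == "unknown owner":
                reasons.append("service binary carries no vendor/owner information")
            if m["path"].lower().rsplit("\\", 1)[0] == WINDOWS_ROOT:
                reasons.append("service binary sits directly in the Windows root, not in System32")
            if reasons:
                findings.append((line, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"]
            exe = executable_of(cmd)
            if exe.lower() in LOADERS:
                # For rundll32-style hosts, judge the DLL being loaded instead.
                arg = cmd.split(" ", 1)[1] if " " in cmd else ""
                target = arg.split(",", 1)[0]
            else:
                target = exe
            if "\\" not in target:
                findings.append((line, ["unqualified file name, resolved through the search path"]))
    return findings


def removed_entries(before, after):
    """Lines present in the earlier log but absent from the later one: the
    verification step after a cleanup."""
    after_lines = {l.strip() for l in after.splitlines()}
    return [l for l in before.splitlines() if l.strip() and l.strip() not in after_lines]


if __name__ == "__main__":
    for line, reasons in triage(LOG_BEFORE):
        print(line)
        for r in reasons:
            print("   ->", r)
    print("gone after cleanup:", removed_entries(LOG_BEFORE, LOG_AFTER))
```

Run against the constructed sample, the O23 line for MicroSoft Media Tools is the only entry that trips both service rules, and the diff of the two logs reports exactly that line as removed, which is the same check Metallica makes by reading the second log.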

#4
Renegade (Topic Starter)
Here is the new HijackThis log.

Now I just wonder...because I saw that Killbox placed a folder in my "c:" directory with the file "rdriv.sys"...what shall I do with this folder "c:\!KillBox"? Can I delete it?


Logfile of HijackThis v1.99.1
Scan saved at 16:20:29, on 2006-03-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zstatus.exe
C:\WINDOWS\system32\wuauclt.exe
D:\The Law\Installationsfiler\Virusprogram\Ny mapp\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1142439737500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142440512375
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F3FE8C-1CDA-4FE9-99DC-EE3C4DB62D3D}: NameServer = 193.11.224.20,193.11.224.21
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#5
Metallica (Spyware Veteran, GeekU Moderator)

Renegade wrote:
    Here is the new HijackThis log.

    Now I just wonder...because I saw that Killbox placed a folder in my "c:" directory with the file "rdriv.sys"...what shall I do with this folder "c:\!KillBox"? Can I delete it?


Yes. Killbox makes backups of the files we have it remove.
We make mistakes too and that gives us a way to undo them.

Your HijackThis log looks good now.
Can you do me a favour?
Surf to:
http://www.thespykil...x.php?board=1.0
Follow the instructions there to upload the c:\!KillBox folder

Then run a full system scan. This time the only files found should be in that folder.

And you can delete those once I've found them at TheSpykiller.

Regards,

#6
Renegade (Topic Starter)
I'm sorry, but I went ahead of you and scanned my computer with TrendMicro...When it found the files I told it to delete them, and it did.

So I won't be able to upload them to TheSpykiller.

Regards

#7
Metallica (Spyware Veteran, GeekU Moderator)
Oh. I'll run into them again. No worries. :tazz:

Please do have a look at my site about removing and preventing spyware.

Do me and yourself a favour and change all the passwords that are stored on that computer.

Take care,

#8
Renegade (Topic Starter)
Passwords...like what?

I hope you don't mean that I have to change all the passwords I have for different internet sites?

Otherwise I don't think I have any passwords on my computer.

Regards

#9
Metallica (Spyware Veteran, GeekU Moderator)
I'd certainly recommend changing them.
Unless it's no problem if someone else is able to log on under your account.

Regards,