Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Troj_rootkit.e

Started by Renegade , Mar 15 2006 04:36 PM

  • Please log in to reply

#1
Renegade
Posted 15 March 2006 - 04:36 PM

Renegade

    Member

  • Member
  • PipPip
  • 25 posts
Hello

A couple of days ago I checked my computer for virus and found this really annoying thing (I scanned my computer with the online sevice at www.trendmicro.com)

I have tried deleting it with the oline service and when that didn't work I tried a manual removal as they suggest on their website...nothing worked.

I hope that you can help me out here.

I send you my HijackThis logfile:

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program\Internet Explorer\iexplore.exe
D:\The Law\Installationsfiler\Virusprogram\Ny mapp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1142439737500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142440512375
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F3FE8C-1CDA-4FE9-99DC-EE3C4DB62D3D}: NameServer = 193.11.224.20,193.11.224.21
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


I also wonder if you get rid of this problem by formating the whole hard drive? I formated my system disk a couple of days ago...before I saw the virus and haven't had the computer connected to the internet ever since...how did it get to me?

Edited by Renegade, 15 March 2006 - 05:01 PM.

  • 0

Advertisements

#2
Renegade
Posted 16 March 2006 - 08:14 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I forgot to say that the file that Trendmicro always finds as infected is the "rdriv.sys" file in the "c:\windows\system32" folder.

I only find this file when I start in normal mode. If i reboot in safe mode I can't find it in the folder.
  • 0

#3
Metallica
Posted 16 March 2006 - 08:55 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Click Start > Run type services.msc > OK
In the list of services find:
MicroSoft Media Tools
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: MicroSoft Media Tools

*Click here and download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\windows\system32\rdriv.sys
C:\WINDOWS\MSmedia.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the computer reboot and post a new HijackThis log.

Regards,
  • 0

#4
Renegade
Posted 16 March 2006 - 09:25 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Here is the new Hijack This log

Now I just wonder...cause I saw that Killbox placed a folder in my"c:" directory with the file "rdriv.sys"...what shall I do with this folder"c:\!KillBox". Can I delete it?


Logfile of HijackThis v1.99.1
Scan saved at 16:20:29, on 2006-03-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zstatus.exe
C:\WINDOWS\system32\wuauclt.exe
D:\The Law\Installationsfiler\Virusprogram\Ny mapp\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1142439737500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142440512375
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F3FE8C-1CDA-4FE9-99DC-EE3C4DB62D3D}: NameServer = 193.11.224.20,193.11.224.21
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#5
Metallica
Posted 16 March 2006 - 09:39 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts

Here is the new Hijack This log

Now I just wonder...cause I saw that Killbox placed a folder in my"c:" directory with the file "rdriv.sys"...what shall I do with this folder"c:\!KillBox". Can I delete it?


Yes. Killbox makes backups of the files we have it remove.
We make mistakes too and that gives us a way to undo them.

Your HijackThis log looks good now.
Can you do me a favour?
Surf to:
http://www.thespykil...x.php?board=1.0
Follow the instructions there to upload the c:\!KillBox folder

Then run a full system scan. This time the only files found should be in that folder.

And you can delete those once I found them at TheSpykiller.

Regards,
  • 0

#6
Renegade
Posted 16 March 2006 - 10:30 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I'm sorry but I went ahead of you and scanned my computer with TrendMicro...When it found the files I told it to delete them and it did.

So I won't be able to upload them to thespykiller

Regards
  • 0

#7
Metallica
Posted 16 March 2006 - 12:09 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Oh. I'll run into them again. No worries. :tazz:

Please do have a look at my site about removing and preventing spyware.

Do me and yourself a favour and change all the passwords that are stored on that computer.

Take care,
  • 0

#8
Renegade
Posted 18 March 2006 - 07:43 PM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Passwords...like what?

I don't hope you mean that I have to change all my passwords that I have to different internet sites?

Otherwise I don't think I have any passwords on my computer.

Regards
  • 0

#9
Metallica
Posted 19 March 2006 - 04:05 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I'd certainly recommend changing them.
Unless it's no problem if someone else is able to log on under your account.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP