rdriv.sys please help me [CLOSED]

#1 vineetcoolguy (New Member, 9 posts)
It all started when Norton 2002 detected a file rdriv.sys in my c:\windows\system32 folder. Since then I've tried really hard to get rid of this file but to no avail. I've tried deleting it in safe mode but it comes right back when I reboot in normal mode. I even disabled system restore and tried deleting it in safe mode again but to no avail. It always comes back. Please treat me like a total newbie in this area. Can you please help me? It's driving me nuts.

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

#3 vineetcoolguy (Topic Starter, New Member, 9 posts)
Thank you. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:41 PM, on 6/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\interserv.exe
C:\WINDOWS\System32\interserv.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tataindicom.com/data/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [TataIndicomStartUp] C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [Internet Services] interserv.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: Intel PDS - Unknown owner - C:\WINDOWS\System32\cba\pds.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

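A defender-side triage of the log above, added here as an example that is not part of the thread: it parses HijackThis O4 (autostart) and O23 (service) lines in Python and flags the same patterns the expert singled out in the next reply, an autostart given as a bare filename instead of a full path, one entry registered under several Run/RunServices keys, and an "Unknown owner" service running straight from the Windows folder. The sample lines are constructed in the shape of the posted log, and the flag wording and the `C:\WINDOWS` root are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log posted above (not a real scan).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [Internet Services] interserv.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# O4 = registry autostarts, O23 = NT services, in the shape HijackThis 1.99 prints them.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
WINDIR = "c:\\windows\\"  # assumption: the system root seen in the posted log


def command_path(command):
    """Return the executable part of an autostart command (quotes and arguments stripped)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(log_text):
    """Map each O4/O23 entry name to the reasons it deserves a second look."""
    findings = defaultdict(list)
    keys_by_name = defaultdict(set)

    def note(name, reason):
        if reason not in findings[name]:
            findings[name].append(reason)

    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            keys_by_name[name].add(hive + "\\" + key)
            exe = command_path(command)
            # A bare filename is resolved through the search path, so the log does not
            # even tell you which binary runs; legitimate vendors write full paths.
            if "\\" not in exe:
                note(name, "bare filename %r instead of a full path" % exe)
            continue
        m = O23_RE.match(line)
        if m:
            svc, owner, path = m.groups()
            low = path.lower()
            # No vendor in the version info, and the binary sits directly in the
            # Windows folder rather than under System32 or Program Files.
            if owner == "Unknown owner" and low.startswith(WINDIR) and "\\" not in low[len(WINDIR):]:
                note(svc, "unknown-owner service running straight from the Windows folder")

    # The same name under Run and RunServices in both HKLM and HKCU is redundant
    # persistence; ordinary software registers once.
    for name, keys in keys_by_name.items():
        if len(keys) > 1:
            note(name, "registered under " + ", ".join(sorted(keys)))
    return dict(findings)
```

Run it over a saved HijackThis log with `triage(open("hijackthis.log").read())`; the entries it returns are the ones to research before choosing "Fix checked".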
#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please follow all instructions exactly as specified. I would advise printing them out so you're sure to follow all instructions.

Copy the below instructions (until you get to the purple text). Paste them into Notepad and save it for use while in Safe Mode. This is important because it has to be done exactly in order for this to work.

I need you to reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

After getting into Safe Mode, go to Start > Run and type in:

cmd

Click OK.

A black window will open up.

Type the following in:

attrib -h -r -s C:\WINDOWS\system32\rdriv.sys

Hit Enter.

When it goes to the next line, type the following line:

del C:\WINDOWS\system32\rdriv.sys

Hit Enter.

Then type exit.

[END OF INSTRUCTIONS TO COPY FOR SAFE MODE]

Reboot into normal mode.

RIGHT-CLICK HERE and Save As (in Internet Explorer, it's "Save Target As") in order to download the fixrdriv.reg file. Save it to your desktop.

Locate fixrdriv.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After the "merged successfully" prompt, please do the following:

* Download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\system32\rdriv.sys
C:\WINDOWS\ItunesMusic.exe
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\System32\interserv.exe
C:\WINDOWS\aim.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, Run HijackThis. Place a check next to the following items and click FIX CHECKED:

O4 - HKLM\..\Run: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [Internet Services] interserv.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe


Close HiJackThis.

Now, make sure your firewall is on. Make sure you can turn it off, then turn it back on, and that nothing is greyed out.
Also, make sure your Anti-Virus program is working properly - you can turn auto-protect on and off, etc.

Download, install, and run CleanUp!

Download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode. You can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter. Then, run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

#5 vineetcoolguy (Topic Starter, New Member, 9 posts)
Thank you. That took care of rdriv.sys. Here are the logs...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:07:29 PM, 6/10/2005
+ Report-Checksum: 985784D2

+ Date of database: 6/10/2005
+ Version of scan engine: v3.0

+ Duration: 27 min
+ Scanned Files: 30726
+ Speed: 18.66 Files/Second
+ Infected files: 3
+ Removed files: 3
+ Files put in quarantine: 3
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\

+ Scan result:
C:\WINDOWS\system32\eraseme_77504.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\Program Files\NetMeeting\netmeet.htm -> Worm.Nimda -> Cleaned with backup
D:\Cool Stuff\Danger.exe -> Not-A-Virus.Joke.JepRuss -> Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 8:26:51 PM, on 6/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tataindicom.com/data/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [TataIndicomStartUp] C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel PDS - Unknown owner - C:\WINDOWS\System32\cba\pds.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

I've still got some other problems

1. The main problem is with my internet connection. I notice that suddenly, abruptly, my connection SOFTWARE says it's disconnected while my phone line remains active. I can no longer browse the net. Then the only way I can get back on the net is to switch my phone off and on and restart my computer (logging off and on doesn't help). This is the main reason I haven't done the ActiveScan till now. This problem was already present before I followed all your steps to remove rdriv.sys.
2. I've got 512 MB RAM and a 1 GB swapfile, but still, the day before yesterday while I was browsing I saw a message that my swapfile had exceeded its maximum. I haven't seen the message again.


Finally...

If we are done, can I...
1. Enable system restore?
2. Delete the KillBox program on my desktop?
3. Delete the .reg file I downloaded from the link above?
4. Uninstall CleanUp?

Thanks in advance.

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Where is the Panda log?

I don't remember asking you to disable system restore. But yes, enable it back now.

You may delete the killbox and .reg file you downloaded.

CleanUp is a good program to keep for overall use. But if you don't want it, then uninstall it.

Now to your problem at hand. Are you doing anything else when the disconnect occurs? Downloading anything? Try this:

Download WinsockFix http://www.greyknigh...sockFix.sfx.exe and uncompress it. Then double-click on the uncompressed file to run it.

Restart and go online. See if you still get disconnects.

For your swap file question, are you using any big (or memory intensive) program when that error started? This question should be asked in the Windows section I think. It's probably better suited over there.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#7 vineetcoolguy (Topic Starter, New Member, 9 posts)
Sorry, but the disconnect problem has not been resolved. I notice it especially occurs if the line is idle for some time, although it can occur even when it's busy.

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Are all the other problems gone now? Just want to make sure.

OK, does your internet program have a setting for the idle time? I know you said it may happen even when it's busy, but try increasing the idle time and see if that's better.

#9 vineetcoolguy (Topic Starter, New Member, 9 posts)
What is idle time? Please tell me how to raise it.

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
For the internet, when we refer to idle time it's the time when there is no activity going on at all online. For example, if you connect online but you are not doing anything (neither sending nor receiving any data online), then you are considered to be idle at that time. Some ISPs (Internet Service Providers) will time you out and disconnect you after a certain amount of time has passed if you don't do anything online.

So I just want you to check your settings (if you are using dial up internet) to make sure it's not set too low.

#11 vineetcoolguy (Topic Starter, New Member, 9 posts)
No, it's not set at all. There's no idle time with my ISP.

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Call up your ISP and see if it's a problem on their end. If not, post back here with an update.

#13 vineetcoolguy (Topic Starter, New Member, 9 posts)
I've found a way to stay connected. The trick is to press Control-Alt-Del and end the process svchost.exe which occupies the most memory (usually between 14000 and 20000 KB). Now if I dial, the connection is established but it's not visible. That is, the computer behaves as if I'm disconnected, but in reality I'm actually connected. Since the computer does not know I'm connected, it can't disconnect me. Later, however, I must disconnect my phone line manually. Is this info of any help?

#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
A little. That svchost is an important process since a lot of programs rely on it and that's why it's spiking so high at times.

OK, let's try this:

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


We're not deleting any programs here, just disabling them from startup. You can start them manually if needed.

Restart and see if that improves.

Try running that Panda scan now and give me the log.

#15 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.