rdriv installation



#1 kanishka (Member, 54 posts)
Hello, I had formatted my computer 5 days ago and got a DSL line connection at the same time. Yesterday, when I was about to install XP SP2, I saw this pop-up coming up in my startup window. It says that new hardware, rdriv, has been detected and asks whether I want to install the driver. I also find that it is present in c:\windows\system32\rdriv.sys. I am using the ZoneAlarm firewall along with Avast antivirus and a BPS spyware scanner; none was able to detect it. Please help me to get rid of this, and also tell me the steps in detail to perform them. Please.



#2 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Welcome kanishka to Geeks to Go!

Please download the latest version of HiJack This. Click here to download the latest version (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need it. Follow the instructions below if you are unsure how to save it in a permanent folder:
1.) Click on the link to download HiJackThis.exe.
2.) When it pulls up the box (for you to pick a location to save the file), click on the pulldown menu and select "[C:]".
3.) Click on the button to "create new folder" and name the folder HiJackThis.
4.) Double click on the folder you just made (to go into the folder) and click "save" on the bottom of the box.
Double click HijackThis to run a scan and save the log.

Post that log here in your reply to this topic by using the 'add reply' button.

#3 kanishka (Topic Starter)
Hello,
here is the log that you asked for.

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\winssvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\pppoetray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\hawk\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R3 - Default URLSearchHook is missing
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [%FP%AIRTEL fts.exe] "C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117646471222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BAB303-5CE4-4DCB-BCCB-591793A1B6D6}: NameServer = 202.56.215.6,202.56.230.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{D33A2A29-FCA1-4091-ADE0-BE9F08CAFDA2}: NameServer = 202.56.215.6 202.56.230.6
O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\winssvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#4 g2i2r4 (retired HiJack Helper)
Please post me the header along with the log, i.e. the part starting with "Logfile of HijackThis", date of creation, etc.

#5 kanishka (Topic Starter)
Here is what you requested: the log file with the header. Looking forward to your reply.

Logfile of HijackThis v1.99.1
Scan saved at 11:31:56 AM, on 6/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winssvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\rasautou.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\pppoetray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\hawk\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R3 - Default URLSearchHook is missing
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [%FP%AIRTEL fts.exe] "C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117646471222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BAB303-5CE4-4DCB-BCCB-591793A1B6D6}: NameServer = 202.56.215.6,202.56.230.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{D33A2A29-FCA1-4091-ADE0-BE9F08CAFDA2}: NameServer = 202.56.215.6 202.56.230.6
O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\winssvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#6 g2i2r4 (retired HiJack Helper)
Please follow all instructions as specified. Print these instructions to ensure all are followed.


You are running HijackThis from its zipped archive; please create a new folder for it and unzip the program into it. It is very important you do this before anything else!

---------

Go to this site:
http://www.virustota...h/index_en.html
Have this file scanned there:
C:\WINDOWS\winssvc.exe
Copy the result to a notepad file and save it to your desktop.

---------

Please download the following programs, but do not run them yet:


* rdrivRem.zip - Unzip it to your desktop.
* Ewido Security Suite - Install ewido security suite:
  * Launch ewido; there should be a big E icon on your desktop, double-click it.
  * The program will prompt you to update; click the OK button.
  * The program will now go to the main screen.
  * You will need to update ewido to the latest definition files.
  * On the left hand side of the main screen click update.
  * Click on Start.
  * The update will start and a progress bar will show the updates being installed.
  * After the updates are installed, exit Ewido.
* CleanUp! - Install it.
***

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

***

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen.

***

2.) Double-click the Ewido Security Suite icon to run the program. Set the program up as follows:
* Click on scanner
* Make sure the following boxes are checked before scanning:
  * Binder
  * Crypter
  * Archives
* Click on Start Scan
* Let the program scan the machine
  While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch ewido) and click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report
* Save the report to your desktop.
***

3.) Find and double-click the file cleanup.

Go to Options.
Select 'custom'.
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

4.) Run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/

R3 - Default URLSearchHook is missing

O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll

O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h

Close HiJackThis.

***

5.) Use windows Explorer to remove these folders:
C:\Program Files\Common Files\Hyperbar\
C:\Program Files\Warez P2P Client\

***

6.) Make sure your firewall is on. Make sure you can turn it off and then turn it back on, and that nothing is greyed out.
Also, make sure your Anti-Virus program is working properly: you can turn auto-protect on and off, etc.

***

7.) Run this online virus scan:
ActiveScan

Save the results from ActiveScan.

***

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic. Also post the scan result for the file I asked you to scan.
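Added here as an illustration (not from the thread, and not HijackThis's own code): a small Python triage script that parses the R0/R1/R3/O2/O4/O23 lines of a HijackThis log, flags the kinds of entries picked out above (search pages pointing at an unexpected host, the missing URLSearchHook, BHOs, and Run entries or services whose binary sits outside the usual directories or is missing), and diffs a before/after log so the "post a fresh log" step can be checked mechanically. The expected-host set and the directory list are assumptions made for the example; the sample lines are a subset of the logs posted in this thread.

```python
"""HijackThis v1.99.1 log triage (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumptions (not from the thread): IE hosts the owner expects, and
# directories a legitimately installed binary normally lives under.
EXPECTED_IE_HOSTS = {"www.google.co.in", "www.google.com"}
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"= (?P<url>\S+)$")
PATH_RE = re.compile(r"(?P<path>[a-z]:\\[^\"]*?\.(?:exe|dll|sys|ocx))", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(text):
    """Return (code, body, line) for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), raw.strip()))
    return entries


def binary_path(body):
    """First drive-letter path ending in a binary extension, lower-cased."""
    m = PATH_RE.search(body)
    return m.group("path").lower() if m else None


def triage(text):
    """Flag entries a helper would look at first; legit ones may still appear."""
    findings = []
    for code, body, line in parse_entries(text):
        if code in ("R0", "R1"):
            m = URL_RE.search(body)
            host = urlparse(m.group("url")).hostname if m else None
            if host and host not in EXPECTED_IE_HOSTS:
                findings.append(Finding(code, f"IE setting points at unexpected host {host}", line))
        elif code == "R3" and "missing" in body:
            findings.append(Finding(code, "default URLSearchHook missing; usual after a search hijack", line))
        elif code == "O2":
            findings.append(Finding(code, "browser helper object; verify the DLL's vendor", line))
        elif code in ("O4", "O23"):
            path = binary_path(body)
            if "(file missing)" in body:
                findings.append(Finding(code, "registered binary is no longer on disk", line))
            elif path and not path.startswith(STANDARD_DIRS):
                findings.append(Finding(code, f"binary outside standard directories: {path}", line))
    return findings


def compare(before, after):
    """Entries that disappeared and entries that appeared between two logs."""
    old = {line for _, _, line in parse_entries(before)}
    new = {line for _, _, line in parse_entries(after)}
    return sorted(old - new), sorted(new - old)


# Constructed sample: a subset of the lines posted in this thread, before the fix.
BEFORE = r"""
Running processes:
C:\WINDOWS\winssvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R3 - Default URLSearchHook is missing
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\winssvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# Constructed sample: the same machine after the fixes in this thread were applied.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\winssvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(BEFORE):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
    removed, added = compare(BEFORE, AFTER)
    print(f"{len(removed)} entries gone, {len(added)} new after the fix")
```

Note that a path check like this only narrows the list: the warez.exe entry sits under Program Files and is not flagged, which is why a helper still reads every O4 line by hand.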

#7 kanishka (Topic Starter)
Hello, I have done the whole process; here are the things you requested. Let me know whether I can install XP SP2 now or not. LOOKING FORWARD TO YOUR REPLY.

ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:53:34 AM, 6/19/2005
+ Report-Checksum: 5AECD486

+ Date of database: 6/18/2005
+ Version of scan engine: v3.0

+ Duration: 25 min
+ Scanned Files: 30182
+ Speed: 20.12 Files/Second
+ Infected files: 60
+ Removed files: 60
+ Files put in quarantine: 60
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\WINDOWS\winssvc.exe -> Backdoor.SdBot.zo -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP14\A0005854.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP14\A0005868.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP14\A0005882.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP15\A0005903.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP15\A0005937.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP15\A0006015.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP16\A0006957.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP17\A0006977.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP17\A0006989.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP17\A0007989.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP17\A0008989.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP17\A0009989.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP17\A0010989.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0011989.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0012009.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0012023.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0012042.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0013042.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0014041.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0015042.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0016042.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0017041.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0019042.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0020042.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP18\A0021040.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0022042.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0022060.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0023060.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0025063.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0026058.dll -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0026059.exe -> Spyware.NewDotNet.C -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0026065.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0026077.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP19\A0026086.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP20\A0026106.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP20\A0026179.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP20\A0027178.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP20\A0028176.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP20\A0029178.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP21\A0029192.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP21\A0030190.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP21\A0030210.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0030226.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0030236.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0030249.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0031251.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0032252.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0033248.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0034251.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0035251.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0036251.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0037251.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0038248.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0038280.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0039279.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0039291.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0039299.SYS -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{6C033B2D-A893-49D6-A43A-C825614F23DD}\RP22\A0040299.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\FOUND.004\FILE0001.CHK -> Trojan.Rootkit.k -> Cleaned with backup


::Report End



LOG OF ACTIVE SCAN:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/Hyperbar No disinfected C:\hjt\backups\backup-20050619-121649-601.dll




LOG OF HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 3:15:28 PM, on 6/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\pppoetray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [%FP%AIRTEL fts.exe] "C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117646471222
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BAB303-5CE4-4DCB-BCCB-591793A1B6D6}: NameServer = 202.56.215.6,202.56.230.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{D33A2A29-FCA1-4091-ADE0-BE9F08CAFDA2}: NameServer = 202.56.215.6 202.56.230.6
O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\winssvc.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe




SCAN RESULT OF THE FILE:

This is a report processed by VirusTotal on 06/18/2005 at 21:13:26 (CET) after scanning the file "winssvc.exe-up.txt" file.

Antivirus Version Update Result
AntiVir 6.31.0.7 06.17.2005 no virus found
AVG 718 06.14.2005 no virus found
Avira 6.31.0.7 06.17.2005 no virus found
BitDefender 7.0 06.18.2005 no virus found
ClamAV devel-20050501 06.18.2005 no virus found
DrWeb 4.32b 06.18.2005 no virus found
eTrust-Iris 7.1.194.0 06.17.2005 no virus found
eTrust-Vet 11.9.1.0 06.17.2005 no virus found
Fortinet 2.35.0.0 06.18.2005 no virus found
Ikarus 2.32 06.18.2005 no virus found
Kaspersky 4.0.2.24 06.18.2005 no virus found
McAfee 4516 06.17.2005 no virus found
NOD32v2 1.1145 06.18.2005 no virus found
Norman 5.70.10 06.17.2005 no virus found
Panda 8.02.00 06.18.2005 no virus found
Sybari 7.5.1314 06.18.2005 no virus found
Symantec 8.0 06.18.2005 no virus found
TheHacker 5.8-3.0 06.17.2005 no virus found
VBA32 3.10.3 06.17.2005 no virus found

#8 kanishka (Topic Starter)
Hi there,

Right now I have just restarted my computer. I am still getting the pop-up in my startup menu regarding installation of rdriv hardware, and along with it a new pop-up is also coming which also says that new hardware was found: installation of ewido security suite hardware.
I have also run "search" for the rdriv file. Now I am not finding the file "c:\windows\system32\rdriv.sys" which was present earlier.

I have added this reply before you replied to me, thinking this would help you save time. Looking forward to your reply.

#9 g2i2r4 (retired HiJack Helper)
Did you try to scan this file:
C:\WINDOWS\winssvc.exe

The scan result says you had this file scanned:
winssvc.exe-up.txt

Please try again.


---


Were you able to run rdrivRem.bat?

#10 kanishka (Topic Starter)
Hello.
There is no file named "C:\WINDOWS\winssvc.exe" in existence on my computer. So what shall I do now?


#11 g2i2r4 (retired HiJack Helper)
Were you able to run rdrivRem.bat?

#12 kanishka (Topic Starter)
Hi,

I downloaded the rdrivRem zipped file from the link you suggested, then extracted the folder on my desktop. Then, when I was in safe mode, I double-clicked the folder; there was an 8 KB MS-DOS batch file in it, which I ran by double-clicking it. Then a screen appeared saying that the makers of this file are not responsible for anything that happens to my computer. There was a Continue button for continuing the process, and to exit one had to close the window. I pressed the Continue button, but after that nothing happened. I thought the process had taken place, so I then went forward with the rest of the instructions.
Please tell me what to do next.

#13 g2i2r4 (retired HiJack Helper)
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

AOL Instant Messenger

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next step.

***

Open HijackThis to the misc tools section and click the Delete an NT Service button.
Paste in
AOL Instant Messenger
and click OK.
Close HijackThis.

Let the system reboot.

Let me know how things are now and post me a fresh log using HijackThis to check.

#14 kanishka (Topic Starter)
Hello,

Well, I found the service in "Services.msc". When I double-clicked it, the service was already stopped, and then I also disabled it. Then I restarted the computer, but still there is no improvement. I am having the same pop-up about hardware installation. Also, in Display, in the Themes section, the Windows Classic and the Windows XP themes have become the same except for the wallpaper behind them.

Here is the new log that you requested.

Logfile of HijackThis v1.99.1
Scan saved at 3:04:15 PM, on 6/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\pppoetray.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [%FP%AIRTEL fts.exe] "C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117646471222
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BAB303-5CE4-4DCB-BCCB-591793A1B6D6}: NameServer = 202.56.215.6,202.56.230.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{D33A2A29-FCA1-4091-ADE0-BE9F08CAFDA2}: NameServer = 202.56.215.6 202.56.230.6
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#15 g2i2r4 (retired HiJack Helper)
To repair the XP styles:

One of our Experts, Miekiemoes uploaded a copy of her luna.msstyles, so
click on this link to download it. Click here

Unzip it and using windows explorer, move the luna.msstyles which is in the folder you unzipped to this folder: C:\WINDOWS\Resources\Themes\Luna

Don't move it anywhere else except that folder!

When you have moved it, right-click on your desktop > properties ... and look if Windows XP style is now present again. Choose apply and OK.

If not, reboot first, and try again to select Windows XP style.

***

Reboot and try to make a screenshot of that installation message. Add it as an attachment to this post.