Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infected with rdriv.sys AKA Win32.Trojan-gen

Started by Wiriyami , Jul 03 2005 06:59 AM

  • Please log in to reply

#1
Wiriyami
Posted 03 July 2005 - 06:59 AM

Wiriyami

    New Member

  • Member
  • Pip
  • 2 posts
Um, yes that's the size of it. Avast! keeps detecting it and can't really do anything about it.
As per standard procedure - here's my HiJackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:55:49 AM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\System32\logon.exe
C:\WINDOWS\System32\qxipiv.exe
C:\WINDOWS\System32\ltowco.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\William\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [ZoneEdit] C:\WINDOWS\System32\qxipiv.exe
O4 - HKLM\..\Run: [ibin] C:\WINDOWS\System32\ltowco.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{2922F04C-2603-4D41-A779-E6AE4E8176D8}: NameServer = 166.102.165.13 166.102.165.11
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
  • 0

Advertisements

#2
Wizard
Posted 03 July 2005 - 10:23 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi Wiriyami and Welcome to GeekstoGo!!

I need to see a few files from your System please

Right Click the Desktop and Select Compressed(zipped)Folder

Place a copy of these 3 in there

C:\WINDOWS\System32\logon.exe

C:\WINDOWS\System32\qxipiv.exe

C:\WINDOWS\System32\ltowco.exe

Dont close the zip folder>> click File>> Add a Password>> Make the Password "infected" all lower case letters please!


Email them to filesubmitATcharterDOTnet

AT=@
DOT=.

Now Scan all 3 at these 2 sites

http://www.virustota...h/index_en.html
and
http://virusscan.jotti.org/

Save the results by highlighting and Copy&Paste to a Notepad page!

Please Upload those files here for examination
http://www.thespykiller.co.uk/forum/

Put a link to this Post with it!

Now Click Start>> Run>> Type in Services.msc and Click OK!

Sroll that list and locate

Workstation Service Library

Right Click that entry and Select "Properties">> Click "Stop">> Go up and Change the "Startup Type" to "Disabled"

Do the exact Same for either of these that exist

Windows lsass Service

AOL Instant Messanger

Assuming my Suspicions are correct and the Virus Scans flagged all those as Infected!

Open HijackThis and Click on Config>> Misc Tools>> Delete a file on Reboot

Once the small Explorer Window opens Navigate to the "Windows" folder

Locate wkssvc.exe<< Double Click and Answer "NO" to the next prompt!

Follow those steps for each of the files listed below by navigating to each folder and locating the file and using the method above!

C:\WINDOWS\lsass.exe

C:\WINDOWS\aim.exe

C:\WINDOWS\System32\logon.exe

C:\WINDOWS\System32\qxipiv.exe

C:\WINDOWS\System32\ltowco.exe

C:\WINDOWS\web\related.htm<< When you get the Prompt to Restart,Do So by Click Yes!

Be sure all other Windows are Closed before doiong so

Restart in Safe Mode

Now Click Start>> Run>> Copy&Paste each command below into the Open box,one at a time and Click OK!

sc delete lsass

sc delete AIM

sc delete Microsoft Locator Service

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe

O4 - HKLM\..\Run: [ZoneEdit] C:\WINDOWS\System32\qxipiv.exe

O4 - HKLM\..\Run: [ibin] C:\WINDOWS\System32\ltowco.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and Download "The Hoster" from here
http://www.funkytoad...load/hoster.zip

Open it and Press "Restore Original Hosts" then press "OK".

Exit Program.

Have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post a fresh HijackThis log along with the Report from Panda
  • 0

#3
Wiriyami
Posted 03 July 2005 - 12:31 PM

Wiriyami

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I quite appreciate all your help Sir Crete. But um, logon.exe and qxipix.exe no longer exist. :tazz: They're just...not there anymore. I know for sure I didn't delete them.
  • 0

#4
Wizard
Posted 03 July 2005 - 06:43 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
No Problems,

Follow through with all the directions and post back!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP