
TrojanCachecachekit C:\WINNT\system32\rdriv.sys [CLOSED]


This topic is locked

#1
coffeepot
New Member, 1 posts
Please help. I am running a WIN2K server on which NAV keeps notifying me of a virus that it will not remove. This RDRIV.SYS is a nightmare!!!! Can I get your assistance cleaning this up?

Here is a copy of the HJT log....

Logfile of HijackThis v1.99.1
Scan saved at 10:26:56 AM, on 7/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\ismserv.exe
C:\MDAEMON\APP\MDAEMON.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\System32\RsFsa.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\RsSub.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Mssql7\Binn\sqlmangr.exe
C:\MDaemon\LDaemon\LDaemon.exe
C:\MDAEMON\APP\CFEngine.exe
C:\MDAEMON\WorldClient\WorldClient.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\image.exe
C:\WINNT\Profiles\Administrator\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: AboutTime.lnk = C:\Program Files\abouttime\PROGRAM\AboutTime.exe
O4 - Startup: cleanstomp.bat
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = server.ronnoco.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{15916AE3-D83C-4273-809B-07C0DD010137}: NameServer = 64.89.70.2,64.89.74.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B080901-E2CB-4BBB-B1D7-9D3B9D5ACCFD}: NameServer = 205.242.92.2 205.242.176.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4CCDEB8-1B85-4D4A-9792-EB7CF55888D6}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4F8B96F-B10D-4513-8CBD-C5348905FFD3}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = server.ronnoco.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{15916AE3-D83C-4273-809B-07C0DD010137}: NameServer = 64.89.70.2,64.89.74.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = server.ronnoco.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{15916AE3-D83C-4273-809B-07C0DD010137}: NameServer = 64.89.70.2,64.89.74.2
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EventLogs (Event Logs) - Unknown owner - C:\WINNT\svchosts.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe
O23 - Service: LDaemon - Unknown owner - C:\MDaemon\LDaemon\LDaemon.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDAEMON\APP\MDAEMON.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: System Driver Inf (System) - Unknown owner - C:\Program Files\Common Files\System\Mapi\1033\NT\taskmanager.exe (file missing)


#2
kool808
Visiting Staff, 1,690 posts
Hello and welcome to Geeks to Go! I'm kool808 and I will be helping you today.

I am working on your log. As soon as I have made a good fix for this, I will post a reply. Thank you for your patience.

#3
kool808
Visiting Staff, 1,690 posts

I strongly recommend that you renew all your passwords for all accounts. The intruder must have taken them. Make stronger passwords combining letters and numbers.


Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip
  • Unzip it to your desktop.
* Ewido Security Suite
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* CleanUp!
  • Install it. Do NOT run it yet.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

4.) After Cleanup! is finished, we will fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis, then click SCAN. Please put a check next to the following items:

O4 - Startup: cleanstomp.bat

Are you familiar with cleanstomp.bat? Are you using that one?


O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe


Make sure to double check the items you have selected, then click Fix Checked.

5.) Be sure to view hidden and system files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist:
  • C:\WINNT\image.exe
  • C:\cleanstomp.bat
  • C:\WINNT\system32\netdde.exe
Finally, Empty Recycle Bin


6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

Open Internet Explorer. When it is open click on Tools and then Internet Options. Then click on the Connections tab and then press the Lan Settings button. Do you have it set to use a proxy server?


Edited by kool808, 17 July 2005 - 08:40 AM.

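The log in #1 and the fix list in #3 together show what a helper looks for first in a HijackThis log: a startup entry pointing at an unexplained script (cleanstomp.bat), an O23 service with "Unknown owner" whose binary is running (C:\WINNT\image.exe), services whose file is already gone ("(file missing)"), and a proxy set in R1. The script below is an added example for this thread, not HijackThis code and not from any post above; it parses an HJT 1.99 log and applies exactly those rules. SAMPLE_LOG is a constructed excerpt of the log from #1, and the names triage, parse_hjt and Finding are this example's own. It only reports and deletes nothing, because a path on its own is not proof: HJT's "Unknown owner" just means the binary has no company string in its version info, and a stock Windows 2000 component such as netdde.exe in the process list is not suspicious by itself.

```python
"""Triage a HijackThis 1.99 log for the entries a helper acts on first.

Added example for this thread (not HijackThis code, not from any post).
Flags: startup scripts, bare-filename Run entries, O23 services with no
vendor info (worse if currently running), orphaned "(file missing)"
services, and an IE proxy setting. Reports only; deletion stays manual.
"""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the log posted in #1.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\image.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:80
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: cleanstomp.bat
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EventLogs (Event Logs) - Unknown owner - C:\WINNT\svchosts.exe (file missing)
O23 - Service: WIN32 (image) - Unknown owner - C:\WINNT\image.exe
O23 - Service: LDaemon - Unknown owner - C:\MDaemon\LDaemon\LDaemon.exe
O23 - Service: System Driver Inf (System) - Unknown owner - C:\Program Files\Common Files\System\Mapi\1033\NT\taskmanager.exe (file missing)
"""

ENTRY_RE = re.compile(r"^[RFO]\d+ - ")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<key>[^\]]*)\] )?(?P<rest>.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
SCRIPT_EXTS = {"bat", "cmd", "vbs", "js", "pif", "scr"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (act now) or "review" (confirm with the user)
    section: str   # HJT section code: R1, O4, O23
    target: str    # the path or value the entry points at
    reason: str


def parse_hjt(text):
    """Split a log into (running process paths, R/F/O entry lines)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # blank line ends the process block
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def triage(text):
    """Return the Finding list for one log, in log order."""
    processes, entries = parse_hjt(text)
    running = {p.lower() for p in processes}
    findings = []
    for line in entries:
        m = PROXY_RE.match(line)
        if m:
            findings.append(Finding("review", "R1", m["proxy"],
                "IE proxy is set; confirm it is yours "
                "(Tools > Internet Options > Connections > LAN Settings)"))
            continue
        m = STARTUP_RE.match(line)
        if m:
            # "name.lnk = C:\path\prog.exe" -> keep the shortcut's target
            target = m["rest"].split(" = ", 1)[-1].strip()
            ext = target.lower().rsplit(".", 1)[-1] if "." in target else ""
            if ext in SCRIPT_EXTS:
                findings.append(Finding("review", "O4", target,
                    "script in a startup location; confirm you created it"))
            elif "\\" not in target:
                findings.append(Finding("review", "O4", target,
                    "bare filename, resolved through PATH at logon"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path, owner = m["path"], m["owner"]
            if m["missing"]:
                findings.append(Finding("high", "O23", path,
                    "service points at a file that no longer exists; "
                    "orphaned entry, remove the service"))
            elif owner == "Unknown owner" and path.lower() in running:
                findings.append(Finding("high", "O23", path,
                    "service with no vendor info is running right now"))
            elif owner == "Unknown owner":
                findings.append(Finding("review", "O23", path,
                    "service binary carries no vendor info; verify the file"))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.section:3} {f.target}\n         {f.reason}")
```

Run against the sample, the three "high" findings are C:\WINNT\image.exe (unknown vendor and currently running, the service kool808 told the poster to fix) and the two orphaned services svchosts.exe and taskmanager.exe; cleanstomp.bat, PROMon.exe, the proxy and LDaemon come back as "review", which matches the question in #3 about whether the poster recognises cleanstomp.bat and the proxy. LDaemon is a reminder that "Unknown owner" alone is weak evidence: it belongs to the MDaemon install listed in the same log.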

#4
kool808
Visiting Staff, 1,690 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.