rdriv.sys


This topic is locked

#1 sigfrid (Member, 42 posts)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net.mx/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunServices: [Microsoft Media player 9] msmedia32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...ocis/OSInfo.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100834684415
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EEA5FC2-4B9D-4002-81C9-158BC783B4BC}: NameServer = 200.23.242.202 200.23.242.196
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Ati Management - Unknown - C:\WINDOWS\encrypt.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

#2 sigfrid (Topic Starter, Member, 42 posts)
Funny, I'd swear that someone was looking at the post :tazz:

#3 John_L (Visiting Staff, 1,398 posts)
Hi Sigfrid :tazz:

Now that I have some time to respond to this, I need to see a full log from top to bottom; there are things missing that I need to see. ;)

#4 sigfrid (Topic Starter, Member, 42 posts)
Um, missing? ;) Like what? You know I run HijackThis and that's all I've got :tazz:

#5 John_L (Visiting Staff, 1,398 posts)
There is a lot missing :tazz:

All the processes that I need to see are not there.

You may have a corrupt version; redownload the application.

Hijack This Direct Link

Make sure to get it all from top to bottom. ;)

Everything from the R0s and up.

Edited by John_L, 24 July 2005 - 03:01 PM.


#6 sigfrid (Topic Starter, Member, 42 posts)
;) Man, that's so weird. I downloaded the app like 3 times now and just keep on getting just that :tazz:




(Linux RuLZzzzzZ)

#7 sigfrid (Topic Starter, Member, 42 posts)
Well, anyway, by tonight I might have figured out what's up with HijackThis, so I'll be posting the complete log by night.

#8 Wizard (Retired Staff, 5,661 posts)
Let's back this up a step, how about it!

You came here for help, correct?


Help is what you will get, but I insist that this child's play of PMing staff members stop now!

Agreed?

Deal?

If you can concede to this simple request, I will be more than happy to help you out!?

#9 sigfrid (Topic Starter, Member, 42 posts)
Hey, chill out Crest, I haven't PMed again :tazz: and I think I never did to you. Anyway, I don't know what the [bleep] happened, but I ran HijackThis again and got a full log with all the processes ;)

Logfile of HijackThis v1.99.1
Scan saved at 20:35:16, on 24/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Winamp\winampa.exe
C:\WINDOWS\System32\qttask.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\D-Tools\daemon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net.mx/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunServices: [Microsoft Media player 9] msmedia32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...ocis/OSInfo.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100834684415
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Ati Management (Winconfig32) - Unknown owner - C:\WINDOWS\encrypt.exe

#10 sigfrid (Topic Starter, Member, 42 posts)
I have a slight idea of which processes are not supposed to be there.

#11 Wizard (Retired Staff, 5,661 posts)
Please understand what I mean when saying that PMing the GeekstoGo staff members is just taboo around here!

Think, if every user we posted to PMed us?

How the heck would we get anything done!

Let's let all that BS rest and get you fixed up!

Because of the language barrier and the fact that my translator is acting like an arse!

Bear with me, I will have to research all these funky-looking services (O23s) one at a time!

Download UnHackme from here
http://www.greatis.c...me/download.htm

Run Unhackme and place the Results in the next post

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingc...showtutorial=62


Locate and Delete

C:\WINDOWS\System32\qttask.exe << File only!

C:\WINDOWS\System32\rdriv.sys << File only!

Open the Search Assistant (click Start >> click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced Options!

Now under All Files and Folders, enter this into the text box:

msmedia32.exe

Delete any exact matched found!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\RunServices: [Microsoft Media player 9] msmedia32.exe

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Now Open and Run Ewido-> Clean All it finds and Be sure to Click the tab to Save a Report!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from UnHackMe-> Ewido and Panda!

Edited by Cretemonster, 25 July 2005 - 06:56 AM.

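An added triage helper, not part of this thread and not HijackThis's own code: it reads log lines in the format posted above and flags the kinds of entries Wizard singled out (orphaned references, blanked IE settings, bare-filename autoruns, the legacy RunServices key, altered zone defaults, and unattributed services running straight from the Windows directory). The sample lines are copied from the log in post #9; the C:\WINDOWS location is an assumption taken from that log.

```python
import re

# Lines copied from the HijackThis v1.99.1 log posted earlier in this thread (post #9).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prodigy.net.mx/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [Microsoft Media player 9] msmedia32.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: avast! Antivirus - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Ati Management (Winconfig32) - Unknown owner - C:\WINDOWS\encrypt.exe
"""

R0_RE = re.compile(r'^R0 - (?P<key>.+?) =\s*(?P<value>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
WINDIR = r'c:\windows'  # assumed Windows directory, as seen in the posted log

def flags_for(line):
    """Return the reasons a single HijackThis line deserves a second look ([] if none)."""
    line = line.strip()
    reasons = []
    # Entries that point at a file which is no longer present are orphaned references.
    if '(no file)' in line or '(file missing)' in line:
        reasons.append('points at a file that is not there (orphaned entry)')
    m = R0_RE.match(line)
    if m and not m.group('value'):
        reasons.append('Internet Explorer setting has been blanked out')
    m = O4_RE.match(line)
    if m:
        cmd = m.group('cmd').lstrip('"')
        # A bare executable name is located through the search path, not a fixed location.
        if not re.match(r'[A-Za-z]:\\', cmd):
            reasons.append('autorun target is a bare filename rather than a full path')
        if m.group('key').lower() == 'runservices':
            reasons.append('uses the legacy RunServices key, rarely used by legitimate software on XP')
    if line.startswith('O15 - ') and 'should be' in line:
        reasons.append('Internet Explorer zone mapping has been altered')
    m = O23_RE.match(line)
    if m:
        exe = m.group('path').lstrip('"').lower()
        parent = exe.rsplit('\\', 1)[0]
        # A service with no vendor name whose binary sits directly in C:\WINDOWS is unusual.
        if m.group('owner') == 'Unknown owner' and parent == WINDIR:
            reasons.append('unattributed service runs straight out of the Windows directory')
    return reasons

def triage(log_text):
    """Return (line, reasons) for every log line that raised at least one flag."""
    flagged = []
    for raw in log_text.splitlines():
        if raw.strip():
            reasons = flags_for(raw)
            if reasons:
                flagged.append((raw.strip(), reasons))
    return flagged
```

Calling triage(SAMPLE_LOG) returns six flagged entries, which are exactly the lines Wizard asked to have fixed plus the two avast entries that were reported as file missing; the avast! Antivirus service and the Winamp autorun pass clean.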

#12 sigfrid (Topic Starter, Member, 42 posts)
(bleep bleep) Most of that I have already done a while ago (I'll give it a try anyway, and that funny-looking service is an antivirus).
And about the deletions, they always keep on respawning. Thanks, I'll see how it turns out, but not so sure about being able to do an online scan (my connection is dial-up).

#13 sigfrid (Topic Starter, Member, 42 posts)
Sorry, forgot to thank you.

#14 sigfrid (Topic Starter, Member, 42 posts)
---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 21:29:41, 25/07/2005
+ Report-Checksum: BA008ACE

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Limpio sin backup
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\CJ2XSZIV\ok[1].exe -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup
C:\Documents and Settings\Omar\Cookies\omar@atdmt[2].txt -> Spyware.Cookie.Atdmt : Limpio sin backup
C:\Documents and Settings\Omar\Cookies\omar@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Limpio sin backup
C:\Documents and Settings\Omar\Cookies\omar@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Limpio sin backup
C:\Documents and Settings\Omar\Escritorio\EliTriIP.exe -> Heuristic.Win32.AVKiller : Limpio sin backup
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar : Limpio sin backup
C:\WINDOWS\encrypt.exe -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet : Limpio sin backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Limpio sin backup
C:\WINDOWS\system32\edojweyd.exe -> TrojanDownloader.Agent.jc : Limpio sin backup
C:\WINDOWS\system32\eraseme_01251.exe -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup
C:\WINDOWS\system32\eraseme_76702.exe -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup
C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Limpio sin backup
C:\WINDOWS\system32\TFTP3004 -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup
C:\WINDOWS\system32\TFTP3180 -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup
C:\WINDOWS\system32\TFTP3688 -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup
C:\WINDOWS\system32\TFTP4912 -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup


::Fin Report

#15 sigfrid (Topic Starter, Member, 42 posts)
There it is, the log from the antivirus you told me about. It looks like this one did get the rootkit. Thanks, what shall I do now?