Trojan in C:\Windows\System32\rdriv.system [RESOLVED]


This topic is locked

#31
Trevuren
    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • We need to make sure all hidden files are showing so please:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • Please RUN HijackThis, click the SCAN button to produce a log.
    • Place a check mark beside each one of the following items:

      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    • Now with all the items selected, and all windows closed except for HJT, DELETE them by clicking the FIX checked button and EXIT the program.
  • Reboot Your System in Safe Mode

    How To Start To Safe Mode In Windows 2000
    • Turn the computer on
    • When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key.
    • The Windows 2000 Advanced Options Menu will appear.
    • Choose the Safe mode option. (It is usually the first item in the list.)
    • Use the arrow keys to select it if it is not selected by default.
    • Press Enter. The computer will start in Safe mode.
    • When finished troubleshooting, close all programs and restart the computer as you normally would.
  • Using Windows Explorer, locate the following files/folders (with all their content), and DELETE them (if they are present):

    C:\PROGRAM FILES\Grisoft <== Folder and content

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren


#32
townangel

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi Trevuren,

Well, I did all the steps but still came up with the same error when attempting to delete the grisoft folder:
Cannot delete avgse.dll. Access denied. The source file may be in use. What the heck? Anyway, the AVG didn't reload coming back from safe mode to regular, which is what I know we were wanting, but now I'm online without protection. :tazz:
Should I try to delete as much of the AVG as possible and then attempt to download the whole shebang again? Ack! This stuff can be so frustrating!

I've posted the latest Hijack This below. Thanks for sticking with me.
Logfile of HijackThis v1.99.1
Scan saved at 2:07:50 PM, on 10/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\hijack this NEW\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b7f09bd887ad6152c0b808f6fa447119\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thewgalch....com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123562832238
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128713893600
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservic...ool/MailCfg.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Edited by townangel, 24 October 2005 - 12:19 PM.

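The two HijackThis steps in this thread, ticking named O4 entries to fix and checking a fresh log after the Grisoft folder is gone, are mechanical enough to script. The parser below is an added example written for this thread; it is not HijackThis's own code and not something the poster ran. The two log texts are constructed from entries quoted in the thread (an AVG process is added to the "before" list to illustrate the in-use case), and the function names, the `Entry`/`Report` types and the `folder_token` idea are assumptions of this example. It shows why a delete can fail with "the source file may be in use": a file that a listed running process has loaded is locked, and any autostart entry still pointing at the folder would reload it on the next boot.

```python
"""Parse HijackThis v1.99-style log text and pick out entries by name or path.

Added example for this thread, not HijackThis's own code. The two logs below are
constructed from entries quoted in the thread so the example runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed "before" log: AVG autostarts present and one AVG process running.
SAMPLE_LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Constructed "after" log: the AVG entries and process are gone.
SAMPLE_LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                  # "O4 - HKLM\..\Run: [Name] cmd"
O4_NAME_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")  # value name inside [...]


@dataclass(frozen=True)
class Entry:
    section: str          # HJT section code: R0, O2, O4, O23, ...
    body: str             # everything after "O4 - "
    name: Optional[str]   # registry value name for O4 entries, else None


@dataclass
class Report:
    processes: List[str]
    entries: List[Entry]


def parse_hjt_log(text: str) -> Report:
    """Split a log into the running-process list and the coded entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            section, body = m.groups()
            name = None
            if section == "O4":
                nm = O4_NAME_RE.search(body)
                if nm:
                    name = nm.group("name")
            entries.append(Entry(section, body, name))
        elif in_processes:
            processes.append(line)
        # header lines such as "Logfile of ..." and "Platform: ..." are ignored
    return Report(processes, entries)


def select_o4_by_name(report: Report, names: Set[str]) -> List[Entry]:
    """The 'place a check mark beside these items' step, keyed by O4 value name."""
    wanted = {n.lower() for n in names}
    return [e for e in report.entries
            if e.section == "O4" and e.name and e.name.lower() in wanted]


def references_to_folder(report: Report, folder_token: str) -> Dict[str, List[str]]:
    """Processes and entries still pointing under a folder (e.g. 'Grisoft').

    A running process listed here holds its image open, which is what produces
    'the source file may be in use'; an autostart listed here would reload it.
    """
    tok = folder_token.lower()
    return {
        "processes": [p for p in report.processes if tok in p.lower()],
        "autostarts": [e.body for e in report.entries if tok in e.body.lower()],
    }


def diff_entries(before: Report, after: Report) -> Dict[str, List[str]]:
    """What disappeared and what is new between two logs of the same machine."""
    old = {e.body for e in before.entries}
    new = {e.body for e in after.entries}
    return {"removed": sorted(old - new), "added": sorted(new - old)}


if __name__ == "__main__":
    before = parse_hjt_log(SAMPLE_LOG_BEFORE)
    after = parse_hjt_log(SAMPLE_LOG_AFTER)
    for e in select_o4_by_name(before, {"AVG7_CC", "AVG7_EMC"}):
        print("fix:", e.section, "-", e.body)
    print(references_to_folder(before, "Grisoft"))
    print(diff_entries(before, after))
```

Run it on a real log by reading the file into `parse_hjt_log`; `references_to_folder` is the check to run before attempting a folder delete, and `diff_entries` is the "post a new log so we can see how it looks now" comparison done without eyeballing the whole list.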

#33
Trevuren
    Old Dog

  • Retired Staff
  • 18,699 posts
Please try going into Safe Mode, do a Search for that file, right click on it and make sure that no attributes are checked off, then try to delete it.

By all means, delete whatever you can at this point.


Trevuren

#34
townangel

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi Trevuren,

I'm not sure what you meant by "make sure that no attributes are checked off." How would I look for that? I'm going to go delete all I can and check back here later. Thanks!

#35
Trevuren
    Old Dog

  • Retired Staff
  • 18,699 posts
1. You right click on the file and from there a mini window opens.

2. Choose "Properties"

3. Check to make sure that none of the three little boxes at the bottom of that mini window are checked.


Regards,

Trevuren


#36
townangel

    Member

  • Topic Starter
  • Member
  • 17 posts
Here's the latest, Trevuren,

I went into safe mode again and deleted all the AVG files except that one .dll that wouldn't budge. Under properties, the archive box was checkmarked, which I unchecked, but that didn't help.

I downloaded AVG free again and installation seemed to be going great until the very end. Got two error messages that I won't bother to post, because I rebooted and attempted the installation again, this time checking custom installation. It worked!!! Yeehaw - AVG is running once again! :tazz:

The Ewido scan I ran last night was still all clear, too.

Now should I even concern myself with ZoneAlarm's issues or just call it a month? lol

Thanks, T, you're super!

#37
Trevuren
    Old Dog

  • Retired Staff
  • 18,699 posts
It has been such a long saga that I no longer remember what your issues were with ZoneAlarm. Please refresh my memory.


Trevuren

#38
Trevuren
    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.