Help me remove: Win32:Trojan-gen. {Other} rdriv.sys

Posted 11/11/2005 1:45 PM
#22916
thepossessed Member
Date Joined Nov 2016
Total Posts: 6

Hello! Please help me remove Win32:Trojan-gen. {Other} rdriv.sys

I've tried deleting this file using Avast and Ewido, but it still comes back! Below is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:44:07 PM, on 11/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\eraseme_84014.exe
C:\WINDOWS\ntsys32.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: NTsystem (System) - Unknown owner - C:\WINDOWS\ntsys32.exe

Posted 11/11/2005 2:05 PM
#22919
thepossessed Member

TOUCH, please help! :(

Below is the Ewido logfile. Ewido can't detect the trojan in rdriv.sys, but Avast keeps popping up alerts about the trojan and can't delete the file.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:03:17 PM, 11/11/2005
+ Report-Checksum: EE285781

+ Scan result:

:mozilla.22:C:\Documents and Settings\princeton.chu\Application Data\Mozilla\Firefox\Profiles\tkccx83m.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\princeton.chu\Application Data\Mozilla\Firefox\Profiles\tkccx83m.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.29:C:\Documents and Settings\princeton.chu\Application Data\Mozilla\Firefox\Profiles\tkccx83m.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup


::Report End

Posted 11/11/2005 2:17 PM
#22922
Touch Advanced member
Date Joined Nov 2016
Total Posts: 12976

Hi :smile:

Download this scanner: mwav

Download this scanner: Download

Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
If you begin tapping the F8 key too soon, some computers display a "keyboard error" message.
To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe Mode.

CleanUp! is a quick and easy way to delete temporary files from your system. Simply deleting these temp files may clear some infections, and will make running the following scans faster.
Click on the button labeled CleanUp!.
When it finishes it will prompt you to restart Windows. There will be one or two files it cannot delete while Windows is running; however, they will be deleted the next time Windows starts up.

Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "Start the express scan now".

It will first make a quick scan of your system; let it clean what it finds, and when it says "done":

Click on the green screwdriver.

Actions tab: Adware, Dialers, Riskware, Hacktools. Use the dropdown menu and select Delete.

Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

Run the mwav scanner:
Put a checkmark in:

Memory, Startup folders, Drive, Registry, System folders and Services.
And:
All local drives and Scan all files.
Push the Scan button.
This scan can take quite a while to run with many applications installed.

Reboot normally and download this version of HijackThis:
HijackThis

Post a new log and tell how things are running.

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 11/11/2005 3:08 PM
#22925
thepossessed Member

Hello Touch,

Thanks for your prompt response! I've done all the steps and rebooted normally. I think it's getting better! I haven't received any virus alerts anymore, but I'm still posting the HJT log file. Here it is:


Logfile of HijackThis v1.99.1
Scan saved at 11:06:27 PM, on 11/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: NTsystem (System) - Unknown owner - C:\WINDOWS\ntsys32.exe (file missing)

Posted 11/11/2005 4:15 PM
#22933
Touch Advanced member

Sounds good :smilewinkgrin:

Go to Start -> Run and type "Services.msc" (without quotes), then hit OK.

Scroll down and find the service called: NTsystem (System)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK, and close any open windows.

Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT.
Click Fix checked.

O23 - Service: NTsystem (System) - Unknown owner - C:\WINDOWS\ntsys32.exe (file missing)

Reboot, and you have a clean log.

I suggest you install these:

SpywareBlaster
and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.

SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.
And unlike other programs, SpywareBlaster does not have to remain running in the background.

SpywareGuard
SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

IE-SPYAD
IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC.

Visit Microsoft and check for Critical Security Updates:
Microsoft Update

If you have any questions or comments, post back. Otherwise -

Happy Surfing :smile:




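Touch's fix above rests on reading the O23 lines for a service with no recorded publisher whose binary sits outside the usual locations and is reported missing. As an added example that is not part of the thread, the following Python parses HijackThis O23 lines and ranks them by such signs; the trusted-directory list and the reasons it reports are assumptions made for the example, not HijackThis rules.

```python
import re

# One HijackThis O23 (service) line, e.g. the entry fixed in this thread:
# O23 - Service: NTsystem (System) - Unknown owner - C:\WINDOWS\ntsys32.exe (file missing)
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>[A-Za-z]:\\.*?\.exe)(?P<rest>.*)$", re.IGNORECASE)

# Where a service binary is normally expected (an assumption made for this example,
# not a HijackThis rule; extend it for your own environment).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def parse_o23(line):
    """Parse one O23 line into a dict; any other line yields None."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {"display": m["display"], "owner": m["owner"], "path": m["path"],
            "missing": "(file missing)" in m["rest"].lower()}

def assess(svc):
    """Reasons an entry deserves a closer look; an empty list means nothing odd."""
    reasons = []
    if svc["owner"].lower() == "unknown owner":
        reasons.append("no publisher recorded")
    if svc["missing"]:
        reasons.append("binary missing on disk")
    if not svc["path"].lower().startswith(TRUSTED_DIRS):
        reasons.append("binary outside trusted directories")
    return reasons

def triage(log_text):
    """Rank every O23 entry as (display name, path, reasons), most suspicious first."""
    ranked = [(s["display"], s["path"], assess(s))
              for s in map(parse_o23, log_text.splitlines()) if s]
    return sorted(ranked, key=lambda r: len(r[2]), reverse=True)

# Constructed sample: O23 lines taken from the second log posted in this thread.
SAMPLE_LOG = """\
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\\Program Files\\ewido\\security suite\\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: NTsystem (System) - Unknown owner - C:\\WINDOWS\\ntsys32.exe (file missing)
"""

if __name__ == "__main__":
    for display, path, reasons in triage(SAMPLE_LOG):
        print(f"{display}: {path} -> {', '.join(reasons) or 'nothing odd'}")
```

Only the NTsystem entry trips all three checks; the avast mail scanner's missing file sits in a vendor directory and is the stale install the later log shows running again.
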
Posted 11/12/2005 1:48 AM
#22965
thepossessed Member

Thanks Touch! I've installed the programs as you suggested.

Posted 11/12/2005 7:23 AM
#22975
Touch Advanced member

My pleasure :smile:




Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please PM a Moderator and we will reopen it for you.





