Old 08-22-2005, 05:23 AM   #1 (permalink)
rapid
Registered User
 
Join Date: Aug 2005
Posts: 3
OS: xp


NTRootKit-J (rdriv.sys)

Hello, I'm currently trying to clear out the above trojan without much luck. Sadly our ePolicy server went down, leaving the front door open for sdbot. sdbot was picked up and removed by McAfee, as was rdriv.sys, but this is not true as it is still on the system.

I'm not too clued up when it comes to AV/spyware. Looking at the log, I think svchost.exe is looking suspect; surely it shouldn't be "Unknown owner"?

Any help would be well appreciated. Thanks,
Ryan


HJT log (HJT Analyzer used), Results.txt:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:09:32, on 22/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Vision\vservice.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\WINNT\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://10.100.5.40/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.20.3:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: HCVS Intranet Home Page.url
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} (KClient.ActiveX.1) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124466865134
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hcuk.pri
O17 - HKLM\System\CCS\Services\Tcpip\..\{83455A16-BA9E-414C-8D57-F2C98BBC9CE9}: NameServer = 10.100.3.47,10.100.3.48
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hcuk.pri
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hcuk.pri
O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\Program Files\OnePointDomainAgent\DCTAgentService.exe (file missing)
O23 - Service: Windows Kernel - Unknown owner - C:\WINNT\svchost.exe


End of KRC HijackThis Analyzer Log.
====================================================================
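As an added example (not part of the original post and not HijackThis's own tooling), the following Python triage script parses O23 service lines in the HijackThis format used in the log above and flags the three things worth checking in such a log: an "Unknown owner" entry, a binary reported as missing, and a core Windows executable name such as svchost.exe living outside %SystemRoot%\System32 (the genuine one is only ever loaded from there). The sample lines are constructed to mirror the log; the binary list and finding labels are my own choices.

```python
import re

# Constructed sample O23 lines, mirroring the entries in the log above.
SAMPLE_O23 = [
    r"O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe",
    r"O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\Program Files\OnePointDomainAgent\DCTAgentService.exe (file missing)",
    r"O23 - Service: Windows Kernel - Unknown owner - C:\WINNT\svchost.exe",
]

# Core Windows binaries that belong only in %SystemRoot%\System32 (NT 5.x era names).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")

# HijackThis O23 layout: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

UNKNOWN_OWNER = "unknown owner (no vendor/signer information)"
FILE_MISSING = "binary missing on disk (stale entry or hidden file)"
OUT_OF_PLACE = "{} outside %SystemRoot%\\System32"


def assess_service(line):
    """Parse one O23 line; return (service_name, [findings]) or None if not an O23 entry."""
    m = O23_RE.match(line)
    if m is None:
        return None
    findings = []
    path = m.group("path").strip().strip('"').lower()
    exe = path.rsplit("\\", 1)[-1]          # basename of the service binary
    if m.group("owner") == "Unknown owner":
        findings.append(UNKNOWN_OWNER)
    if m.group("missing"):
        findings.append(FILE_MISSING)
    if exe in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        findings.append(OUT_OF_PLACE.format(exe))
    return m.group("name"), findings


def suspicious_services(lines):
    """Map service name -> findings for every O23 entry that raised at least one flag."""
    flagged = {}
    for line in lines:
        result = assess_service(line)
        if result and result[1]:
            flagged[result[0]] = result[1]
    return flagged


if __name__ == "__main__":
    for name, findings in suspicious_services(SAMPLE_O23).items():
        print(f"{name}: {'; '.join(findings)}")
```

A hit on the out-of-place check is a reason to compare the file's hash and size against the copy in System32 and to pull the service's ImagePath from the registry before deleting anything.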