08-23-2005, 03:55 AM   #3
rapid
Registered User
 
Join Date: Aug 2005
Posts: 3
OS: xp


Thanks for your reply sUBs.

I have followed your instructions and it appears to have worked. I have rebooted into normal mode and run HJT; this no longer lists the windows kernel / svchost.exe service, and I am yet to have any McAfee popups regarding rdriv.sys.

One thing that did concern me was the rdriv remover; for some reason it couldn't find anything?

rdriv log below:

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

Below are the requested logs: -

HJT Results.txt: -

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 09:51:27, on 23/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\hjt\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://10.100.5.40/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.20.3:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: HCVS Intranet Home Page.url
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} (KClient.ActiveX.1) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124466865134
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hcuk.pri
O17 - HKLM\System\CCS\Services\Tcpip\..\{83455A16-BA9E-414C-8D57-F2C98BBC9CE9}: NameServer = 10.100.3.47,10.100.3.48
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hcuk.pri
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hcuk.pri
O23 - Service: ewido security suite control - ewido networks - C:\hjt\ewido\security suite\ewidoctrl.exe
O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\Program Files\OnePointDomainAgent\DCTAgentService.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================


ewido Scan report_20050823.txt

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 09:40:22, 23/08/2005
+ Report-Checksum: B6B7E3B

+ Scan result:

No infected objects found.


::Report End