rdriv.sys
I have a problem... every time I go online my antivirus detects a trojan in the file c:\windows\system32\rdriv.sys. Quarantining it doesn't help and deleting it doesn't either.... I ran a scan in HijackThis, here is the result
Logfile of HijackThis v1.99.1
Scan saved at 16:46:30, on 2005-10-22
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\PowerS.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\r2 studios\HideOE\HideOE.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\outlook express\msimn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WinBar\WinBar.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Shellscape\Kapsules\Kapsules.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Marek i Bożenka\Ustawienia lokalne\Temp\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400010&utm_content=leftnav&utm_source=efc&utm_medium=bund&utm_campaign=efc0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Marek i Bożenka
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Literki] "C:\Program Files\MATi\Literki\Literki.exe" "/autostart"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HideOE] "C:\Program Files\r2 studios\HideOE\HideOE.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Startup: IconPackager.lnk = ?
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Kapsules.lnk = C:\Program Files\Shellscape\Kapsules\Kapsules.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.51.123.131/activex/AxisCamControl.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp01.photoprintit.de/microsite/defaults/activex/IPSUploader.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8039E896-6AE7-4F99-AD02-4C055437DEC7}: NameServer = 194.204.152.34,194.204.159.1
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Wirtualna Polska\wpkontakt\url_wpmsg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Update - Unknown owner - C:\WINDOWS\system32\winupdmon.exe
Replies: 2
Thanks, the file is gone and hasn't come back (I hope it stays that way) :D
Download rdrivRem.
Boot into the Recovery Console and type:
disable rdriv
cd %systemroot%\system32
attrib -r -s -h rdriv.sys
del rdriv.sys
Now switch to Safe Mode and run the .bat file from the archive you downloaded and unpacked earlier.
To remove:
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O23 - Service: Windows Update - Unknown owner - C:\WINDOWS\system32\winupdmon.exe
The last service is rdriv's own, so if the fix doesn't kill it, do it manually.
Empty the temp folder.
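The reply picks two entries out of the log on two grounds: an autorun whose binary lives in a temp directory, and a service whose display name copies a built-in Windows service but whose image is not the one that service normally runs from. The following is an added example, not code from this thread or from HijackThis, that applies those two checks to O4 and O23 lines in the format shown above. The map of built-in service names to their expected host image and the list of temp-directory patterns are assumptions of the example (the map holds only the one entry needed here: on Windows XP the real Windows Update service, wuauserv, runs inside svchost.exe); the sample lines are copied from the log posted in this thread.

```python
"""Triage of HijackThis O4 (autorun) and O23 (service) lines.

Added example: applies the two checks used in the reply above to log lines.
EXPECTED_SERVICE_IMAGE and SUSPICIOUS_DIRS are assumptions of this example,
not HijackThis rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: display names of built-in Windows services and the host image
# they normally run from. On Windows XP "Windows Update" (wuauserv) is hosted
# by svchost.exe, so a service with that name pointing elsewhere is suspect.
EXPECTED_SERVICE_IMAGE: Dict[str, str] = {
    "windows update": "svchost.exe",
}

# Assumption: no legitimate autorun binary should live under these directories.
SUSPICIOUS_DIRS: Tuple[str, ...] = ("\\temp\\", "\\temporary internet files\\")

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|sys|dll)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # "O4" or "O23"
    name: str      # autorun value name or service display name
    path: str      # image path extracted from the entry
    reason: str
    line: str      # the normalised log line, i.e. the entry to tick in HijackThis


def normalise(line: str) -> str:
    """Web extraction often turns '-' into en dashes; put ASCII hyphens back."""
    return line.replace("\u2013", "-").replace("\u2014", "-").strip()


def image_path(cmd: str) -> str:
    """Pull the first drive-letter path to a binary out of a command string."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else cmd.strip('"').split()[0]


def check_autorun(name: str, cmd: str, line: str) -> Optional[Finding]:
    path = image_path(cmd)
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        return Finding("O4", name, path, "autorun binary lives in a temp directory", line)
    return None


def check_service(name: str, cmd: str, line: str) -> Optional[Finding]:
    path = image_path(cmd)
    expected = EXPECTED_SERVICE_IMAGE.get(name.lower())
    if expected and not path.lower().endswith("\\" + expected):
        return Finding("O23", name, path,
                       f"display name of a built-in service normally hosted by {expected}", line)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Return the O4/O23 entries that fail one of the two checks, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = normalise(raw)
        f = None
        if m := O4_RE.match(line):
            f = check_autorun(m["name"], m["cmd"], line)
        elif m := O23_RE.match(line):
            f = check_service(m["name"], m["cmd"], line)
        if f is not None:
            findings.append(f)
    return findings


# Sample input: a subset of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"',
    r'O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup',
    r'O4 - Startup: IconPackager.lnk = ?',
    r'O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe',
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r'O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe',
    r'O23 - Service: Windows Update - Unknown owner - C:\WINDOWS\system32\winupdmon.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.path}\n    {f.reason}\n    entry: {f.line}")
```

Run against the sample, the script reports exactly the two entries the reply lists (the Trickler autorun and the fake "Windows Update" service) and leaves the avast!, NVIDIA and ATI entries alone, even though those are also "Unknown owner". The service check deliberately keys on the display name rather than on "Unknown owner", because on this log most legitimate services report no owner as well; what gives the rogue entry away is a well-known name bound to an image that service never uses.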