rdriv.sys HELP!!!

By ge0rgei
Help, I can't remove rdriv.sys from a system. Any help on how I could remove it? This is my HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:29:27 PM, on 12/1/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\administrator\Desktop\rdrivRem\HijackThis.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\servstat32x.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165000383250
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java development Services - Unknown owner - C:\WINNT\servstat32x.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\System32\irdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe (file missing)

Step by step instructions would be helpful. Thanks in advance...
ge0rgei
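The replies below pick the suspicious entries out of this log by eye: the service with "Unknown owner" whose binary sits directly in C:\WINNT, the Winlogon Notify DLL given only by name, the services that point at files that are no longer on disk, and a "winlogon.exe" living in C:\WINNT\system instead of system32. The script that follows is an added example (not part of the thread, and not a HijackThis feature) that applies those same checks to a pasted log offline. The file names it treats as known bad (rdriv.sys, servstat32x.exe) are the ones named in this thread; the set of core binaries that only belong under system32 and the assumption that Windows lives in C:\WINNT or C:\WINDOWS are mine. The embedded log is a constructed excerpt of the one posted above.

```python
"""Offline triage of a HijackThis log: rank the entries a responder looks at first.

Added example, not part of the original thread or of HijackThis itself.
"""
import re
from typing import List, Tuple

# File names this thread identifies as the rootkit driver and its service binary.
NAMED_IN_THREAD = {"rdriv.sys", "servstat32x.exe"}
# Core binaries that only ever live under \system32\ ; a copy elsewhere is a lookalike.
SYSTEM32_ONLY = {"winlogon.exe", "smss.exe", "csrss.exe", "lsass.exe", "services.exe"}
# Assumption: Windows is installed on C: as WINNT (2000) or WINDOWS (XP/2003).
WINDOWS_ROOTS = {"c:\\winnt", "c:\\windows"}

PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys))\b', re.IGNORECASE)
ENTRY_RE = re.compile(r"^O\d+ - ")

Finding = Tuple[str, str, str]  # (severity, log line, reason)

# Constructed excerpt of the log posted above (process list plus O20/O23 entries).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\servstat32x.exe

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Java development Services - Unknown owner - C:\WINNT\servstat32x.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\System32\irdvxc.exe" /service (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe (file missing)
"""


def check_path(path: str, entry: str) -> List[Finding]:
    """At most one finding per path, most specific reason first."""
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    if name in NAMED_IN_THREAD:
        return [("high", entry, f"{name} is named in this thread as part of the rdriv rootkit")]
    if name in SYSTEM32_ONLY and "\\system32\\" not in low:
        return [("high", entry, f"{name} outside \\system32\\ is a lookalike of a core binary")]
    if parent in WINDOWS_ROOTS and name != "explorer.exe":
        return [("medium", entry, f"{name} sits directly in the Windows root, not a normal install location")]
    return []


def check_entry(line: str) -> List[Finding]:
    """Checks for O-numbered entries (O20 Winlogon Notify, O23 services, ...)."""
    findings: List[Finding] = []
    kind = line[:3]
    if "(file missing)" in line:
        findings.append(("medium", line, "autostart points at a file that is no longer on disk"))
    if kind == "O23" and "Unknown owner" in line:
        findings.append(("medium", line, "service binary carries no publisher information"))
    match = PATH_RE.search(line)
    if kind == "O20" and match is None:
        findings.append(("high", line, "Winlogon Notify DLL given by bare name, resolved via the search path"))
    if match:
        findings.extend(check_path(match.group(1), line))
    return findings


def triage(log: str) -> List[Finding]:
    """Walk the log once: process paths after 'Running processes:', then O-entries."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False
            findings.extend(check_entry(line))
        elif in_processes:
            findings.extend(check_path(line, line))
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts: dict = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, entry, reason in sorted(triage(SAMPLE_LOG), key=lambda f: f[0] != "high"):
        print(f"[{severity:6}] {reason}\n         {entry}")
```

Run it against the full log above and the four "high" hits are exactly the items the replies act on; the "Unknown owner" Remote Administrator service is flagged medium because a missing publisher string is a reason to verify the binary, not proof on its own.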

All Answers

RE: rdriv.sys HELP!!!

by BudhaScott In reply to rdriv.sys HELP!!!

rdriv.sys is part of a rootkit. Sysinternals' RootkitRevealer might help; find it at:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

I also see you have "servstat32x.exe" -- that's quite possibly malware, too -- I don't think it's any legit portion of Java.

Last, but not least, you could put the drive into another VIRUS/TROJAN-free computer as a slave drive (D:), and use the other computer's clean OS to remove the bad stuff from the infected drive.

Good luck!
-Scott

Servstat32x / RDRIV.sys removal

by Chaosrob In reply to RE: rdriv.sys HELP!!!

I too had an issue with all this. I was able to remove it (time and time again) from our servers and PCs. First you need to do a REGEDIT and find "Java deve" (yes, it's truncated). You'll find the key as "Java development Services" and you will see "SERVSTAT32X.EXE" in the right pane. That whole KEY can go, not just the line with SERVSTAT in it. You should back up your REGISTRY before attempting any REGEDITs. You'll find this entry twice. After they are both gone, go to the top of the REG and search on "SERVSTAT32X". If it's in LEGACY_Java...., then you'll need to do a REGEDT32, find the entries again, set PERMISSIONS for EVERYONE to FULL and allow INHERITED, then you can delete that key as well.

Do a REG search for RDRIV.SYS (not RDRIV, that'll find the wrong things) and remove the RDRIV key that has RDRIV.SYS in it. Go to SERVICES and set the properties on "Java development Services" to DISABLED.

Reboot and go into SAFE MODE. Open a CMD prompt and get into your WINNT-or-WINDOWS folder. Do a DIR /a /od. This will show all files in oldest-to-newest order. You should see "SERVSTAT32X.EXE". Then type ATTRIB -a -s -h -r SERVSTAT32X.EXE (hit enter), then type DELETE SERVSTAT32X*.* /p - this will prompt you y/n to delete it. Then CD SYSTEM32. Do a DIR /a /od. Look at the last files and you might see files called ERASEME######.EXE (#### will all be different) and delete all of them. That is where you'll find RDRIV.SYS; delete it. Delete any file that's new like "i" or "o"; they will have no extensions. (It might be in the DRIVERS folder, I forget.)

After that, you should be good to get your machine back in running shape. Get the latest update for whatever VIRUS software you have or go to TRENDMICRO.COM and use HOUSECALL. Good luck.

windows 2003 server erorr

by mthiruvangadam In reply to rdriv.sys HELP!!!

When I am booting my Server 2003 it's showing a blue screen error as rdriv.sys, and it says to press F8 and go to safe mode and uninstall the software or hardware which was installed last, but I have not installed anything. I am unable to log in, please help me.

please read

by jamesatmaisonverre In reply to rdriv.sys HELP!!!

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

Click OK.

In the Registry Editor, navigate to the following subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE

In the right pane, delete any values that refer to the file names that were detected.

Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger

In the right pane, reset the original value, if known:

"Start" = "4"

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

In the right pane, reset the original value, if known:

"restrictanonymous" = "1"

Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

In the right pane, reset the original values, if known:

"AutoShareWks" = "0"
"AutoShareServer" = "0"

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

In the right pane, reset the original value, if known:

"DoNotAllowXPSP2" = "1"

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

In the right pane, reset the original value, if known:

"EnableDCOM" = "N"

Navigate to and delete the following subkeys, if present:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV

Exit the Registry Editor.


5. To delete the zero-byte files from the Startup folder
Follow the instructions for your version of Windows:

Note: There may be legitimate files on your system that start with "tftp." Delete only the zero-byte files from the Startup folder.

To delete zero-byte files in Windows 95/98/Me/NT/2000
On the Windows taskbar, click Start > Find (or Search) > Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
In the "Named" or "Search for..." box, type, or copy and paste, the following file name:

tftp*.*


Click Find Now or Search Now.
Delete the files that are zero bytes in size and contained within any folder whose name ends with "Startup."

To delete zero-byte files in Windows XP
On the Windows taskbar, click Start > Search.
Click All files and folders.
In the "All or part of the file name" box, type, or copy and paste, the following file name:

tftp*.*


Make sure that "Look in" is set to "Local Hard Drives" or to (C:).
Click More advanced options.
Check Search system folders.
Check Search subfolders.
Click Search.
Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup."

6. To reenable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.

Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:

Click Start > Control Panel.
Double-click the Security Center.
Ensure that the Firewall security essential is marked ON.

Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.

If the Firewall security essential is not marked on, click the "Recommendations" button.
Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.
Click Close, and then click OK.
Close the Security Center.

Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:

Click Start > Run.
Type services.msc
Then click OK.

Do one of the following:

Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
Windows XP: Under the Name column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.

Under "Startup Type:", select "Automatic" from the drop-down menu.
Under "Service Status:", click the Start button.
Once the service has completed starting, click OK.
Close the Services window.
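Two of the file-system steps in this thread are easy to get wrong by hand: step 5 above says to delete only the zero-byte tftp* files, and only those inside a folder whose name ends in "Startup" (a real tftp.exe in system32, or a non-empty file that happens to start with "tftp", must stay), and Chaosrob's reply relies on DIR /a /od to spot the newest files in WINNT and SYSTEM32. The script below is an added example, not from the thread or from Symantec, that implements both rules as functions you can point at a drive mounted as a slave (as the first reply suggests) or at the live system. The directory layout it builds in a temp folder is constructed for the demonstration; the file names in it (tftp1234, tftp5678.exe, tftp9999, tftp_notes.txt) are invented stand-ins, not indicators from the thread.

```python
"""Clean-up helpers for the file-system steps above (added example, not from the thread).

zero_byte_tftp_in_startup() applies the step-5 rule literally: a file qualifies only
if its name starts with "tftp", it is zero bytes long, and its folder name ends with
"Startup". newest_files() is the DIR /a /od look at one folder, returned newest first.
"""
import os
import tempfile
from typing import List


def zero_byte_tftp_in_startup(root: str) -> List[str]:
    """Full paths of zero-byte tftp* files under any folder named ...Startup."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        if not os.path.basename(dirpath).lower().endswith("startup"):
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().startswith("tftp") and os.path.getsize(full) == 0:
                hits.append(full)
    return sorted(hits)


def delete_files(paths: List[str]) -> List[str]:
    """Delete the listed files, re-checking the zero-byte condition right before unlink."""
    removed: List[str] = []
    for path in paths:
        if os.path.isfile(path) and os.path.getsize(path) == 0:
            os.remove(path)
            removed.append(path)
    return removed


def newest_files(folder: str, count: int = 5) -> List[str]:
    """Names of the `count` most recently modified files in one folder, newest first."""
    entries = [e for e in os.scandir(folder) if e.is_file()]
    entries.sort(key=lambda e: e.stat().st_mtime, reverse=True)
    return [e.name for e in entries[:count]]


def all_file_names(root: str) -> List[str]:
    """Sorted names of every file under root (used to verify what was left alone)."""
    return sorted(name for _, _, files in os.walk(root) for name in files)


def build_sample_tree() -> str:
    """Constructed stand-in for the infected C: drive, created in a temp directory."""
    root = tempfile.mkdtemp(prefix="w2k_")
    startup = os.path.join(root, "Documents and Settings", "All Users",
                           "Start Menu", "Programs", "Startup")
    system32 = os.path.join(root, "WINNT", "system32")
    os.makedirs(startup)
    os.makedirs(system32)

    def put(folder: str, name: str, data: bytes, mtime: int) -> None:
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))  # deterministic order for newest_files()

    put(startup, "tftp1234", b"", 1_000)                   # zero-byte leftover in Startup: delete
    put(startup, "tftp5678.exe", b"", 1_100)               # same: delete
    put(startup, "tftp_notes.txt", b"keep", 1_200)         # tftp prefix but not empty: keep
    put(system32, "tftp.exe", b"MZ legit client", 1_300)   # real client, not in Startup: keep
    put(system32, "tftp9999", b"", 1_400)                  # empty but outside Startup: rule does not apply
    return root


if __name__ == "__main__":
    drive = build_sample_tree()
    targets = zero_byte_tftp_in_startup(drive)
    print("would delete:", targets)
    print("newest in system32:", newest_files(os.path.join(drive, "WINNT", "system32")))
    print("deleted:", delete_files(targets))
```

To use it on a real drive, replace `build_sample_tree()` with the mount point (for example `D:\` when the infected disk is slaved into a clean machine) and review the list from `zero_byte_tftp_in_startup()` before calling `delete_files()`.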
