Infected by rdriv.sys virus/trojan

system · July 9, 2005, 11:08pm

hi

ive already run adaware and avast, only avast get rid of the rdriv.sys, but every 2 min, the virus keeps comming, i cant clean it… what can i do??? this is my hijackthis log file… sorry if theres a problem, its in spanish

Logfile of HijackThis v1.99.0
Scan saved at 06:06:28 p.m., on 09/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Antivirus\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Antivirus\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\upnpdrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\ARCHIV~1\ANTIVI~1\Avast4\ashDisp.exe
C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Java\j2re1.4.2_08\bin\jusched.exe
C:\Archivos de programa\Utilidades\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqgalry.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\Archivos de programa\Antivirus\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kcdnr.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kcdnr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kcdnr.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kcdnr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = new-search.net;x-google.net
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [avast!] C:\ARCHIV~1\ANTIVI~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Archivos de programa\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [®Windows Update] svchosts.exe
O4 - HKLM..\Run: [HP Component Manager] “C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM..\Run: [HP Software Update] “C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe”
O4 - HKLM..\Run: [mfcqb32.exe] C:\WINDOWS\mfcqb32.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM..\Run: [Zone Labs Client] C:\Archivos de programa\Utilidades\ZoneAlarm\zlclient.exe
O4 - HKCU..\Run: [®Windows Update] svchosts.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicio rápido de HP Image Zone.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Download with GetRight - C:\Archivos de programa\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Archivos de programa\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Archivos de programa\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Adobe LM Service - Unknown - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Archivos de programa\Antivirus\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Archivos de programa\Antivirus\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast4\ashWebSv.exe
O23 - Service: Dabuhw - Creative Technology Ltd. - (no file)
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: WIN32 - Unknown - C:\WINDOWS\image.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Universal Plug and Play device driver - Unknown - C:\WINDOWS\System32\upnpdrv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

DavidR · July 9, 2005, 11:25pm

Your version of HijackThis is not the latest.
You need to visit windows update and bring your OS up to date.
The same for IE

There is lots of nasty and unknown stuff that you will need to check out using google, etc.
Here is an on-line analysis of your log file (available for 3 days) http://hijackthis.de/logfiles/91cd46e3a8fa3982ad7371d5af8b4aec.html ignore any 023 reference to avast!, this is a hiccup with HJT.

Seeing as to how out of date your OS and Browser are you have vulnerabilities that have been patched not to mention increased security functions, you need to urgently update them and probably AdAware signatures also.

If you haven’t already got this software (freeware), download, install, update and run it.

system · July 10, 2005, 3:39am

hi

i got all the programs you list (and uploaded my OS) and ive, scanned my pc in safe mode with avast, spybot, ad-aware, blaster and finally hijackthis… but the file is still comming back in avast… it says:

Filename: C:\WINDOWS\system32\rdriv.sys
malware: Win32:Trojan-gen. {Other}
Virus/Worm
VPS Version: 0527-2, 08/07/2005

i checked my Hijackthis log file, fixed it… but there still some lines returning (in bold)

Logfile of HijackThis v1.99.1
Scan saved at 10:37:02 p.m., on 09/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Antivirus\Avast4\aswUpdSv.exe
C:\Archivos de programa\Antivirus\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\ARCHIV~1\ANTIVI~1\Avast4\ashDisp.exe
C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Java\j2re1.4.2_08\bin\jusched.exe
C:\Archivos de programa\Utilidades\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqgalry.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Antivirus\Avast4\ashMaiSv.exe
C:\Archivos de programa\Antivirus\Avast4\ashWebSv.exe
C:\Archivos de programa\Antivirus\Avast4\ashSimpl.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Antivirus\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Antivirus\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [avast!] C:\ARCHIV~1\ANTIVI~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Archivos de programa\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [®Windows Update] svchosts.exe
O4 - HKLM..\Run: [HP Component Manager] “C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM..\Run: [HP Software Update] “C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM..\Run: [Zone Labs Client] C:\Archivos de programa\Utilidades\ZoneAlarm\zlclient.exe
O4 - HKCU..\Run: [®Windows Update] svchosts.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Archivos de programa\Messenger\MSMSGS.EXE” /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicio rápido de HP Image Zone.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Download with GetRight - C:\Archivos de programa\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Archivos de programa\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120954143593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Archivos de programa\Antivirus\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Archivos de programa\Antivirus\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Antivirus\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Antivirus\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Dabuhw - Creative Technology Ltd. - (no file)
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Eddy · July 10, 2005, 3:46am

Did you disable system restore before using those applications?

system · July 10, 2005, 3:58am

i dont know how to do that… im not good at all with this kind of situations

Eddy · July 10, 2005, 4:30am

Read HERE on how to do it.

FreewheelinFrank · July 10, 2005, 8:07am

rdriv.sys is a rootkit, possibly the FU rootkit. This is why it keeps coming back.

http://www.dslreports.com/forum/remark,13287635~mode=flat~days=9999~start=60

Does this program detect the rootkit?

http://www.greatis.com/unhackme/

(The FU rootkit is not detected by BlackLight or Rootkit Revealer.)

Run HijackThis! again and tick these entries then click ‘fix’.

O4 - HKLM..\Run: [®Windows Update] svchosts.exe

O4 - HKCU..\Run: [®Windows Update] svchosts.exe

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe (file missing)

Boot into safe mode search for any instances of the file svchosts.exe and delete because it is malware:

http://www.liutilities.com/products/wintaskspro/processlibrary/svchosts/

If this fails, try these removal tools:

http://www.sophos.com/support/disinfection/sdbot.html

http://www.f-secure.com/download-purchase/tools.shtml

http://vil.nai.com/vil/stinger/

You will also need to update XP to SP2 which is much more secure, but you need to ensure your computer is clean first.

system · July 10, 2005, 9:05pm

hi

well, i ran unhackme and was unable to find any problem, the same with sophos and stinger… avast continued to popup the virus window…

now i have replaced the rdriv.sys file with another created by me completely blank, i dont know if the problem is fixed but avast dont popup the virus warning anymore…

can i leave things this way or whats the next thing to try?

hijackthis doesnt fix this 2 lines:

O15 - Trusted Zone: *.frame.crazywinnings.com

O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe (file missing)

FreewheelinFrank · July 10, 2005, 9:24pm

his may help with crazywinnings:

http://www.daniweb.com/techtalkforums/post132794-4.html

For the O23 entry, try this:

Delete it using XP's SC command you would type the following from a command prompt:
sc delete servicename

http://www.bleepingcomputer.com/forums/tutorial42.html#O23Diag

command prompt: Start>Run>CMD

system · July 15, 2005, 4:31pm

The reason you are having trouble removing this virus is because Avast is not detecting the actual virus. rdriv.sys is just part of it.

We have this virus, and I have been able to remove it manually.

The actual virus is
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe

If you check your services you will see a service named Win32. You cannot stop the services, but if you open it up, you can set the service to disabled on start up.
Reboot
Now delete image.exe and the rdriv.sys files.
Edit the registry and remove the “image” service from CurrentControlSet/Services and ControlSet001/Services

Reboot and you should be good for it actually running. The image.exe appears to be a variant of SDBOT, so it does some of the standard SDbot stuff as well. Here is a list of changes we have seen it do:

Disables Notifications in Security Center
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] “AntiVirusDisableNotify”=1 “FirewallDisableNotify”=1 “UpdatesDisableNotify”=1 “AntiVirusOverride”=1 “FirewallOverride”=1

It changes the registry as follow to inactivate automatic update function.
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU] “AUOption”=1 “NoAutoUpdate”=1

It changes the configuration of remote support.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole] “EnableDcom”=N -Inactivate DCOM(Distributed Component Object Model) service.

It interrupts WinXp Service Pack 2 installation.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window\WindowsUpdate] “DoNotAllow XPSP2”=1

It interrupts the following services.
MS security center [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc] “start”=dword:00000004
telnet [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr] “Type”=10 “Start”=4 “ErrorControl”=1 “ImagePath”=“%system%\tlntsvr.exe” “DisplayName”=“Telnet” “DependOnService”=RPCSS,TCPIP,NTLMSSP “ObjectName”=“LocalSystem” “Description”=“A remote user can execute a program with logon, UNIX and support various TCP/IP telnet client including Windows base computer. If this service is stop, the remote user cannot access to the program, if this service becomes inactivated, the other services that depends upon this service can not be started.”
remote Registry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry] “Description”=“A remote user can configure the registry. If the service is stopped, only the user of this computer can modify the registry. If the service settings becomes inactivated, all related services cannot be used.” “DependOnService”=“RPCSS” “DisplayName”=“Remote Registry” “ErrorControl”=1 “ImagePath”=“%system%svchost.exe -k LocalService “ObjectName”=“NT AUTHORITY\LocalService” “Group”=”" “Start”=4 “Type”=20 “FailureActions”="If failed, does not work. "

Changes IE’s security by changing the following regsistry keys.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones=> 0 : My computer => 1 : Local intranet => 2 : Reliable site => 3 : Internet => 4 : Restricted site It changes the value of 0,1,2,3,4 keys that are sub key of above zone.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 “1004”=0 “1201”=0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 “1004”=0 “1201”=0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 “1004”=0 “1201”=0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 “1004”=0 “1201”=0 “1406”=0 “1A04”=0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 “1004”=0 “1201”=0 “1001”=0 “1200”=0 “1400”=0 “1606”=0 “1607”=0
Each values has dword:00000000 value, and has the following meaning:
“1004”=0 : Unregistered ActiveX Control download allowance
“1200”=0 : ActiveX Control and Plug in execution allowance
“1201”=0 : Initialize unsafe ActiveX control and script allowance
“1400”=0 : Active script allowance
“1406”=0 : Data source access allowance
“1606”=0 : Allow user date saving
“1607”=0 : Allow sub domain search between domains
“1A04”=0 : Allow a client authentication for those who does not have authentication and only one authentication.

It adds the following registry into the service list to execute itself whenever Windows starts.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\image] “Type”=110 “Start”=2 “ErrorControl”=0 “ImagePath”=“systemroot%\image.exe” “DisplayName”=“Win32” “ObjectName”=“LocalSystem” “FailureActions”="If fialed, restart the service "

system · July 15, 2005, 4:32pm

Also, where can I submit the virus executable so that avast can get it into the definitions?

Thanks,
~Jake~

Eddy · July 15, 2005, 4:52pm

virus@avast.com

Infected by rdriv.sys virus/trojan

Announcements