rdriv.sys

My machine was rebooting unexpectedly. So I started the avast scanner, which found:
Rbot-akk on the file expl0rer.pif.

This one was apparently fixed by avast. But then, avast found a Troj-gen on driv.sys. When moving it to the chest, avast kept asking what to do with the file… I think because the trojan was installed as a service, so I had to reboot in safe mode and remove all occurrences in the registry. I found also entries with ssprotecter, which is bad.

The trojan is also known as TROJ_ROTKIT.E by Trend Micro.

Now, I am running the scanner again, not sure the machine is clean though.

I have: Win 2000 SP4, Avast 4.6, VPS 0540-3 6-10-2005.

No! Now avast says:
“The process cannot access the file because it is being used by another process”
D:\WINNT\system32\rdriv.sys

!!!

You have a rootkit running as a Windows service. You will have to disable the service before you can remove the malware. avast! cannot do this for you. Please see these threads:

http://forum.avast.com/index.php?topic=16580.0

http://forum.avast.com/index.php?topic=14618.0

I have done a reboot scan as described by one of your links, I have removed rdriv.sys with regedit… Nothing to do: it keeps coming back!!! Also another file under system32 is suspect:
msnmsdn.exe (registry name: MsnAutostart).

It will keep coming back unless you follow the instructions fully. Print out the threads so you can follow the relevant points step by step when you are off-line.

Start here because that is where the main actions start.
http://forum.avast.com/index.php?topic=16580.msg141543#msg141543

I read the thread. Tried:

  1. uninstalled rdriv in the device manager
  2. in safe mode manually deleted from system32
  3. in safe mode manually deleted from registry

It is still there. Also the TrendMicro online scan claims it has removed it, but it keeps coming back… :o :frowning: >:( What’s the bottom line here?

I don’t see any reference to having run HijackThis; these rootkits don’t just come as a single file, there are often other elements to ensure that it is restored.

The problem is the nature of rootkit infections: they are able to hide below system level to hide processes, which could in theory restore the file.
http://forum.avast.com/index.php?topic=16580.msg141670#msg141670

Have you done a Google search on rdriv.sys? There are lots of hits on it, and one that would appear relevant indicates “Added by the W32.Spybot.NLX worm. This is the rootkit element of this infection.” This exploits vulnerabilities long ago patched by MS, so you need to ensure your OS is updated.
http://www.bleepingcomputer.com/startups/rdriv.sys-8753.html
Follow that on to the information about the W32.Spybot.NLX worm.

Hi tachles,

This is a program to have a go at these rootkits,
download the full working evaluation version here:
http://greatis.com/unhackme/download.htm.

greets,

polonus

DavidR, I cannot post from the infected machine. Anyway, the first run of hijackthis found ‘svhosts’ which is known to be ‘undesirable’ by bleepingcomputer. It was not enough to remove it: the rootkit was still there… The next suspect entry looks like this:
O4 - HKLM..\RunServices: [MsnAutostart] msnmsdn.exe

But msnmsdn is not listed by bleepingcomputer.

Polonus, next step should be to go to greatis.

Thanks.

Hi tachles,

Are you sure you have the name right? Could it be MSNMSGR.EXE?

Even if the name is right, it’s almost certainly malware, as it doesn’t come up on Google, and an unknown service is highly suspect.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.KX&VSect=T

Could you post your full HijackThis! log? The O23 entries at the end are especially important. Then we can offer you better advice.

The name is msnmsdn.exe. There is only 1 hit with google on this name, and it’s an old page. I’m going to delete it now.

Here is the end of the log:
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Host Services - Unknown owner - D:\WINNT\svhosts.exe
O23 - Service: Iomega App Services - Unknown owner - D:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINNT\System32\mgabg.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated - D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - D:\Program Files\T-DSL SpeedManager\tsmsvc.exe

O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - D:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Drag'n'Drop_Autolaunch] D:\Program Files\Iomega HotBurn\Autolaunch.exe
O4 - HKLM..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [Jet Detection] D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM..\Run: [OpwareSE2] D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [MsnAutostart] msnmsdn.exe
O4 - HKLM..\RunServices: [MsnAutostart] msnmsdn.exe
O8 - Extra context menu item: &WordWeb… - res://D:\WINNT\wweb32.dll/lookup.html

I would fix this in HJT, it does backup stuff that it will remove so it can be restored (check and ensure this default action is still set).

O23 - Service: Host Services - Unknown owner - D:\WINNT\svhosts.exe

Are you running two AVs, as indicated by this entry? It often causes conflicts and doesn’t provide twice the protection.
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated - D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

The others you will have to check (ignore the entries for avast, obviously): are they programs that you have installed, or do they relate to hardware that you installed, etc.?

Assuming that you know the BHO iFinger then no problem?
Do you use the extra toolbar for windows media player?
You don’t really need Quicktime or winamp to start at boot-up; they will start automatically according to the file associations for them when you click on a media file link.

The two entries for msnmsdn.exe should be fixed in HJT, and the service will also need to be disabled. The fact that there is only one hit on Google is suspicious, as if it were anything to do with Microsoft MSN or MSDN there would be lots of hits. The single hit on Google isn’t old (22/9/2005); you can click “translate this page” to the right of the Google hit (not that there is much of use, but the Google translate is handy for the future).

Removed svhosts and msnmsdn, but rdriv.sys is still there!!!

I had disabled PC-Cillin, but apparently this does not stop the service. I’ll try to do more clean-up. iFinger is not a problem.

I am curious to solve this, but I think in this case it would be easier to reinstall w2k… this installation is pretty old.

If it is still there then you will have to repeat the exercise, once the other elements are removed that may stop it returning.

An fdisk, format and reinstall is likely to be the final option but that too is or can be a painful operation.

Have you tried the UnHackMe that Polonus gave the link for?
This is one of the only rootkit detectors that is able to actually remove rootkit infection; however, apparently it doesn’t take much modification to create another variant and avoid both detection and removal.

There is a removal tool/procedure for rdriv.sys

Please download the following programs, but do not run them yet:

  * rdrivRem.zip
    - Unzip it to your desktop.

  * Ewido Security Suite
    - Install ewido security suite
    - Launch ewido, there should be a big E icon on your desktop, double-click it.
    - The program will prompt you to update, click the OK button
    - The program will now go to the main screen
    - You will need to update ewido to the latest definition files.
    - On the left hand side of the main screen click update
    - Click on Start
    - The update will start and a progress bar will show the updates being installed
    - After the updates are installed exit Ewido.

Reboot your computer into Safe Mode.

Open the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it’s complete, rdriv.txt will be created in the rdrivRem folder.

Double-click the Ewido Security Suite icon to run the program.
  * Click on scanner
  * Click Complete System Scan
  * Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose “remove”, then put a check next to “Perform action on all infections” in the left corner of the box so you don’t have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  * Click Save report
  * Save the report to your desktop
  * Exit Ewido

Post back with the contents of rdriv.txt, the Ewido log and a new HijackThis log.

Nice one!

Could you tell us something about rdriv.sys and what rdrivRem does? (If it’s not a trade secret ;))

And also something about www.atribune.org? It looks like a useful site.

rdriv.sys is part of an SDBot/Esbot infection. Some of the commonly seen associated entries in a HJT log are below.

O23 - Service: iTunes Music Service (iTunesMusic) - Apple - C:\WINDOWS\iTunesMusic.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: Windows Update Service - Unknown owner - C:\WINDOWS\pwnsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: AOL Instant Messenger - Unknown owner - C:\WINDOWS\aims.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe

However, you might not see any indications at all. Only the AV detection of the file. You will also see this file in a HJT full startup report.

rdrivrem will remove all of the known registry entries and files to date. rdriv.sys is indeed a rootkit, and it’s recommended by many to do a complete format and re-install once a system has been compromised by a rootkit. However, I’m not completely convinced that it’s necessary. Once the files/regs are removed, it’s impossible for it to continue to work, except that it may have allowed other malware to be installed. Making sure a system is free of any other malware should remove any risk the rootkit may have introduced.

www.atribune.org is a site run by fellow malware fighter Atribune, and yes, it’s a very useful site. :wink:
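The triage DavidR did on the posted log (unknown-owner services under \WINNT, a bare msnmsdn.exe in Run/RunServices) and the associated O23 entries noahdfear lists can be turned into a small checker. The script below is an added example, not code from the thread or from HijackThis; its rules and sample lines (taken from the logs quoted in this thread) are assumptions of this example, and flagging only means "an analyst should look", not "malware".

```python
import re
from pathlib import PureWindowsPath

# HijackThis line shapes discussed in the thread: O23 (NT services) and O4 (Run keys)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_from(raw):
    """Return only the executable path: drop quotes, arguments and HJT's '(file missing)' tag."""
    raw = raw.replace(" (file missing)", "").lstrip('"')
    m = re.match(r"^(.*?\.exe)", raw, re.IGNORECASE)
    return m.group(1) if m else raw.split()[0]

def review_line(line):
    """Return the reasons an analyst should look at this entry (empty list = nothing odd)."""
    reasons = []
    m = O23_RE.match(line)
    if m:
        exe = PureWindowsPath(exe_from(m["path"]))
        # svhosts.exe / lsass.exe dropped straight into the Windows directory, no vendor info
        if m["owner"] == "Unknown owner" and exe.parent.name.lower() in ("winnt", "windows"):
            reasons.append("unknown-owner service binary sitting directly in the Windows directory")
        if m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
            reasons.append("unknown-owner service whose binary is missing (stale or self-deleting)")
        return reasons
    m = O4_RE.match(line)
    if m:
        if "\\" not in exe_from(m["cmd"]):
            reasons.append("bare executable name, located via the PATH search order")
        if m["key"] == "RunServices":
            reasons.append("RunServices key, a Win9x-era autostart rarely used by legitimate software on NT")
    return reasons

def review_log(text):
    """Map each flagged log line to its reasons."""
    findings = {}
    for ln in text.splitlines():
        reasons = review_line(ln)
        if reasons:
            findings[ln] = reasons
    return findings

# Sample lines taken from the logs quoted in this thread (constructed test input for this example)
SAMPLE_LOG = r"""
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Host Services - Unknown owner - D:\WINNT\svhosts.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\RunServices: [MsnAutostart] msnmsdn.exe
"""

if __name__ == "__main__":
    for entry, why in review_log(SAMPLE_LOG).items():
        print(entry, "\n   ->", "; ".join(why))
```

Legitimate bare entries such as `mobsync.exe /logon` will also be flagged; the point is to shortlist what to look up, as DavidR did with Google and bleepingcomputer.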

Thanks noahdfear!

Is it possible to tackle such malware with either XP’s SC command or HijackThis!'s delete an NT Service tool?

Would either of these methods kill the rootkit and allow avast!/Ewido to delete the malware?

As described here:

http://www.bleepingcomputer.com/forums/tutorial42.html

We’ve seen quite a few of these rootkit infections at the forum and it would be really useful to have some sort of generic method of tackling them.