Yet another (irremovable) trojan
I recently had a series of problems with my PC that I thought might be related to a replacement PSU as the problems started at about the same time as it was fitted. I took it to a local shop which diagnosed a BIOS fault, completely wiped all sectors of my hard drive to remove Windows ME and installed XP Professional (without SP2) and AVG anti-virus.
Despite the AV running, while re-installing my broadband software I seem to have acquired a virus on my machine that AVG cannot shift. Each time I run the AV program it assures me that it has found and deleted the virus, after which the virus alert comes straight back. The file cannot be deleted, healed or transported to the virus vault, the alert returning as soon as I hit the Delete File, Heal or Send to Virus Vault buttons. During the full scan, AVG also found two other viruses, also Trojans that arrived at the same time, which it did (apparently) delete.

AVG identifies the virus as Trojan horse Generic GM in C : \WINDOWS\System32\rdriv.sys

This is the HJT Logfile:

Logfile of HijackThis v1.98.2
Scan saved at 08:46:22, on 26/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C : \WINDOWS\System32\smss.exe
C : \WINDOWS\system32\winlogon.exe
C : \WINDOWS\system32\services.exe
C : \WINDOWS\system32\lsass.exe
C : \WINDOWS\system32\svchost.exe
C : \WINDOWS\System32\svchost.exe
C : \WINDOWS\Explorer.EXE
C : \WINDOWS\system32\spoolsv.exe
C : \PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C : \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C : \WINDOWS\system32\ZoneLabs\vsmon.exe
C : \PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C : \PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C : \WINDOWS\SOUNDMAN.EXE
C : \WINDOWS\System32\gsicon.exe
C : \WINDOWS\System32\dslagent.exe
C : \PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C : \WINDOWS\System32\VSStatmn8.exe
C : \Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C : \Program Files\Messenger\msmsgs.exe
C : \Program Files\BT Broadband Help\bin\mpbtn.exe
C : \Documents and Settings\User\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C : \Documents and Settings\User\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C : \WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C : \PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C : \PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Motive SmartBridge] C : \PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
O4 - HKLM\..\Run: [Zone Labs Client] C : \Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
O4 - HKCU\..\Run: [MSMSGS] "C : \Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
O4 - Global Startup: BT Broadband Help.lnk = C : \Program Files\BT Broadband Help\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C : \WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C : \WINDOWS\web\related.htm

Note C : \ is deliberately spaced because without the spaces it is read as a smiley and I get shouted at for using too many!

Any help would be much appreciated.

GG
Note C : \ is deliberately spaced because without the spaces it is read as a smiley and I get shouted at for using too many!

As for the rest, you're not using the latest HJT (1.99.1) but I don't think that matters. I googled rdriv.sys and this looks helpful, although I haven't gone through it in detail. In particular:

The reason you are having trouble removing this virus is because ... rdriv.sys is just part of it. We have this virus, and I have been able to remove it manually. The actual virus is O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe
Groundgripper,
Go to your winX/System32 directory and list detailed files. Click the modified tab to see which files have been created or modified recently. Any files which have been modified or created in the last couple of months should be tested through this website. Also test these files...

C : \WINDOWS\SOUNDMAN.EXE
C : \WINDOWS\System32\gsicon.exe
C : \WINDOWS\System32\dslagent.exe
C : \PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C : \Program Files\Messenger\msmsgs.exe
C : \WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

It appears that you are running hjt from a temporary directory. Re-install the latest version to a normal directory and repaste the hjt log if Jotti's doesn't clear the problem up.

It also looks as though you are running two AV programs, AVG and McAfee. These can conflict with each other. I'd go for AVG myself and use the McAfee online virus checker as backup as you appear to have broadband.
Evo
Selecting Disable Smilies in This Post fixes that one. Thanks for the link, I'll try that one (if I can understand it!)

Spinflight: Any files which have been modified or created in the last couple of months should be tested through this website. It also looks as though you are running two AV programs, AVG and McAfee.

Thanks to both of you - oh well, Registry, here I come!! Tomorrow could be exciting!

GG
Groundgripper,
Jotti's website is a godsend. :ok: Every AV program has its strengths and weaknesses, some catch viruses which others don't; however, having two AV on your system can cause problems, even cancelling each other out.

You will often find viruses in threes if your system seems to be badly affected. Generally a security loophole will be used to get a backdoor virus on to your computer. The backdoor then opens the way for a downloader virus which can bring some pretty nasty stuff onto your computer. Obviously just because your AV has picked up a downloader it doesn't mean that it has also picked up the backdoor which allowed it on there in the first place.... Sometimes you just have to wait until the AV bods get an update out which identifies the virus you have, though Jotti's ensures that if any of them have a handle on said beastie then you can get rid of it.

Even though all Microsoft products are !!!!e I suggest you go to their website with IE and pick up any security patches or updates which are available. Honestly, running a Win32 system which is used by multiple users is probably good training for being a professional sysadmin nowadays.
You will often find viruses in threes if your system seems to be badly affected

I rummaged around on the two sites mentioned, and also on the MajorGeeks site, and plunged into the Registry, deleting files as I thought appropriate - to absolutely no effect. (I'm a bit of a novice at this sort of thing!). As a last resort I updated AVG and ran it - and it got rid of it! Strange that, I presumed that the version the shop put on was only a day or so old, maybe I was wrong.

Anyhow, it all appeared fine and dandy today, no problems and internet working fine (I also checked it on Trend Micro's Housecall, which also pronounced it clean) so I was happy with it and spent the morning doing several things I should have done sooner... except that I then started reloading all my other software and, as of this evening, on boot up it now crashes halfway through loading up XP - the screen goes blank and nothing works except for the mouse and I have to switch off by pulling the plug - strange! Back to the shop tomorrow, I think, they loaded XP so let them sort it out (and explain why the Microsoft site thinks this copy of XP is pirated - there's a surprise!)

Anyway, many thanks for all the suggestions. That Jotti site is very good; the trouble is that you have to know which file to scan, otherwise it could take a very long time especially if, like me, you don't really know what you are doing!

GG
Sorry for the troubles, I had the same kinds; that's why I went to Linux. Now, no more problems!!!! :O :O :ok: