HELP! rdriv.sys trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by js8mc, Jun 21, 2005.

  1. js8mc

    js8mc Private E-2

    Thank you in advance to anyone who helps me, I really appreciate it. Here is what I have tried so far: My problem started when I had trouble with both Internet Explorer and Netscape opening any pages, so after running Symantec, I found no viruses. I then ran both Spybot and Ad-Aware but found nothing that helped. Lately, Symantec's Auto-Protect has been constantly deleting a file called rdriv.sys every few seconds. For example, over the past few hours Symantec has given me 5904 notifications of this. I tried running the antivirus program in safe mode but it found nothing. I also tried searching for the file itself but could not find it in safe mode either. When I rebooted Windows normally, the Auto-Protect resumed notifying me. I have tried running a program from pandasoftware.com but it didn't work because my browsers are pretty screwed up. I have also run a program called a2. I have run HijackThis if you would like me to post. Thanks again!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post, as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. js8mc

    js8mc Private E-2

    I tried the Basic Spyware, Trojan And Virus Removal steps but to no avail. I hope you don't mind my posting my Hijack This log. Thanks again for the help!
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I want you to run Spybot and get into the Advanced mode by selecting Mode and then
    Advanced mode. Then select Settings and then in the left column select Ignore Products.
    In the right window pane make sure the All products tab is selected. Then in that
    window, right-click your mouse and choose "Deselect all". Now in the left pane click
    at the top on Spybot S&D and then choose Search for Updates. Download any updates
    required. Now click Check for Problems. Fix any that are found.


    After you have completed the above, reboot and get me a fresh HJT log.
     
  5. js8mc

    js8mc Private E-2

    OK. I followed all your instructions and ran Spybot in the manner that you asked. Just so you know, halfway through it said "there were problems in the file C:\Program Files\Spybot - Search_Destroy\Includes\Hijacks.sbi. See 'Include errors.log' for details." Also, at the end it said it could not delete 3 things. The new HijackThis log is attached. Thanks so much again!
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have Spybot S&D 1.4 with all of the updates. Look in Add/Remove Programs for NewDotNet and uninstall if found.

    Then run Spybot as previously requested, be sure that the ignored items are unchecked before running it.
     
  7. js8mc

    js8mc Private E-2

    OK, I had Spybot 1.3 but now I downloaded 1.4 and reran everything the way specified. Below is my newest HijackThis file. NewDotNet was not in Add/Remove Programs. Thanks again.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The O10 entries still remain, you must run Spybot exactly as requested for it to remove these entries.

    You must get all updates and uncheck the ignored items. NewDotNet is ignored by default.

    Run Spybot S&D with the ignored items UNCHECKED and then post a fresh HJT log.
     
  9. js8mc

    js8mc Private E-2

    OK. I ran Spybot again as requested, and this time when it said it could not delete one thing I went in and deleted it myself. It was showing 8 instances of NewNet and the one it couldn't delete was the folder. It should be the right way now, I sure hope. Thanks!
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
    O2 - BHO: C:\WINDOWS\lbbho.dll - {E783357B-92E3-4A0C-BF07-32B638715BC7} - C:\WINDOWS\lbbho.dll

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINDOWS\fi49.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate ProcessEnumerator32 (pe32) and right-click on it to bring up the Service Properties window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\fi49.exe

    C:\WINDOWS\pxwma.dll

    C:\WINDOWS\lbbho.dll

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
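The steps above are done by hand in HijackThis and services.msc. As an added example that is not part of this thread, and not code from HijackThis, Spybot or MajorGeeks, the script below checks the same entries (the pe32 service, the two BHO CLSIDs, the HKLM Run value, the machine-wide Start Page and the three files) and, with -Remediate, performs the same stop/disable/delete actions. The service name, CLSIDs and paths are exactly those in the HJT entries quoted above; everything else (the function name, the switch, the assumption of a modern PowerShell 5+ on an elevated prompt) is the example's own. It only reports the Start Page rather than resetting it, and it does not replace the Safe Mode step: something on this machine was recreating rdriv.sys every few seconds, so run it in Safe Mode and run it a second time after a reboot to confirm nothing came back.

```powershell
# Added example, not from the thread. Read-only by default; -Remediate applies
# the same stop/disable/delete steps bjgarrick listed. Assumes PowerShell 5+
# run as Administrator on the affected machine.
param([switch]$Remediate)

# Taken verbatim from the HJT entries quoted in the thread.
$Files     = @('C:\WINDOWS\fi49.exe', 'C:\WINDOWS\pxwma.dll', 'C:\WINDOWS\lbbho.dll')
$BhoClsids = @('{58F07DD3-924D-4141-BC74-299F523A95F1}', '{E783357B-92E3-4A0C-BF07-32B638715BC7}')
$Service   = 'pe32'
# Standard registry locations for O2 (BHO), O4 (Run) and R0 (Start Page) items.
$BhoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$IeMain    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'

function Test-HjtArtifacts {
    param([switch]$Remediate)
    $findings = @()

    # O23: check the SCM and the registry key, because a service whose
    # binary was already deleted still keeps its key under Services.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    if ($svc -or (Test-Path $svcKey)) {
        $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $state = if ($svc) { $svc.Status } else { 'registry key only' }
        $findings += "O23 service $Service present ($state), ImagePath=$image"
        if ($Remediate -and $svc) {
            # Same order as the services.msc steps: stop it, then set Disabled.
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Service -Force -ErrorAction SilentlyContinue }
            Set-Service -Name $Service -StartupType Disabled -ErrorAction SilentlyContinue
        }
    }

    # O2: a BHO is loaded into Internet Explorer through its CLSID subkey under
    # $BhoRoot; the CLSID's InprocServer32 default value names the DLL.
    foreach ($clsid in $BhoClsids) {
        $bhoKey = "$BhoRoot\$clsid"
        if (Test-Path $bhoKey) {
            $findings += "O2 BHO $clsid still registered"
            if ($Remediate) { Remove-Item -Path $bhoKey -Recurse -Force }
        }
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            $findings += "O2 CLSID $clsid maps to $dll"
        }
    }

    # O4: the HKLM Run value named MSConfig.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['MSConfig']) {
        $findings += "O4 Run\MSConfig = $($run.MSConfig)"
        if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name 'MSConfig' }
    }

    # R0: report the machine-wide Start Page; fixing it is left to the user.
    $start = (Get-ItemProperty -Path $IeMain -ErrorAction SilentlyContinue).'Start Page'
    if ($start) { $findings += "R0 HKLM Start Page = $start" }

    # Files: hash before deleting so the sample can still be identified later.
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) {
            $sha = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings += "file $f present, SHA256=$sha"
            if ($Remediate) { Remove-Item -LiteralPath $f -Force }
        }
    }
    return $findings
}

$result = Test-HjtArtifacts -Remediate:$Remediate
if ($result.Count -eq 0) { 'No HJT-listed artifacts found.' } else { $result }
```

Save it as a .ps1 and run it once without arguments to see what is still present, then with -Remediate from Safe Mode, then once more after rebooting normally; a second clean run is the equivalent of the "fresh HJT log" the thread asks for.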
     
  11. js8mc

    js8mc Private E-2

    OK, I followed all the instructions. Here's the newest log... hopefully I've done everything correctly...
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further problems?
     
  13. js8mc

    js8mc Private E-2

    Sorry it took so long to reply, our internet was out. It appears to be working OK now. Symantec is no longer popping up with the warning and I ran Spybot again and it seems as if everything is gone. My only other question is that on the Symantec site it says something about cleaning the registry? Do you think I need to go in and change it back to some sort of original values or should I be OK now? Thanks again so much for all of your help!
     
  14. js8mc

    js8mc Private E-2

    Really quick, sorry to bug you, but do you have any suggestions for how to protect my computer a little better in the future from these pesky infections? Thanks again!
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We got pretty much everything; if you're not getting any warnings it's gone.

    Check out this article on How to Protect yourself from malware!
     
