Attack of a " rdriv.sys" virus

Can someone tell my how I can remove this virus once and for all? Thanks alot!

Sure :), but you have manny, many more than one. Brace yourself, this could take some time.

Run HJT again, and select Do system scan only. Then check these items.

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\mlljh.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll (file missing

O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe

O4 - HKLM\..\Run: [Microsoft Update Machine] ntsystem.exe

O4 - HKLM\..\Run: [Microsoft Windows Update Logon] win-logon.exe

O4 - HKLM\..\Run: [Microsoft Update Loaders 2005] winusers.exe

O4 - HKLM\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] ntsystem.exe

O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif

O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif

O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe

O4 - HKLM\..\RunServices: [Microsoftz turn Control] read.pif

O4 - HKLM\..\RunServices: [Microsoft Windows Update Logon] win-logon.exe

O4 - HKLM\..\RunServices: [AIM Instant Message Cookies] gjeau.exe

O4 - HKLM\..\RunServices: [Microsoft Update 32] mssetup32.exe

O4 - HKLM\..\RunServices: [Wind0ws Sharing] ssprotecter.exe

O4 - HKLM\..\RunServices: [Microsoft Updote] taskedit.exe

O4 - HKLM\..\RunServices: [Microsoft Update Loaders 2005] winusers.exe

O4 - HKLM\..\RunServices: [msngta32] msngta32.exe

O4 - HKLM\..\RunServices: [MSFTP Service Config] r3grun.exe

O4 - HKLM\..\RunServices: [Nortons Syncmon] dufnyovyotzm.exe

O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe

O4 - HKLM\..\RunServices: [xWindows Securty] ucknicur.exe

O4 - HKLM\..\RunServices: [Provan Security] psecure.exe

O4 - HKLM\..\RunServices: [Microsoft TaskManager Updater] keyboard.exe

O4 - HKLM\..\RunServices: [Microsoft Gaming 32] msgame32.exe

O4 - HKLM\..\RunServices: [Microsoft Offices] msni.pif

O4 - HKLM\..\RunServices: [WINDOWS UPDATE] Beheks.exe

O4 - HKLM\..\RunServices: [Windows Update GUI Executable x32x] wupdategux32.exe

O4 - HKLM\..\RunServices: [MS Sy O4 - HKLM\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exestem Security] mswin32.pif

O4 - HKLM\..\RunServices: [Windows ASNX Service] asnxupdate.exe

O4 - HKLM\..\RunServices: [MS DATABASE] MSDATA32.EXE

O4 - HKLM\..\RunServices: [SVCH Service] svch32.pif

O4 - HKLM\..\RunServices: [Intex Service Driver] msserv.exe

O4 - HKLM\..\RunServices: [Microsft Confige 32] msaconfigurez.exe

O4 - HKLM\..\RunServices: [Mlcr0s0ftf DDEs C0ntr0i] WAed.pif

O4 - HKLM\..\RunServices: [Micr0c0fth DDEs C0ntb0l] WOnu.pif

O4 - HKLM\..\RunServices: [Microsoft Visual Studio] xnxyxey.exe

O4 - HKLM\..\RunServices: [Windows notepad] notpad.exe

O4 - HKLM\..\RunServices: [Microsoft Spng] stfnplug.exe

O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe

O4 - HKLM\..\RunServices: [AdobeReaderPro] svxhost.exe

O4 - HKLM\..\RunServices: [System Service] S4B3R.exe

O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Schedule] sched.exe

O4 - HKLM\..\RunServices: [dll services] asysqofro.exe

O4 - HKLM\..\RunServices: [Microsoft Internet Explorer] lEXPLORE.EXE

O4 - HKLM\..\RunServices: [Microsoft Fixgf] tgujbvydc.exe

O4 - HKLM\..\RunServices: [Fire Well service] yaegkde.exe

O4 - HKLM\..\RunServices: [nero1] zv.exe

O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe

O4 - HKCU\..\Run: [Microsoft Update Machine] ntsystem.exe

O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe

O4 - HKCU\..\RunServices: [AIM Instant Message Cookies] gjeau.exe

O4 - HKCU\..\RunServices: [msngta32] msngta32.exe

O4 - HKCU\..\RunServices: [MS System Security] mswin32.pif

O4 - HKCU\..\RunServices: [SVCH Service] svch32.pif

O4 - HKCU\..\RunServices: [Intex Service Driver] msserv.exe

O4 - HKCU\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exe

O4 - HKCU\..\RunServices: [Windows notepad] notpad.exe

O4 - HKCU\..\RunServices: [Microsoft Spng] stfnplug.exe

O4 - HKCU\..\RunServices: [Microsoft Windows Schedule] sched.exe

O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab

O16 - DPF: i.Game MJImpressYHK - http://202.43.223.150/client/MJc/com...ImpressYHK.cab

O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/i...b/EWinSKey.CAB

O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members6.clubphoto.com/_img/u...l_uploader.cab

O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/...s/MsnPUpld.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...lInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程 ;) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

O20 - Winlogon Notify: mlljh - C:\WINDOWS\System32\mlljh.dll

O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\szriptpw.dll (file missing)

O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\mcxml4.dll (file missing)

O23 - Service: ATIintergrated - Unknown owner - C:\WINDOWS\atigraphics.exe (file missing)

O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe (file missing)

O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)

O23 - Service: wincrypter - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\install.exe

O23 - Service: wxpdll32 - Unknown owner - C:\WINDOWS\wxpdll32.exe (file missing)

Click Fix Checked.

_____________________________________________________

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Put a check next to Run VundoFix as a task.
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

________________________________________________

I see you have ewido installed. Please scan with that and post that log, along with a new HJT log.

Thanks fo your help~:)
i hope it will not spend you too much time~

i follow your step to fix hjack, the problem is not appear after i restart the pc
i dont know it is clear or not

for the Vundo
after i double click and receive a message saying vundofix will close
and re-open in a minute or less, i cant execute the Vundo
the problem show lke this:
http://www.pixpond.com/1/3wax4i.JPG

it said C:\windows\system32\svchost.exe
C:\windows\system32\autoexec.nt is not available to execute ms dos & microsoft windows application program.
please choose close to stop the program

however, either close or skip, i still cant execute this program

here is my new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:16:07, on 23/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\phillis\LOCALS~1\Temp\Rar$EX04.360\HijackThis.exe
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\System32\mlljh.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] ; C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\RunServices: [Microsoftf Avpx Control] avpx.exe
O4 - HKLM\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKLM\..\RunServices: [Realtek Sound Manager] uhsqygd.exe
O4 - HKLM\..\RunServices: [DRam prosesor] uzwwwdd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124075389020
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mlljh - C:\WINDOWS\System32\mlljh.dll
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINDOWS\msstl.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe (file missing)
O23 - Service: Driver Signatures (Driver Signature Services) - Unknown owner - C:\WINDOWS\drvsig.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: mansorr here (mans0r) - Unknown owner - C:\WINDOWS\finderd.exe (file missing)
O23 - Service: cyberz mansor (mansor) - Unknown owner - C:\WINDOWS\mansor.exe (file missing)
O23 - Service: Microsoft Windows System32 - Unknown owner - C:\WINDOWS\zaber.exe (file missing)
O23 - Service: FireDaemon Service: msg62 (msg62) - Unknown owner - C:\WINDOWS\system32\DirectX\bin\\FireDaemon.EXE (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe (file missing)
O23 - Service: NETWORK SERVICE - Unknown owner - C:\WINDOWS\ctfmonn.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: WindowsSysBoot - Unknown owner - C:\WINDOWS\winsys.exe (file missing)

Lets have this scanner take out what it can. IT may be able to miss the vundo that VF couldn't get becasue it wouldn't work. I am not usre why it wouldn't work...

Please download ewido anti-malware it is a free version of the program.

1. Install ewido anti-malware
2. When installing, under "Additional Options" uncheck..
   • Install background guard
   • Install scan via context menu
3. Launch ewido, there should be an icon on your desktop, double-click it.
4. The program will now open to the main screen.
5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
   
6. You will need to update ewido to the latest definition files.
   • On the left hand side of the main screen click update.
   • Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed.
   (the status bar at the bottom will display ("Update successful" )

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

• Open up Ewido
• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.
• Close ewido anti-malware.

Reboot.

__________________________________________________

Also,

Run this .exe, choose the one for your Operating System:

For Windows XP Home download this file - http://downloads.malwareteks.com/XPHomeFiles.exe
For Windows XP Professional download this file - http://downloads.malwareteks.com/XPProfiles.exe

Post a new HJT log, and the ewido log

I am not sure how you guys do this, but from the looks to me he was infected due to not having any Service Packs installed. Maleware affects the Installa
tion of Sp2, but not sp1.

Please follow my instructions, then continue with theirs please.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

I am not sure how you guys do this, but from the looks to me he was infected due to not having any Service Packs installed...

Good catch Burton; that's why we appreciate other pairs of eyeballs on the problems. :)
That is indeed a "virgin" install of XP by the looks of it, and yes- we do advise that SP1a be applied (if possible) before anything else.

Please note: One thing often becomes evident at this point- the member is denied access to the upgrade because the version of XP installed on their system is not a legal copy, and it therefore fails Microsoft's "Genuine Advantage" validation check.
Unfortunately, regardless of how/why the member got an illegal load of Windows installed on their machine, we cannot continue the troubleshoot until the member obtains a valid copy of the operating system or a valid product key for their current install.

As stated in our Forum Rules:

"Keep it clean and do not post pornographic material or link to it. In addition, do not post anything warez related or related to other illegal acts. This includes tech support troubleshooting pirated software or P2P programs (i.e. Gnutella, Kazaa) used to obtain pirated software. Exceptions are helping to remove spyware or browser hijacks (that may or may not be related to illegal material) from a computer. "

-