
RDRIV.SYS INFECTION


#1 kaudiyo (New Member, 3 posts)

Posted 25 February 2007 - 07:18 AM

Hello,

I'm a newbie on this forum. You offer great help to people infected with spyware/malware.

Today NOD32 alerted me that my server is infected with the Trojan/backdoor rdriv.sys. I'm not able to clean the system, and NOD32 has put more than 35K copies of the infected file in quarantine.

I run a W2K3 server with SP2 and automatic updates ON.

This is my log from HijackThis:

====
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
c:\program files\ensim\webppliance\pe\provengine\ensim.provenginemonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IPCheck Server Monitor 4\Firebird\bin\fbguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MAILEN~1\BIN\MEHTTPS.EXE
C:\PROGRA~1\MAILEN~1\Bin\MEIMAPS.exe
C:\PROGRA~1\MAILEN~1\BIN\MELSC.EXE
C:\PROGRA~1\MAILEN~1\BIN\MEMTA.EXE
C:\PROGRA~1\MAILEN~1\BIN\MEPOC.EXE
C:\PROGRA~1\MAILEN~1\BIN\MEPOPC.EXE
C:\PROGRA~1\MAILEN~1\BIN\MEPOPS.EXE
C:\PROGRA~1\MAILEN~1\BIN\MESMTPC.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\Program Files\Tenable\Nessus\nessusd.exe
C:\Program Files\Urchin\bin\urchind.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\PROGRA~1\BACKUP~1\BAService.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\PROGRA~1\BACKUP~1\BAMonSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IPCheck Server Monitor 4\Firebird\bin\fbserver.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\Rar$EX00.281\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Barra de Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120855003531
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = digitalfutura1.es
O17 - HKLM\Software\..\Telephony: DomainName = digitalfutura1.es
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D0F0034-2ACF-41A7-A73A-69E365A53C32}: NameServer = 216.219.239.7,216.219.239.8
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: Logical Disk Manager Client Services (dmclient) - Unknown owner - C:\WINDOWS\system32\dmclih.exe (file missing)
O23 - Service: EnsimProvEngineMonitor - - c:\program files\ensim\webppliance\pe\provengine\ensim.provenginemonitor.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\IPCheck Server Monitor 4\Firebird\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\IPCheck Server Monitor 4\Firebird\bin\fbserver.exe
O23 - Service: MailEnable SMTP Relay Service - Unknown owner - C:\WINDOWS\mesmtpsvc.exe
O23 - Service: MailEnable HTTPMail Service (MEHTTPS) - MailEnable Pty Ltd - C:\PROGRA~1\MAILEN~1\BIN\MEHTTPS.EXE
O23 - Service: MailEnable IMAP Service (MEIMAPS) - MailEnable Pty Ltd - C:\PROGRA~1\MAILEN~1\Bin\MEIMAPS.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\PROGRA~1\MAILEN~1\BIN\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\PROGRA~1\MAILEN~1\BIN\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\PROGRA~1\MAILEN~1\BIN\MEPOC.EXE
O23 - Service: MailEnable POP Connector (MEPOPCS) - MailEnable Pty Ltd - C:\PROGRA~1\MAILEN~1\BIN\MEPOPC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\PROGRA~1\MAILEN~1\BIN\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\PROGRA~1\MAILEN~1\BIN\MESMTPC.EXE
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: Urchin Scheduler (urchind) - Unknown owner - C:\Program Files\Urchin\bin\urchind.exe
O23 - Service: Urchin Webserver (UrchinWebserver) - Unknown owner - C:\Program Files\Urchin\bin\urchinwebd.exe
O23 - Service: BackupAssist (wBackupAssist) - Cortex IT - C:\PROGRA~1\BACKUP~1\BAService.exe
O23 - Service: BackupAssist Monitor (wBAMon) - Cortex IT - C:\PROGRA~1\BACKUP~1\BAMonSvc.exe
====

I have read other posts about cleaning this trojan, but I don't find similar entries in my HijackThis log.

My server runs Ensim control panel, MailEnable (mail server) and Urchin (stats software).

Any help would be really appreciated.

Edited by kaudiyo, 25 February 2007 - 07:24 AM.

#2 kaudiyo (New Member, 3 posts)

Posted 25 February 2007 - 11:43 AM

Can anybody help me with this issue?

#3 LongTom89 (New Member, 2 posts)

Posted 28 February 2007 - 06:43 AM

We found a similar item on a server running MailEnable. The bad guy is a service called MailEnable SMTP Relay Service. It is set up so that you cannot stop it from the Services snap-in. We could see the process running in Task Manager but couldn't stop it from there either. We used a Microsoft program called Autoruns, which shows all the programs/services etc. that run at startup. We found an entry for MailEnable SMTP Relay Service in the registry and were able to delete the key. This stopped the service. Then we searched the registry and found a key in the LEGACY section which mentioned MailEnable SMTP Relay Service, so we deleted that also. The server has been OK since then.

JohnG
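The pattern JohnG describes (a service named after MailEnable, with no recognised owner, whose binary sits directly in C:\WINDOWS instead of under the MailEnable program directory) is visible in the O23 lines of the HijackThis log in post #1. The script below is an added example written for this thread, not code from the forum, MailEnable or HijackThis; the sample lines are copied from the log above, and the three triage rules (unknown owner among vendor-owned siblings, binary in the Windows root, file missing) are my own heuristics, not anything the tools themselves apply.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O23 lines from the HijackThis log in post #1.
SAMPLE_LOG = """\
O23 - Service: MailEnable SMTP Relay Service - Unknown owner - C:\\WINDOWS\\mesmtpsvc.exe
O23 - Service: MailEnable HTTPMail Service (MEHTTPS) - MailEnable Pty Ltd - C:\\PROGRA~1\\MAILEN~1\\BIN\\MEHTTPS.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\\PROGRA~1\\MAILEN~1\\BIN\\MEPOPS.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\\Program Files\\IPCheck Server Monitor 4\\Firebird\\bin\\fbguard.exe
O23 - Service: Logical Disk Manager Client Services (dmclient) - Unknown owner - C:\\WINDOWS\\system32\\dmclih.exe (file missing)
"""

def parse_o23(log):
    """Return (name, owner, path, file_missing) tuples for each O23 line.
    Split from the right so a service name containing ' - ' stays intact."""
    out = []
    for line in log.splitlines():
        if not line.startswith("O23 - Service: "):
            continue
        parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
        if len(parts) != 3:
            continue
        name, owner, path = parts
        missing = path.endswith("(file missing)")
        out.append((name, owner, path.replace("(file missing)", "").strip(), missing))
    return out

def in_windows_root(path):
    """True when the binary sits directly in C:\\WINDOWS, not system32 or Program Files."""
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path, re.IGNORECASE) is not None

def triage(log):
    """Map service name -> list of reasons it deserves a second look."""
    services = parse_o23(log)
    # Who normally owns each product family (first word of the name)?  A lone
    # "Unknown owner" among vendor-owned siblings is the pattern of the fake relay.
    owners = defaultdict(set)
    for name, owner, _, _ in services:
        owners[name.split()[0]].add(owner)
    findings = defaultdict(list)
    for name, owner, path, missing in services:
        siblings = owners[name.split()[0]] - {"Unknown owner"}
        if owner == "Unknown owner" and siblings:
            findings[name].append("unknown owner, siblings owned by " + ", ".join(sorted(siblings)))
        if in_windows_root(path):
            findings[name].append("binary directly in Windows root: " + path)
        if missing:
            findings[name].append("file missing")
    return dict(findings)
```

On this log the genuine MEPOPS service also trips the owner rule, so the owner heuristic only narrows the list; the location rule is what singles out mesmtpsvc.exe, and the next step is to confirm the ImagePath under HKLM\SYSTEM\CurrentControlSet\Services with Autoruns as JohnG did.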

#4 LongTom89 (New Member, 2 posts)

Posted 28 February 2007 - 06:48 AM

I also found an article in the MailEnable KB:

http://www.mailenabl...asp?ID=me020475

JohnG

#5 kaudiyo (New Member, 3 posts)

Posted 28 February 2007 - 07:05 AM

Sorry for not posting that solution; I already found it the day after the incident. It's a Trojan affecting unpatched MailEnable.

#6 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 24 March 2007 - 07:02 PM

We are sorry that your topic was overlooked. The new infections that are coming out require us to spend more time on each topic, that and the lack of qualified helpers means that some of the topics will get passed over. Yours was one of those.

The reason for closing this topic is that you would not have been notified should somebody have replied, because the thread had gone 20 days without a reply.

Should you return to the forums and still require assistance, please start a new thread (topic). After doing so, please post in this thread with a link to this topic and the new one you started.

To help keep your PC clean, follow the recommendations in Tony Klein's article "So how did I get infected in the first place?"
