troj/rustock


Re: troj/rustock

Post by MacIntosh on Fri Jul 03, 2009 9:06 pm

Hi Guys, This stupid virus is stopping me from opening any anti-virus including HijackThis. I was able to generate the report like reichstadt625 though, so below I have posted the DDS. This is my first time on here. :) Thanks for the help. My main goal is to just restore the computer from a month ago since I got it last week. The Troj/Rustok-N is preventing me from doing that also...

If I ever got a hold of the person who wrote this...

Anyways here is the DDS. Thanks again

DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 14:59:22.40 on Fri 07/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.576 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyDVDMon]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
TCP: NameServer = 85.255.112.121,85.255.112.123
TCP: {84845C88-8212-4061-9612-72B22B138354} = 85.255.112.121,85.255.112.123
Notify: !SASWinLogon - c:\program files\supersetup\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\supersetup\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ke6i65yk.default\
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ke6i65yk.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-3 130936]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-5-29 10384]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-3 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-3 1095560]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\drivers\PRISMNDS.sys [2008-8-26 652288]

=============== Created Last 30 ================

2009-07-03 14:52 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-03 14:51 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-03 14:51 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-03 14:51 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-03 14:51 --d----- c:\program files\common files\PC Tools
2009-07-03 14:51 --d----- c:\program files\Spyware Doctor
2009-07-03 14:51 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-03 14:51 --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-07-03 14:39 --d----- c:\program files\SUPERsetup
2009-07-03 14:39 --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-07-03 14:39 --d----- c:\program files\common files\Wise Installation Wizard
2009-07-03 14:27 --d----- c:\program files\Paul mac
2009-07-03 14:14 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 14:14 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-03 14:14 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-03 14:14 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 13:58 --d----- c:\program files\Trend Micro
2009-06-15 21:28 --d----- c:\program files\iPod
2009-06-15 21:28 --d----- c:\program files\iTunes
2009-06-15 21:28 --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-03 16:24 1,101 a------- C:\net_save.dna
2009-06-03 16:24 --d----- c:\program files\support.com
2009-06-03 16:24 --d----- c:\program files\common files\SupportSoft

==================== Find3M ====================

2009-05-30 10:27 40 a------- c:\documents and settings\administrator\language.dat
2009-05-29 17:10 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-05-29 17:10 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-05-29 17:10 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 22:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 22:55 78,336 -------- c:\windows\system32\ieencode.dll
2009-04-17 06:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 08:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 14:59:45.03 ===============

MacIntosh
Novice

Posts : 5
Joined : 2009-07-03
OS : Windows XP (Media pc) Vista Ultimate (Office comp)
Points : 27125
# Likes : 0

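The DDS report above carries the two indicators that matter in this thread: a `TCP: NameServer` entry pointing at resolvers the machine's owner never configured, and (in the later ComboFix log) driver and DLL files with a fixed `MSIVX` prefix followed by a long random string. As an added example, not code from the thread, from DDS or from ComboFix, the script below parses report lines of that shape and flags both. The NameServer values and the MSIVX driver name are copied from the reports posted here; the service line that wraps the driver, the `EXPECTED_RESOLVERS` allowlist and the 20-letter threshold are assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample in DDS "Pseudo HJT Report" / "SERVICES / DRIVERS" style. The two TCP
# lines and the MSIVX driver file name are taken from the thread's reports; the R1 service
# line is constructed, since DDS did not show the hidden service while the rootkit ran.
SAMPLE_REPORT = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [iTunesHelper] "c:\\program files\\itunes\\iTunesHelper.exe"
TCP: NameServer = 85.255.112.121,85.255.112.123
TCP: {84845C88-8212-4061-9612-72B22B138354} = 85.255.112.121,85.255.112.123
R0 PCTCore;PCTools KDS;c:\\windows\\system32\\drivers\\PCTCore.sys [2009-7-3 130936]
R2 LBeepKE;LBeepKE;c:\\windows\\system32\\drivers\\LBeepKE.sys [2009-5-29 10384]
R1 MSIVXserv;MSIVXserv;c:\\windows\\system32\\drivers\\MSIVXrqobymbpxdqlgwqeyxnspwcpkbmnyrlv.sys [2009-7-3 0]
"""

# Resolvers the owner actually configured (assumed: the home router and one ISP resolver).
# Any other address in a NameServer entry deserves a look.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "203.0.113.53"}

# "TCP: NameServer = a,b" and per-adapter "TCP: {GUID} = a,b" entries.
TCP_LINE = re.compile(r"^TCP:\s*(?P<key>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<ips>[\d.,\s]+)$")
# "<R0|S3> <name>;<display>;<path> [date size]" service / driver entries.
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]+?)\s*(\[.*\])?$"
)
# A run of 20+ consecutive lowercase letters is rare in shipped driver names and typical of
# generated names such as the MSIVX... files ComboFix removed in this thread (threshold assumed).
RANDOM_RUN = re.compile(r"[a-z]{20,}")


def parse_dns_entries(report: str) -> Dict[str, List[str]]:
    """Map each TCP key (NameServer or adapter GUID) to the resolver list it carries."""
    entries: Dict[str, List[str]] = {}
    for line in report.splitlines():
        m = TCP_LINE.match(line.strip())
        if m:
            entries[m.group("key")] = [ip.strip() for ip in m.group("ips").split(",") if ip.strip()]
    return entries


def parse_services(report: str) -> List[Dict[str, str]]:
    """Parse service / driver lines into state, name, display name and file path."""
    services: List[Dict[str, str]] = []
    for line in report.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            services.append({k: (m.group(k) or "").strip() for k in ("state", "name", "display", "path")})
    return services


def unexpected_resolvers(report: str, expected: Set[str]) -> List[str]:
    """Resolver addresses present in any TCP entry but absent from the allowlist, in order seen."""
    found: List[str] = []
    for ips in parse_dns_entries(report).values():
        for ip in ips:
            if ip not in expected and ip not in found:
                found.append(ip)
    return found


def random_named_drivers(report: str) -> List[str]:
    """Driver paths whose file name stem contains a long run of lowercase letters."""
    hits: List[str] = []
    for svc in parse_services(report):
        filename = svc["path"].replace("/", "\\").rsplit("\\", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        if RANDOM_RUN.search(stem):
            hits.append(svc["path"])
    return hits


def triage(report: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Run both checks and return the findings keyed by indicator type."""
    return {"dns": unexpected_resolvers(report, expected), "drivers": random_named_drivers(report)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REPORT, EXPECTED_RESOLVERS).items():
        for item in items:
            print(f"[{kind}] {item}")
```

The DNS check is the one worth keeping after a cleanup like this one: a resolver entry that survives (or returns) after the rootkit's files are gone means every lookup from the machine is still being answered by someone else, so comparing the NameServer values against what the owner and router actually hand out is a cheap follow-up check.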

Re: troj/rustock

Post by Belahzur on Fri Jul 03, 2009 9:10 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1


Re: troj/rustock

Post by MacIntosh on Fri Jul 03, 2009 9:16 pm

I am unable to run ComboFix just like hijackthis and all other programs of this nature. Thinking I might have something in addition to this virus or an updated version of this virus.

My Girlfriend is not allowed to use the media PC ever again.


Re: troj/rustock

Post by Belahzur on Fri Jul 03, 2009 9:18 pm

Did you download it as renamed?


Re: troj/rustock

Post by MacIntosh on Fri Jul 03, 2009 9:37 pm

It is hard being stupid. I read your instructions like I was supposed to remove the dash. When I downloaded it I just figured the file was updated without it. Anyways, here is my log. Thanks for taking a look.

Spyware Doctor with AntiVirus - I tried this today to get rid of it but it didn't download anything, stopped by the virus I think. I normally don't use any software to protect this computer. This computer is not used for any downloads usually.

ComboFix 09-07-03.03 - Administrator 07/03/2009 15:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.774 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\8086c.msi
c:\windows\Installer\9b90.msi
c:\windows\system32\drivers\MSIVXrqobymbpxdqlgwqeyxnspwcpkbmnyrlv.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXhfxxbimotgqxmftsvpmcmiooaklinhep.dll
c:\windows\system32\MSIVXoyarmyxyxtetjcbjbrfqjrmifueasvpg.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 20:52 . 2008-12-11 14:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-03 20:51 . 2009-04-03 17:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-03 20:51 . 2008-12-18 18:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-03 20:51 . 2009-07-03 21:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-03 20:51 . 2009-07-03 20:52 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-03 20:51 . 2008-12-10 17:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-03 20:51 . 2009-07-03 20:53 -------- d-----w- c:\program files\Spyware Doctor
2009-07-03 20:51 . 2009-07-03 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-03 20:51 . 2009-07-03 20:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-07-03 20:39 . 2009-07-03 20:39 -------- d-----w- c:\program files\SUPERsetup
2009-07-03 20:39 . 2009-07-03 20:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-03 20:39 . 2009-07-03 20:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-03 20:27 . 2009-07-03 20:27 -------- d-----w- c:\program files\Paul mac
2009-07-03 20:14 . 2009-06-17 17:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 20:14 . 2009-07-03 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-03 20:14 . 2009-06-17 17:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 20:14 . 2009-07-03 20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 19:58 . 2009-07-03 19:58 -------- d-----w- c:\program files\Trend Micro
2009-06-28 19:43 . 2009-06-28 19:44 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-06-16 03:28 . 2009-06-16 03:28 -------- d-----w- c:\program files\iPod
2009-06-16 03:28 . 2009-06-16 03:29 -------- d-----w- c:\program files\iTunes
2009-06-16 03:28 . 2009-06-16 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-16 03:25 . 2009-06-16 03:25 -------- d-----w- c:\program files\QuickTime
2009-06-16 03:22 . 2009-06-16 03:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-06 04:41 . 2009-06-06 04:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-06 04:38 . 2009-06-06 04:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-06 04:37 . 2009-06-07 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-06 04:37 . 2009-06-07 17:34 -------- d-----w- c:\program files\NOS
2009-06-03 22:24 . 2009-06-03 22:28 -------- d-----w- c:\program files\support.com
2009-06-03 22:24 . 2009-06-03 22:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SupportSoft
2009-06-03 22:24 . 2009-06-03 22:24 -------- d-----w- c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 04:51 . 2008-08-27 00:53 -------- d-----w- c:\program files\Common Files\Apple
2009-06-23 01:56 . 2009-05-28 02:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
2009-05-31 19:30 . 2009-05-31 19:30 -------- d-----w- c:\program files\Common Files\Logitech
2009-05-31 19:30 . 2009-05-29 23:09 -------- d-----w- c:\program files\Logitech
2009-05-30 16:27 . 2009-05-30 16:27 40 ----a-w- c:\documents and settings\Administrator\language.dat
2009-05-29 23:11 . 2009-05-29 23:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2009-05-29 23:11 . 2009-05-29 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-05-29 23:10 . 2009-05-29 23:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-05-29 23:10 . 2009-05-29 23:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-05-29 23:10 . 2009-05-29 23:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-05-29 23:10 . 2009-05-29 23:09 -------- d-----w- c:\program files\Common Files\Logishrd
2009-05-29 23:09 . 2009-05-29 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-05-29 23:09 . 2008-08-26 21:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 23:29 . 2008-08-27 00:46 13104 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 22:27 . 2009-05-28 22:27 -------- d-----w- c:\program files\MSBuild
2009-05-28 22:27 . 2009-05-28 22:27 -------- d-----w- c:\program files\Reference Assemblies
2009-05-07 15:32 . 2002-09-03 19:42 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2002-09-03 20:03 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2002-09-03 20:03 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2002-09-03 19:53 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-01-21 92168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-29 809488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERsetup\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w- c:\program files\SUPERsetup\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 06:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/3/2009 2:51 PM 130936]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [5/29/2009 5:11 PM 10384]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\drivers\PRISMNDS.sys [8/26/2008 4:14 PM 652288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/3/2009 2:51 PM 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 18:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EasyDVDMon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ke6i65yk.default\
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ke6i65yk.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-03 15:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERsetup\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-07-03 15:33
ComboFix-quarantined-files.txt 2009-07-03 21:33

Pre-Run: 44,064,239,616 bytes free
Post-Run: 44,473,954,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

160 --- E O F --- 2009-06-10 01:54


Re: troj/rustock

Post by Belahzur on Fri Jul 03, 2009 9:41 pm

Hello.
This looks fine now.

Please use antivirus software. Once a machine is infected, it is responsible for helping spread the malware. I can't help you if you can't help yourself. :)

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u
This will also reset your restore points.

How is the machine running now?


Re: troj/rustock

Post by MacIntosh on Fri Jul 03, 2009 9:44 pm

Reset my restore points? Does this have to be done? Since I installed a bunch of stupid stuff already trying to get rid of this I was hoping to use one of those to go back a month to when I didn't have the virus, or any of the programs I have now downloaded. If you say so I will do it though.


Re: troj/rustock

Post by MacIntosh on Fri Jul 03, 2009 9:54 pm

Everything is running well right now, am I safe to use a restore if it lets me? Thank You!
