Troj/Rustok-N help with removing please

Page 1 of 2


Solved Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 5:14 pm

I went to a website and this just happened today; it says:

Your computer (IP: 24.99.122.24) generates an attacking DOS requests at our servers caused by the spyware/virus named 'Troj/Rustok-N'

We cannot provide you with an access to our content for browsing purposes as it will lead to the inevitable crush of our website.

We strongly recommend you to run your antivirus edition and, if necessary, check it for the latest updates available.

You may also download recommended software, which has been approved by a number of our surfers who encountered the same problem and used this software to overcome it.

We apologize for the inconvenience, and hope we'll see you again

Find more comments on the software at: aumhaphpbb.com

Thanks if you can help.

zhengs
Senior
Posts : 228
Joined : 2009-01-02
Gender : Male
OS : Windows Vista
Points : 30475
Likes : 0


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 5:48 pm

Please read here and post a Hijack This log.

[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
Likes : 1


Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 6:07 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:01 PM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Documents and Settings\user\Desktop\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - (no file)
O2 - BHO: (no name) - {38928D50-8A48-44C2-945F-D2F23F771410} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {62EED7C6-9F02-42f9-B634-98E2899E147B} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {850B69E4-90DB-4F45-8621-891BF35A5B53} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F166BC04-3C84-44cc-A6E9-2315EC4844B9} - (no file)
O2 - BHO: (no name) - {FE3ECAE7-0A37-4506-8A7D-3CC9A04D2CA8} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SCFTrayStartUp] C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: ????? - {13b0c05c-ef05-4bf6-b0ea-f6111af25544} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ???? - {DE607143-AC19-423e-865A-5D70ABDF119A} - [You must be registered and logged in to see this link.] (file missing)
O9 - Extra 'Tools' menuitem: ???? - {DE607143-AC19-423e-865A-5D70ABDF119A} - [You must be registered and logged in to see this link.] (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {F2BEF1B0-6B22-4697-B101-9E571EC73871} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Client Firewall - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
O23 - Service: Sophos Client Firewall Manager - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe

--
End of file - 5359 bytes


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 6:11 pm

Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - (no file)
    O2 - BHO: (no name) - {38928D50-8A48-44C2-945F-D2F23F771410} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {62EED7C6-9F02-42f9-B634-98E2899E147B} - (no file)
    O2 - BHO: (no name) - {850B69E4-90DB-4F45-8621-891BF35A5B53} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {F166BC04-3C84-44cc-A6E9-2315EC4844B9} - (no file)
    O2 - BHO: (no name) - {FE3ECAE7-0A37-4506-8A7D-3CC9A04D2CA8} - (no file)
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: ???? - {DE607143-AC19-423e-865A-5D70ABDF119A} - [You must be registered and logged in to see this link.] (file missing)
    O9 - Extra 'Tools' menuitem: ???? - {DE607143-AC19-423e-865A-5D70ABDF119A} - [You must be registered and logged in to see this link.] (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O18 - Filter hijack: text/html - {F2BEF1B0-6B22-4697-B101-9E571EC73871} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.


Delete this file in bold:
C:\WINDOWS\system32\cfrog.exe

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
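The fix list above follows a few consistent rules: entries whose target reads "(no file)" or "(file missing)" are orphaned registry references, the cfrog.exe Run entry is a system32 autorun whose value name is its own path, and the O15 Trusted Zone and O18 filter-hijack lines change how Internet Explorer handles content. The script below is an added example written for this page, not part of the thread and not HijackThis's own logic; it applies those rules to a constructed sample modelled on the posted log (the Trusted Zone host is a placeholder) and returns the lines a helper would tick for "Fix Checked".

```python
import re
from typing import List, Tuple

# Constructed sample: entries modelled on the HijackThis v2.0.2 log posted above.
# The Trusted Zone host is a placeholder, not the host from the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: trusted-host.example.invalid
O18 - Filter hijack: text/html - {F2BEF1B0-6B22-4697-B101-9E571EC73871} - (no file)
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

# Every HijackThis entry starts with a section code such as R0, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 Run entries: "HKLM\..\Run: [value name] command"
RUN_RE = re.compile(r"^HK[^:]*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def _run_target(cmd: str) -> str:
    """Strip quotes and a trailing "(User '...')" note from an O4 command."""
    cmd = re.sub(r"\s+\(User '[^']*'\)$", "", cmd)
    return cmd.strip().strip('"')


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries a helper would mark 'Fix Checked'."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O15":
            findings.append(("Trusted Zone entry: IE relaxes security for that host", line))
        elif section == "O18":
            findings.append(("MIME filter hijack: can intercept every text/html page", line))
        elif body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(("orphaned entry: registered target no longer exists", line))
        elif section == "O4":
            run = RUN_RE.match(body)
            if run:
                target = _run_target(run.group("cmd")).lower()
                # A value name that is the full path of its own system32 target
                # is the pattern of the cfrog.exe line in the posted log.
                if run.group("name").lower() == target and "\\system32\\" in target:
                    findings.append(("autorun whose value name is its own system32 path", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:55s} {line}")
```

The rules are a triage aid, not a verdict: the Java, Sophos and CTFMON entries pass untouched, and anything flagged still needs the file on disk (here cfrog.exe) looked at separately, which is why the post also asks for it to be deleted and for a Malwarebytes scan afterwards.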

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 6:44 pm

Can I do something else while Malwarebytes' Anti-Malware is scanning?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 6:45 pm

Yeah.
You can surf the net, but be careful what you surf, don't make this infection worse.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 6:47 pm

Like what surfing can make it worse?


Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 6:48 pm

And I already downloaded Malwarebytes' Anti-Malware... do I open it and do a quick scan?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 6:53 pm

Yes, quick scan please.
Just don't surf porn/torrents or anything dangerous.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 7:03 pm

What if I went to this site to watch a movie, called [You must be registered and logged in to see this link.], and near the link to the movie it shows a picture of porn... will that be anything dangerous?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 7:06 pm

Yes, that's okay, they only link to sites like megavideo.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 7:15 pm

But some are like zshare... oh well.


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 7:27 pm

Yes, don't download from zshare, you can do that once this is clean.
Standing by for MBAM scan.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 7:33 pm

Also, for the file cfrog.exe, I think it was deleted by HijackThis.


Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 7:35 pm

OK, I'm done scanning. Here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

1/2/2009 2:32:49 PM
mbam-log-2009-01-02 (14-32-49).txt

Scan type: Quick Scan
Objects scanned: 44664
Time elapsed: 43 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


What do I do next?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 7:37 pm

Hello.
MBAM came back clean, let's see if there's any malware left on this machine.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste the report back here.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 7:50 pm

I got a question. I'm using Firefox, and when I do something, like go to a website or open up stuff in Firefox... there's always this advertisement that pops up.


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 7:52 pm

Okay.
Please run DDS.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 7:55 pm

DDS.txt:

\Malwarebytes
2008-12-29 23:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-29 23:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 23:06 --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 23:06 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-29 22:52 17,163 a------- c:\windows\system32\threat927y.d01
2008-12-29 22:52 14,055 a------- c:\windows\system32\cookies888.rar
2008-12-29 22:52 12,560 a------- c:\windows\system32\resource897.rar
2008-12-29 22:52 12,004 a------- c:\windows\system32\soap905.rar
2008-12-29 22:52 10,510 a------- c:\windows\system32\392.ace
2008-12-29 22:52 9,953 a------- c:\windows\system32\922base.ace
2008-12-29 22:52 8,459 a------- c:\windows\system32\cookies931.ace
2008-12-29 22:52 5,350 a------- c:\windows\system32\data037D.pk1
2008-12-29 22:52 3,856 a------- c:\windows\system32\resource901.pk1
2008-12-29 22:52 3,299 a------- c:\windows\system32\38e.d01
2008-12-29 22:52 2,743 a------- c:\windows\system32\user918.d01
2008-12-29 19:18 18,288 a------- c:\windows\system32\wtl_dt545.zip
2008-12-20 21:16 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-20 19:54 --d----- c:\windows\.file_store_32
2008-12-20 12:35 --d----- c:\documents and settings\user\dwhelper
2008-12-20 11:14 --d----- c:\program files\SwiftKit
2008-12-20 11:02 --d----- c:\docume~1\alluse~1\applic~1\SwiftSwitch
2008-12-18 18:56 --d----- c:\windows\system32\msmq
2008-12-12 11:52 --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-12-09 22:07 24,288 a---h--- c:\windows\system32\mlfcache.dat
2008-12-09 17:12 --d----- c:\windows\SxsCaPendDel
2008-12-06 19:36 94,208 a------- c:\windows\ScUnin.exe
2008-12-06 19:36 35,382 a------- c:\windows\scunin.dat
2008-12-06 19:36 967 a------- c:\windows\ScUnin.pif

==================== Find3M ====================

2009-01-02 10:52 31 a------- c:\documents and settings\user\jagex_runescape_preferences.dat
2008-12-29 22:51 22,016 a------- c:\windows\system32\rasha.exe
2008-12-29 19:18 3,486 a------- c:\windows\system32\uninstall30f.zip
2008-11-18 17:05 3,715 a------- c:\windows\system32\cid_store.dat
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-05 22:11 917,032 a------- c:\windows\system32\WgaTray.back.exe
2008-11-05 20:23 319,488 a------- c:\windows\HideWin.exe
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll

============= FINISH: 14:50:11.14 ===============

and Attach.txt:

\msscript.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 1.0.0.18000, the version of the system file is 1.0.0.8820.
12/28/2008 8:57:54 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\wshom.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.7.0.18068, the version of the system file is 5.6.0.8820.
12/28/2008 12:54:30 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file msscript.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 1.0.0.18000, the version of the system file is 1.0.0.8820.
12/28/2008 12:54:30 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file wshom.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.7.0.18068, the version of the system file is 5.6.0.8820.
12/31/2008 9:53:02 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file dmadmin.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2600.2180.503.0.
12/31/2008 9:53:02 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file dmremote.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2600.2180.503.0.
12/31/2008 9:53:21 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\dmadmin.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2600.2180.503.0.

==== End Of File ===========================

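Two things stand out in the DDS output above even before the GMER scan: a burst of .rar, .ace, .pk1 and .d01 files written into system32 within the same minute (22:52), with rasha.exe written one minute earlier, and Windows File Protection events reporting that replacements of wshom.ocx and msscript.ocx were attempted and reverted. The script below is an added example for this page, not part of the thread and not DDS's own code; it parses a constructed, shortened copy of that listing and of the attach.txt lines, groups odd-extension files by minute and directory, looks for executables written in the same window, and turns each WFP event into a record of which protected file was targeted and with what version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample modelled on the DDS "new files" listing above (timestamps and
# names are taken from the posted log; the list is shortened).
DDS_LISTING = r"""
2008-12-29 23:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-29 23:06 --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 22:52 17,163 a------- c:\windows\system32\threat927y.d01
2008-12-29 22:52 14,055 a------- c:\windows\system32\cookies888.rar
2008-12-29 22:52 12,560 a------- c:\windows\system32\resource897.rar
2008-12-29 22:52 10,510 a------- c:\windows\system32\392.ace
2008-12-29 22:52 5,350 a------- c:\windows\system32\data037D.pk1
2008-12-29 22:51 22,016 a------- c:\windows\system32\rasha.exe
2008-12-20 21:16 221,184 a------- c:\windows\system32\wmpns.dll
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
"""

# Constructed sample modelled on the Windows File Protection lines in attach.txt.
WFP_EVENTS = r"""
12/28/2008 8:57:54 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\wshom.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.7.0.18068, the version of the system file is 5.6.0.8820.
12/31/2008 9:53:02 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file dmadmin.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2600.2180.503.0.
"""

# "date hh:mm [size] attrs path"; directories carry no size and a 'd' attribute.
DDS_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
                    r"(?:(?P<size>[\d,]+)\s+)?(?P<attr>[a-z-]{8})\s+(?P<path>.+)$")
# Archive and data extensions that have no business being dropped into system32.
ODD_EXTENSIONS = {".rar", ".ace", ".zip", ".pk1", ".d01"}
Burst = Tuple[str, str, str]  # (date, hh:mm, parent directory)


def parse_dds(listing: str) -> List[dict]:
    rows = []
    for line in listing.splitlines():
        m = DDS_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def _stamp(row: dict) -> datetime:
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M")


def file_drop_bursts(listing: str, min_files: int = 3) -> Dict[Burst, List[str]]:
    """Odd-extension files written to one directory within the same minute."""
    groups: Dict[Burst, List[str]] = defaultdict(list)
    for row in parse_dds(listing):
        if "d" in row["attr"]:          # directory entry, not a file
            continue
        path = row["path"].lower()
        parent, _, name = path.rpartition("\\")
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in ODD_EXTENSIONS:
            groups[(row["date"], row["time"], parent)].append(path)
    return {k: v for k, v in groups.items() if len(v) >= min_files}


def executables_near(listing: str, burst: Burst, window_minutes: int = 5) -> List[str]:
    """Executables written within the window around a burst: candidate droppers."""
    centre = datetime.strptime(f"{burst[0]} {burst[1]}", "%Y-%m-%d %H:%M")
    hits = []
    for row in parse_dds(listing):
        path = row["path"].lower()
        if "d" in row["attr"] or not path.endswith((".exe", ".dll", ".sys")):
            continue
        if abs(_stamp(row) - centre) <= timedelta(minutes=window_minutes):
            hits.append(path)
    return hits


WFP_HEAD = re.compile(r"^(?P<when>.+?), information: Windows File Protection \[(?P<event>\d+)\]")
WFP_FILE = re.compile(r"protected system file (?P<file>\S+)\. ")
WFP_BAD = re.compile(r"bad file is (?P<ver>[\d.]+),")
WFP_SYS = re.compile(r"version of the system file is (?P<ver>[\d.]+)\.")


def wfp_replacement_attempts(events: str) -> List[dict]:
    """One record per WFP event 64001/64002: which protected file was targeted."""
    out = []
    for line in events.splitlines():
        head = WFP_HEAD.match(line)
        if not head:
            continue
        f, bad, good = WFP_FILE.search(line), WFP_BAD.search(line), WFP_SYS.search(line)
        out.append({"when": head["when"], "event": int(head["event"]),
                    "file": f["file"] if f else None,
                    "bad_version": bad["ver"] if bad else None,      # absent for 64002
                    "system_version": good["ver"] if good else None})
    return out


if __name__ == "__main__":
    for burst, files in file_drop_bursts(DDS_LISTING).items():
        print(burst, len(files), "files; nearby executables:", executables_near(DDS_LISTING, burst))
    for rec in wfp_replacement_attempts(WFP_EVENTS):
        print(rec)
```

On this sample the burst finder returns one group of five files in c:\windows\system32 at 22:52 and names rasha.exe as the executable written within the same window; the WFP parser shows that the first event carried a "bad file" version while the 64002 event did not, which is why the bad_version field is allowed to be empty.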

Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 7:58 pm

Okay, let's check for a rootkit.

Please run a GMER Rootkit scan:

Download GMER's application from here:
[You must be registered and logged in to see this link.]

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 8:06 pm

I got a problem when I clicked Scan in GMER.exe. When it was scanning, something popped up saying this:

WARNING!!!!
GMER has found system modification, which might have been caused by ROOTKIT activity. Do you want to fully scan your system?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 8:08 pm

Yes, we need to find the rootkit and remove it.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 8:10 pm

Okay, doing a full scan.


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 8:10 pm

If the log turns out to be huge, upload it here:
sendspace.com

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 8:46 pm

When I click Copy, it says it was copied to the clipboard.


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 8:51 pm

Copy all of it to a notepad file and save it somewhere, like your desktop.
Then if it's small, post it here. If not, upload it at sendspace.com

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 8:52 pm

For the sendspace thing, it needs the recipient e-mail...


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 8:53 pm

No it doesn't, it says (optional)
Leave the optionals blank.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 8:53 pm

Nope... it's too big.


Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 8:54 pm

Oh okay, sorry, didn't see it.


Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 8:54 pm

So all I do is upload it, and how are you gonna get it?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 8:55 pm

When you upload it, it gives you a URL to use.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 8:59 pm

Address not found, can't find the server. Can't upload because of this.


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 9:01 pm

Okay, look through the log yourself, probably down the bottom of the log somewhere, there might be a line that says this:

"<--- ROOTKIT !!!!"

If there is, please let me know.

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 9:05 pm

OK, I fixed the problem. It was my firewall.


Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 9:05 pm

I'm uploading the text of the scan now.


Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 9:08 pm

[You must be registered and logged in to see this link.] This is the download link.


Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 9:14 pm

And by the way, is the ROOTKIT in red in the GMER scan?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 9:17 pm

Hello.
Yes, there are in fact TWO rootkits we need to kill.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]. <== the first link may be blocked, so use the second link

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box blank.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 9:26 pm

Isn't it 6 rootkits we need to kill?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 9:27 pm

I just had a brief look at the log and noticed two rootkits; if there's more, The Avenger will take them down also.



Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 9:30 pm

And so I check the box for "scan for rootkits" and check the box "disable any rootkits found"?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 9:32 pm

Scan for rootkits should already be ticked.
Then tick the "Disable any rootkits found"

Then press the execute button.



Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 9:37 pm

It says:
first step completed --- The Avenger has been successfully set up to run on next boot . reboot now?

yes no


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 9:37 pm

Yes.



Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 9:50 pm

Okay, it's done. This is what it says:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "msqpdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\msqpdxntidbwuc.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 9:57 pm

Hello.
We need to delete the rootkit now.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
msqpdxserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\msqpdxntidbwuc.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


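The removal script above is built by hand from the Avenger log: the service name from the "Hidden driver" line and the on-disk path from the ImagePath line, with \systemroot\ expanded to C:\WINDOWS. As an added example (not part of this thread or of The Avenger), the following Python does the same extraction over a constructed copy of the log, so a helper can check that every disabled driver in a scan has a matching "Drivers to delete" / "Files to delete" entry. It assumes the system root is C:\WINDOWS, as the posted script does.

```python
"""Added example (not from the thread): derive an Avenger deletion script from
an Avenger rootkit-scan log, mirroring the hand-written script in the thread."""
import re

# Constructed sample, modelled on the log zhengs pasted above.
SAMPLE_LOG = """Logfile of The Avenger Version 2.0, (c) by Swandog46

Platform: Windows XP

Rootkit scan active.

Hidden driver "msqpdxserv.sys" found!
ImagePath: \\systemroot\\system32\\drivers\\msqpdxntidbwuc.sys
Driver disabled successfully.

Rootkit scan completed.
"""

DRIVER_RE = re.compile(r'^Hidden driver "([^"]+)" found!$')
IMAGE_RE = re.compile(r'^ImagePath:\s*(\S+)$')


def parse_hidden_drivers(log_text, system_root="C:\\WINDOWS"):
    """Return [(service_name, on_disk_path)] for each hidden driver reported.
    The ImagePath line that follows a "Hidden driver" line belongs to it."""
    found = []
    pending = None  # service name waiting for its ImagePath
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = IMAGE_RE.match(line)
        if m and pending is not None:
            path = m.group(1)
            # Kernel object paths start with \systemroot\; expand to the
            # Win32 path the "Files to delete" section expects (assumption).
            if path.lower().startswith("\\systemroot\\"):
                path = system_root + path[len("\\systemroot"):]
            found.append((pending, path))
            pending = None
    return found


def build_avenger_script(entries):
    """Render the two-section script The Avenger accepts; empty if no drivers."""
    if not entries:
        return ""
    drivers = "\n".join(name for name, _ in entries)
    files = "\n".join(path for _, path in entries)
    return f"Drivers to delete:\n{drivers}\n\nFiles to delete:\n{files}\n"
```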

Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 10:04 pm

What text is contained in the code box? And what clipboard?


Solved Re: Troj/Rustok-N help with removing please

Post by Belahzur on 2nd January 2009, 10:14 pm

Clipboard is what copy/paste is called in tech terms.
The code box above with the "Drivers to delete" / "Files to delete".



Solved Re: Troj/Rustok-N help with removing please

Post by zhengs on 2nd January 2009, 10:22 pm

So do I also copy and paste the "Drivers to delete" and "Files to delete" thing into The Avenger box?

Another question is: do I just copy and paste the file names and driver names above to delete into The Avenger box?
