Trojan Rustock-N Need help!


Post by Coldmeteor on 20th May 2009, 7:55 am

Any help would be highly appreciated as I've tried almost everything I can think of and had no luck. Here's my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:51 PM, on 20/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Sivan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CV7X16XP\hijackgpthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundTray] C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E22B20E-5C71-4279-9850-09EFFA919338}: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E22B20E-5C71-4279-9850-09EFFA919338}: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E22B20E-5C71-4279-9850-09EFFA919338}: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.134,85.255.112.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 7442 bytes

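The lines in the log above that a responder looks at first are the O17 and O10 entries: every control set (CCS, CS1 and CS2) and the adapter-specific Tcpip key all point DNS at the same two external addresses, and the Winsock LSP chain carries a DLL that HijackThis cannot attribute. The script below is an added example written for this page; it is not part of the original post and not a HijackThis feature. It parses those lines and classifies each resolver against an allowlist of resolvers the host should be using. The sample lines are copied from the posted log; the allowlist entry 192.168.1.1 is an assumed home-router address, and the 85.255.112.0/20 range is the editor's own note of a resolver block that was published as rogue in the DNSChanger (Rove Digital) case, not something the log itself states.

```python
"""Triage of HijackThis O17 (NameServer) and O10 (Winsock LSP) lines.

Added example for this page; not part of the original post and not a
HijackThis feature.  SAMPLE_LOG is copied from the posted log.  The
allowlist passed by the caller is an assumption: the resolvers the host
should legitimately be using (router, ISP, corporate DNS).
"""
import ipaddress
import re

# Copied from the HijackThis log posted in this thread (sample input).
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E22B20E-5C71-4279-9850-09EFFA919338}: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E22B20E-5C71-4279-9850-09EFFA919338}: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E22B20E-5C71-4279-9850-09EFFA919338}: NameServer = 85.255.112.134,85.255.112.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.134,85.255.112.10
"""

# Editor's note, not from the log: 85.255.112.0-85.255.127.255 was one of the
# resolver blocks published as rogue in the DNSChanger (Rove Digital) case.
KNOWN_ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>.+)$")
CONTROL_SET_RE = re.compile(r"HKLM\\System\\(CCS|CS\d+)\\")


def parse_nameservers(log):
    """Map each resolver IP to the registry keys that point at it."""
    hits = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            for ip in m.group("servers").split(","):
                hits.setdefault(ip, []).append(m.group("key"))
    return hits


def control_sets_touched(keys):
    """Control sets carrying the setting (CCS = CurrentControlSet, CS1, CS2 ...).

    If CS1/CS2 are set too, 'Last Known Good' boots with the same resolvers."""
    found = set()
    for key in keys:
        m = CONTROL_SET_RE.search(key)
        if m:
            found.add(m.group(1))
    return found


def classify_resolver(ip, allowlist):
    """'known-rogue' if inside a published rogue block, 'expected' if inside
    the allowlist, otherwise 'unexpected' (investigate)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in KNOWN_ROGUE_DNS):
        return "known-rogue"
    if any(addr in ipaddress.ip_network(a, strict=False) for a in allowlist):
        return "expected"
    return "unexpected"


def unknown_lsp_dlls(log):
    """Distinct DLLs HijackThis could not attribute in the Winsock LSP chain."""
    dlls = set()
    for line in log.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            dlls.add(m.group("dll").strip().lower())
    return sorted(dlls)


def triage(log, allowlist):
    """Per-resolver verdict, control sets hit, and unattributed LSP DLLs."""
    report = {"dns": {}, "lsp": unknown_lsp_dlls(log)}
    for ip, keys in parse_nameservers(log).items():
        report["dns"][ip] = {
            "verdict": classify_resolver(ip, allowlist),
            "control_sets": sorted(control_sets_touched(keys)),
            "keys": keys,
        }
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ["192.168.1.1"])  # router address is an assumption
    for ip, info in result["dns"].items():
        print(ip, info["verdict"], info["control_sets"])
    print("unattributed LSP DLLs:", result["lsp"])
```

The control-set list is the part worth acting on: a NameServer value written into CS1 and CS2 as well as CurrentControlSet survives a "Last Known Good Configuration" boot, so the remediation has to reset the NameServer values (or re-enable DHCP-assigned DNS) rather than roll back.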

Re: Trojan Rustock-N Need help!

Post by Belahzur on 20th May 2009, 1:27 pm

Hello.
There's more than one active AV here, so I want to uninstall a few things before doing anything because it will only interfere with this.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Trojan Rustock-N Need help!

Post by Coldmeteor on 20th May 2009, 9:15 pm

AC3Filter (remove only)
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
AlienRespawn v2.0
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AVG 8.5
Battlefield 1942
Bonjour
Call of Duty(R) 4 - Modern Warfare(TM)
Choice Guard
DebugMode Wax 2.0
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DivxFree
Fallout 3
Fraps (remove only)
Host OpenAL (ADI)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 7
LimeWire 5.1.2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Visual C++ 2005 Redistributable
mIRC
MSVCRT
Nero 7 Essentials
NVIDIA PhysX v8.10.13
OGA Notifier 1.7.0105.35.0
OpenOffice.org 3.0
ParetoLogic Anti-Virus PLUS
PowerDVD
QuickTime
ScanSpyware 3.9.1.7
SoundMAX
Spyware Doctor 6.0
Steam
VC80CRTRedist - 8.0.50727.762
Warhammer 40,000: Dawn of War II
Warhammer Online - Age of Reckoning
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Movie Maker 2.6
WinRAR archiver
World of Warcraft
Xvid 1.2.1 final uninstall


Re: Trojan Rustock-N Need help!

Post by Belahzur on 20th May 2009, 9:24 pm

Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Java(TM) 6 Update 7
  • Limewire 5.1.2
  • ParetoLogic Anti-Virus PLUS
  • ScanSpyware 3.9.1.7

Next,

  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools -> Options -> Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename ComboFix to Combo-Fix as follows:
    3. It is important you rename ComboFix during the download, but not after.
    4. Please do not rename ComboFix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV (AVG 8).
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: Trojan Rustock-N

Post by Coldmeteor on 21st May 2009, 8:09 am

ComboFix 09-05-20.A0 - Sivan 21/05/2009 17:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2047.998 [GMT 10:00]
Running from: c:\users\Sivan\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\system32\drivers\gxvxciumvmddbfovlpbkxthvlttxtcknwxjcd.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcpggwqsiwmdbpihfigbyhgesfcpxopmmf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 07:52 . 2009-05-21 07:53 -------- d-----w c:\users\Sivan\AppData\Local\temp
2009-05-20 21:07 . 2009-05-21 07:39 333856 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-20 07:33 . 2009-05-21 07:37 -------- d-----w c:\users\Sivan\AppData\Roaming\ScanSpyware
2009-05-20 07:30 . 2009-05-21 07:37 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-20 07:29 . 2009-05-20 07:29 -------- d-----w c:\users\Sivan\AppData\Local\Downloaded Installations
2009-05-19 12:57 . 2009-05-19 12:57 -------- d-----w C:\SDFix
2009-05-19 12:56 . 2009-05-19 12:56 -------- d-----w C:\Rustbfix
2009-05-19 08:57 . 2009-05-19 12:48 -------- d-----w c:\program files\TrojanHunter 5.1
2009-05-19 08:15 . 2009-05-19 08:15 -------- d-----w c:\program files\DivxFree
2009-05-19 06:33 . 2009-05-19 06:33 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-19 06:33 . 2009-05-19 07:20 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-19 06:33 . 2009-05-19 06:33 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-05-19 06:15 . 2009-05-19 06:15 -------- d-----w c:\users\Sivan\AppData\Local\PunkBuster
2009-05-15 14:00 . 2008-03-05 05:56 1420824 ----a-w c:\windows\system32\D3DCompiler_37.dll
2009-05-15 14:00 . 2008-02-05 13:07 462864 ----a-w c:\windows\system32\d3dx10_37.dll
2009-05-15 14:00 . 2008-03-05 05:56 3786760 ----a-w c:\windows\system32\D3DX9_37.dll
2009-05-15 14:00 . 2007-04-04 08:53 81768 ----a-w c:\windows\system32\xinput1_3.dll
2009-05-06 04:25 . 2009-05-12 09:59 -------- d-----w c:\users\Sivan\AppData\Roaming\mIRC
2009-05-06 04:25 . 2009-05-06 04:25 -------- d-----w c:\program files\mIRC
2009-04-27 08:25 . 2009-04-27 08:25 -------- d-----w c:\program files\AC3Filter
2009-04-21 14:20 . 2009-04-21 14:20 14311680 ----a-w c:\windows\system32\xlive.dll
2009-04-21 14:20 . 2009-04-21 14:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 07:48 . 2009-05-19 13:31 4838 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-05-21 07:41 . 2009-02-17 06:03 -------- d-----w c:\program files\Steam
2009-05-21 07:39 . 2009-05-20 21:07 4988 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-21 07:35 . 2009-02-17 06:11 -------- d-----w c:\program files\Java
2009-05-20 07:25 . 2009-02-21 02:18 -------- d-----w c:\program files\World of Warcraft
2009-05-19 08:37 . 2009-02-17 06:03 -------- d-----w c:\program files\Common Files\Steam
2009-05-16 03:12 . 2009-01-20 03:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-16 03:02 . 2009-02-17 06:48 -------- d-----w c:\program files\Activision
2009-05-13 12:40 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-01 23:55 . 2009-03-22 00:45 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-01 23:55 . 2009-03-22 00:45 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-01 23:55 . 2009-03-22 00:45 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 06:19 . 2009-03-19 08:15 -------- d-----w c:\program files\Electronic Arts
2009-03-26 20:02 . 2009-02-16 05:42 103720 ----a-w c:\users\Sivan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-26 06:02 . 2009-03-26 06:02 532 ----a-w c:\windows\eReg.dat
2009-03-26 05:53 . 2009-03-26 05:53 -------- d-----w c:\program files\EA GAMES
2009-03-25 20:16 . 2009-02-17 05:36 -------- d-----w c:\program files\Warcraft III
2009-03-24 07:32 . 2009-01-20 03:28 -------- d-----w c:\program files\Common Files\Ahead
2009-03-24 07:25 . 2009-03-24 07:25 -------- d-----w c:\program files\Movie Maker 2.6
2009-03-24 05:52 . 2009-03-24 05:52 -------- d-----w c:\program files\Sonic Foundry
2009-03-24 05:52 . 2009-03-24 05:52 -------- d-----w c:\program files\Pure Motion
2009-03-24 05:52 . 2009-03-24 05:52 -------- d-----w c:\program files\DebugMode
2009-03-24 05:23 . 2009-03-24 05:23 -------- d-----w c:\program files\Audacity
2009-03-17 03:38 . 2009-04-23 05:04 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-23 05:04 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-08 18:19 . 2009-02-17 06:12 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2009-04-07 06:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-04-07 06:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-04-07 06:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-04-07 06:00 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-04-07 06:00 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-04-07 06:00 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-04-07 06:00 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-04-07 06:00 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-04-07 06:00 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-04-07 06:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-04-07 06:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-04-07 06:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-04-07 06:00 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-04-07 06:00 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-04-07 06:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-04-07 06:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-04-07 06:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-04-07 06:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-23 05:04 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-23 05:04 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-23 05:04 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-23 05:04 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-23 05:04 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-23 05:04 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-23 05:04 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-23 05:04 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-23 05:04 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-23 05:04 17408 ----a-w c:\windows\system32\iashost.exe
2009-02-23 05:48 . 2009-02-23 05:48 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-02-12 18:58 . 2009-02-12 18:58 22 --sha-w c:\windows\SMINST\HPCD.sys
.


Re: Trojan Rustock-N Need help!

Post by Coldmeteor on 21st May 2009, 8:10 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Steam"="c:\program files\Steam\Steam.exe" [2009-05-19 1217784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="c:\program files\Analog Devices\SoundMAX\SoundTray.exe" [2007-05-21 49152]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-29 65120]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-13 52832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-06-06 1261568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]

c:\users\Sivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{901DE89F-D072-40B5-89FF-C209BA9F599A}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{315C0169-57F7-4A3E-8C31-1B50CF5EED6C}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{E99751D2-E897-4D29-9542-3B884A9CE554}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{BA9BB17C-AD52-4C4D-AC64-19ED898A55B9}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{AAD81DC3-8E23-4287-8C8B-17099D7468FA}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{2942925F-62A0-4089-912A-EA2887936416}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{7D26DCD3-4487-43F6-A5D6-DF2623B81062}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E9D487DA-0BB4-44B8-819B-AC723CB3C5ED}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2191BF71-209C-41AB-A3BC-0436B6256DDC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{12D53125-20A9-4C17-B6B7-26B334DB19B5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{29C345B5-ABB7-416F-B769-B3BBA936F9F8}c:\\program files\\world of warcraft\\repair.exe"= UDP:c:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{0CC33409-610D-4DA2-B28B-35EFE8CB2A0F}c:\\program files\\world of warcraft\\repair.exe"= TCP:c:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{CE67DD53-E763-49A4-88F9-9562FDDD5D54}c:\\users\\sivan\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\9de6wrrj\\wow-3.0.1.8874-ptr-us-installer-downloader[1].exe"= UDP:c:\users\sivan\appdata\local\microsoft\windows\temporary internet files\content.ie5\9de6wrrj\wow-3.0.1.8874-ptr-us-installer-downloader[1].exe:wow-3.0.1.8874-ptr-us-installer-downloader[1].exe
"UDP Query User{38950E48-0ED8-4340-B35A-AE9852F910E6}c:\\users\\sivan\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\9de6wrrj\\wow-3.0.1.8874-ptr-us-installer-downloader[1].exe"= TCP:c:\users\sivan\appdata\local\microsoft\windows\temporary internet files\content.ie5\9de6wrrj\wow-3.0.1.8874-ptr-us-installer-downloader[1].exe:wow-3.0.1.8874-ptr-us-installer-downloader[1].exe
"TCP Query User{1F39B16B-0240-444D-A849-F33ABA460F7B}c:\\users\\public\\games\\world of warcraft public test\\launcher.exe"= UDP:c:\users\public\games\world of warcraft public test\launcher.exe:Blizzard Launcher
"UDP Query User{B3133547-C502-4284-BE8C-CE0C6213AD88}c:\\users\\public\\games\\world of warcraft public test\\launcher.exe"= TCP:c:\users\public\games\world of warcraft public test\launcher.exe:Blizzard Launcher
"TCP Query User{2404A74B-B9F5-47CE-A3DC-B9FE627B82E4}c:\\program files\\bethesda softworks\\fallout 3\\fallout3.exe"= UDP:c:\program files\bethesda softworks\fallout 3\fallout3.exe:Fallout3
"UDP Query User{3AC92C70-1647-403F-BB07-37D8A1DC64ED}c:\\program files\\bethesda softworks\\fallout 3\\fallout3.exe"= TCP:c:\program files\bethesda softworks\fallout 3\fallout3.exe:Fallout3
"TCP Query User{75339B40-6ED7-41E6-96DE-AF2C4B18B33F}c:\\program files\\steam\\steamapps\\common\\dawn of war 2\\dow2.exe"= UDP:c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe:DOW2
"UDP Query User{48182E6B-F295-40EE-ACCC-B0C3CAEFFFA3}c:\\program files\\steam\\steamapps\\common\\dawn of war 2\\dow2.exe"= TCP:c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe:DOW2
"TCP Query User{82E38915-C018-431C-9876-2E9E392B6320}c:\\users\\public\\games\\world of warcraft public test\\launcher.exe"= UDP:c:\users\public\games\world of warcraft public test\launcher.exe:Blizzard Launcher
"UDP Query User{8DED9493-D69A-4010-A98A-C8AA6FE67A9A}c:\\users\\public\\games\\world of warcraft public test\\launcher.exe"= TCP:c:\users\public\games\world of warcraft public test\launcher.exe:Blizzard Launcher
"{F0F421B2-491A-4CDA-BFAB-77E0B020F472}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-0.1.0.9626-to-0.1.0.9637-enUS-downloader.exe:Blizzard Downloader
"{0B3C300D-E33F-44F4-91D6-595A08D555D3}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-0.1.0.9626-to-0.1.0.9637-enUS-downloader.exe:Blizzard Downloader
"{E9B1E857-D3E4-4CAD-B6D9-35E579E80DA5}"= UDP:3724:Blizzard Downloader: 3724
"TCP Query User{D1E19718-D563-4DCC-8DFA-B81D975B0179}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{A8EBA045-EF6E-4C96-9BE3-5E449459BD9E}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{BB18AD2A-1DBE-4C01-9E2E-E68FC30739C5}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{A0E053EF-3270-4402-B27A-05C71CA88413}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{56070087-1A3D-4A52-97E0-99996063AD7D}"= TCP:88:Dow2
"{FE564910-30E3-4D87-BCC5-326AF08FCABF}"= TCP:3074:Dow2
"{218E7935-5AF8-4E34-B1E1-A5E14944A6B8}"= TCP:53:Dow2
"{A37E6AEB-ACB3-4BAE-8DDD-8E99E6628459}"= UDP:53:Dow2
"{8469F656-EEC4-4819-B828-3AA45AF0E3FB}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{2C41BD4A-AA32-4A95-AB3E-B33F842300C3}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{5AE0A2EA-1A5B-4338-B1C9-C1F6104E3249}c:\\program files\\ea games\\battlefield 1942\\bf1942.exe"= UDP:c:\program files\ea games\battlefield 1942\bf1942.exe:BF1942
"UDP Query User{507F8448-A5EA-4DCA-82BF-1E633A89B885}c:\\program files\\ea games\\battlefield 1942\\bf1942.exe"= TCP:c:\program files\ea games\battlefield 1942\bf1942.exe:BF1942
"{1AA95404-F656-4DA5-B422-BF14D193A72B}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{12646324-6F7D-4A93-860B-760591E1FD8F}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{29731160-41EF-48CD-826C-8D4BED5B1E5D}"= UDP:3724:Blizzard Downloader: 3724
"TCP Query User{0C633AD3-DDE5-4E9D-AD0B-D205C48F2956}c:\\program files\\world of warcraft\\launcher.exe"= UDP:c:\program files\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{50CE4CD7-F21A-4A13-8895-C00BE5114A84}c:\\program files\\world of warcraft\\launcher.exe"= TCP:c:\program files\world of warcraft\launcher.exe:Blizzard Launcher
"TCP Query User{B4A667EB-3457-48CF-BFBA-63E8743B9F8C}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{DD5B01FB-0656-46E2-B002-DA16472FC739}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"{84088BDC-E1F6-4711-8061-36225045324A}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-0.1.2-enUS-downloader.exe:Blizzard Downloader
"{EFD5B30E-E727-430C-959D-3E9A1DEF55ED}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-0.1.2-enUS-downloader.exe:Blizzard Downloader
"{8F635AF0-1FEC-4418-8A35-8B1CB0521741}"= UDP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{30E838E3-085C-4D0D-88CF-4444F8B23F1E}"= TCP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [22/03/2009 10:45 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [22/03/2009 10:45 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [22/03/2009 10:45 AM 298776]
S3 LycoFltr;Lycosa Keyboard;c:\windows\System32\drivers\Lycosa.sys [18/01/2008 5:43 AM 16128]
S3 UsbFltr;Razer Copperhead Driver;c:\windows\System32\drivers\copperhd.sys [2/11/2005 9:54 AM 11596]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\User_Feed_Synchronization-{74521C2D-5195-4AD1-BE18-64186D9B66A3}.job
- c:\windows\system32\msfeedssync.exe [2009-04-07 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-21 17:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2009-05-21 17:53
ComboFix-quarantined-files.txt 2009-05-21 07:53

Pre-Run: 94,600,851,456 bytes free
Post-Run: 95,136,468,992 bytes free

215 --- E O F --- 2009-05-15 14:00

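What the Other Deletions and Drivers/Services blocks of the log above show is a kernel driver, a DLL, a counter file and a service that all carry the same five-letter tag followed by a randomised tail; that naming pattern, rather than any one file name, is what you would pivot on to check other machines. The script below is an added example written for this page, not part of the original post and not a ComboFix feature. It splits a ComboFix log into its banner sections, lists what was deleted, groups the random-named files by shared prefix and ties the removed service to that group, and also flags two things worth confirming by hand: an Autorun.inf sitting at a drive root and the Security Center AntiVirusOverride flag, which silences the "no antivirus" warning and should be traced to a legitimate product or the user. The sample log is an excerpt constructed from the two halves posted above; the prefix length of five is an assumed heuristic.

```python
"""Indicator extraction from a ComboFix log.

Added example for this page; not part of the original post and not a
ComboFix feature.  SAMPLE_LOG is an excerpt constructed from the two log
halves posted in this thread.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\system32\drivers\gxvxciumvmddbfovlpbkxthvlttxtcknwxjcd.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcpggwqsiwmdbpihfigbyhgesfcpxopmmf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
SERVICE_RE = re.compile(r"^-+\\Service_(?P<svc>.+)$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{10,}$")   # long, letters only, no separators


def split_sections(log):
    """Group the log's lines under their '(((( Name ))))' banners."""
    sections, current = defaultdict(list), None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def deleted_paths(sections):
    """File paths ComboFix reported under Other Deletions."""
    return [l for l in sections.get("Other Deletions", []) if "\\" in l]


def removed_services(sections):
    """Service names ComboFix reported removing (the '-------\\Service_X' lines)."""
    out = []
    for l in sections.get("Drivers/Services", []):
        m = SERVICE_RE.match(l)
        if m:
            out.append(m.group("svc"))
    return out


def random_name_families(paths, prefix_len=5):
    """Group files whose basename is a long all-lowercase string by its first
    prefix_len characters.  prefix_len is an assumed heuristic for droppers
    that keep a fixed tag and randomise the rest of the name."""
    fam = defaultdict(list)
    for p in paths:
        stem = p.rsplit("\\", 1)[-1].split(".", 1)[0]
        if RANDOM_STEM_RE.match(stem):
            fam[stem[:prefix_len]].append(p)
    return {k: v for k, v in fam.items() if len(v) >= 2}


def services_for_family(prefix, services):
    """Removed services that share the family's tag (case-insensitive)."""
    return [s for s in services if s.lower().startswith(prefix)]


def root_autorun(paths):
    """Autorun.inf at a drive root: the removable-media spreading hook."""
    return [p for p in paths if re.match(r"^[a-z]:\\autorun\.inf$", p, re.I)]


def av_override_set(sections):
    """True if the Security Center 'AntiVirusOverride' flag is set to 1."""
    return any(l.lower() == '"antivirusoverride"=dword:00000001'
               for l in sections.get("Reg Loading Points", []))


def extract_iocs(log):
    """One report: random-name families (with their services), root Autorun.inf, AV override."""
    s = split_sections(log)
    paths, svcs = deleted_paths(s), removed_services(s)
    return {
        "families": {k: {"files": v, "services": services_for_family(k, svcs)}
                     for k, v in random_name_families(paths).items()},
        "root_autorun": root_autorun(paths),
        "av_override": av_override_set(s),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_LOG), indent=2))
```

Feed it the whole combofix.txt rather than the excerpt; the section splitter does not care how many banners the log has, and the family grouping is what you would turn into a filename pattern for a sweep of other hosts.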

Re: Trojan Rustock-N Need help!

Post by Belahzur on 21st May 2009, 8:41 am

Hello.

I see that you are running Limewire and uTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire and uTorrent are not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • uTorrent
  • Limewire

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Folder::
c:\program files\limewire
c:\program files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{E99751D2-E897-4D29-9542-3B884A9CE554}c:\\program files\\limewire\\limewire.exe"=-
"UDP Query User{BA9BB17C-AD52-4C4D-AC64-19ED898A55B9}c:\\program files\\limewire\\limewire.exe"=-
"{AAD81DC3-8E23-4287-8C8B-17099D7468FA}"=-
"{2942925F-62A0-4089-912A-EA2887936416}"=-
"TCP Query User{D1E19718-D563-4DCC-8DFA-B81D975B0179}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{A8EBA045-EF6E-4C96-9BE3-5E449459BD9E}c:\\program files\\utorrent\\utorrent.exe"=-
"TCP Query User{BB18AD2A-1DBE-4C01-9E2E-E68FC30739C5}c:\\program files\\limewire\\limewire.exe"=-
"UDP Query User{A0E053EF-3270-4402-B27A-05C71CA88413}c:\\program files\\limewire\\limewire.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


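The reply above deletes the stale Windows Firewall rules one value at a time, and a hand-typed Registry:: block is easy to get subtly wrong: a value line is only a delete instruction when it ends in `=-`. Below is an added example, not part of the original post and not a ComboFix feature, that builds the CFScript from the FirewallRules dump posted earlier in the thread: every value whose name or data points into a directory being removed gets a `=-` line, and a small validator checks that no value line in the Registry:: section lacks the delete marker. The dump lines are copied from the ComboFix log above (with a couple of unrelated rules left in to show they are preserved); the list of removed directories is the caller's input.

```python
"""Build the Registry:: block of a ComboFix CFScript that deletes every
Windows Firewall rule still referencing programs that were uninstalled.

Added example for this page; not part of the original post and not a
ComboFix feature.  It automates what the reply above did by hand.
SAMPLE_DUMP is copied from the ComboFix registry dump posted in this thread.
"""
import re

FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]"

# Copied from the ComboFix log posted above (sample input).  The Warcraft III
# and Bonjour rules are kept to show that unrelated rules are left alone.
SAMPLE_DUMP = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{901DE89F-D072-40B5-89FF-C209BA9F599A}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{E99751D2-E897-4D29-9542-3B884A9CE554}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{BA9BB17C-AD52-4C4D-AC64-19ED898A55B9}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{AAD81DC3-8E23-4287-8C8B-17099D7468FA}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{2942925F-62A0-4089-912A-EA2887936416}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{7D26DCD3-4487-43F6-A5D6-DF2623B81062}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{D1E19718-D563-4DCC-8DFA-B81D975B0179}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{A8EBA045-EF6E-4C96-9BE3-5E449459BD9E}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{BB18AD2A-1DBE-4C01-9E2E-E68FC30739C5}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{A0E053EF-3270-4402-B27A-05C71CA88413}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"""

# "<name>"= <data>, where the quoted name may contain REGEDIT4-escaped backslashes
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=\s*(?P<data>.*)$')


def parse_firewall_rules(dump):
    """Map each value name under the FirewallRules key to its data string."""
    rules, in_key = {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = (line == FIREWALL_KEY)
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            rules[m.group("name")] = m.group("data")
    return rules


def _unescape(name):
    """REGEDIT4 doubles backslashes inside quoted value names."""
    return name.replace("\\\\", "\\")


def stale_rules(rules, removed_dirs):
    """Names of rules whose name or data refers to a directory being removed."""
    wanted = [d.lower().rstrip("\\") + "\\" for d in removed_dirs]
    hits = []
    for name, data in rules.items():
        hay = (_unescape(name) + " " + data).lower()
        if any(d in hay for d in wanted):
            hits.append(name)
    return hits


def build_cfscript(removed_dirs, rule_names):
    """Assemble KILLALL::, Folder:: and Registry:: sections in CFScript syntax."""
    lines = ["KILLALL::", "", "Folder::"]
    lines += removed_dirs
    lines += ["", "Registry::", FIREWALL_KEY]
    # a value name followed by '=-' tells ComboFix to delete that value
    lines += ['"%s"=-' % n for n in rule_names]
    return "\n".join(lines) + "\n"


def validate_registry_section(script):
    """Value lines inside Registry:: that lack the '=-' delete marker."""
    bad, in_reg = [], False
    for line in script.splitlines():
        if line.endswith("::"):
            in_reg = (line == "Registry::")
            continue
        if in_reg and line.startswith('"') and not line.endswith("=-"):
            bad.append(line)
    return bad


def generate(dump, removed_dirs):
    """Full CFScript text for the given dump and directories."""
    rules = parse_firewall_rules(dump)
    return build_cfscript(removed_dirs, stale_rules(rules, removed_dirs))


if __name__ == "__main__":
    script = generate(SAMPLE_DUMP, ["c:\\program files\\limewire", "c:\\program files\\uTorrent"])
    print(script)
    print("problems:", validate_registry_section(script))
```

Generating the block from the dump also means the rule names are copied exactly, GUIDs and escaped backslashes included, which is where retyping by hand tends to go wrong.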
