Rustock.gen!B, keeps coming back

June 13, 2009 at 13:50:45
Specs: Windows XP
I have somehow contracted the Rustock.gen!B virus. The Windows Malicious Software Removal Tool says it has removed it, which is good, but it says it every time I boot up, so it is reproducing itself.
Following is my combofix log.

ComboFix 09-06-13.03 - New Owner 06/13/2009 16:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.661 [GMT -4:00]
Running from: c:\documents and settings\New Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\UACucfmqxtpdwfwqvx.dat
c:\windows\system32\UACvmitdavbkgrjjbq.log
C:\cleanup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 20:04 . 2009-06-13 20:04 -------- d-----w- C:\Rustbfix
2009-06-13 18:26 . 2009-06-13 18:26 -------- d-----w- c:\program files\Trend Micro
2009-06-13 16:00 . 2009-06-13 18:02 1870880 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-13 16:00 . 2009-06-13 18:02 11552 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-13 15:36 . 2009-06-13 17:55 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-13 15:36 . 2009-06-13 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-06-13 15:36 . 2009-06-13 15:36 -------- d-----w- c:\documents and settings\New Owner\Local Settings\Application Data\Downloaded Installations
2009-06-13 15:08 . 2009-06-13 15:08 -------- d-----w- c:\documents and settings\New Owner\Application Data\McAfee
2009-06-11 13:48 . 2006-03-03 12:07 143360 ----a-w- c:\windows\system32\dunzip32.dll
2009-06-11 13:44 . 2007-11-22 10:44 33832 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-06-11 13:44 . 2007-12-02 16:51 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-06-11 13:44 . 2007-11-22 10:44 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-06-11 13:44 . 2007-11-22 10:44 79304 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-06-11 13:44 . 2007-11-22 10:44 201320 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-06-11 13:44 . 2007-07-13 10:20 113952 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-06-11 13:43 . 2009-06-11 13:43 -------- d-----w- c:\program files\McAfee.com
2009-06-11 13:43 . 2009-06-11 13:44 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-11 13:43 . 2009-06-11 20:16 -------- d-----w- c:\program files\McAfee
2009-06-11 13:38 . 2009-06-11 13:38 132 ----a-w- c:\documents and settings\New Owner\Local Settings\Application Data\fusioncache.dat
2009-06-11 02:17 . 2009-06-11 02:17 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-29 22:12 . 2009-06-05 13:33 -------- d-----w- c:\documents and settings\New Owner\Application Data\Pogo Games
2009-05-29 18:52 . 2009-06-05 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-05-29 18:52 . 2009-06-05 13:33 -------- d-----w- c:\program files\Gateway Games
2009-05-26 18:46 . 2009-05-27 14:31 -------- d-----w- c:\documents and settings\New Owner\Local Settings\Application Data\Intuit
2009-05-26 18:43 . 2009-05-26 18:43 -------- d-----w- c:\program files\Common Files\supportsoft
2009-05-26 18:38 . 2009-05-27 14:32 -------- d-----w- c:\program files\Quickbooks
2009-05-26 18:38 . 2009-05-27 14:32 -------- d-----w- c:\program files\Common Files\Intuit
2009-05-26 18:38 . 2009-05-27 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-05-26 18:36 . 2009-05-26 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-05-26 18:36 . 2009-05-26 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2009-05-26 18:17 . 2009-05-26 18:17 -------- d-----w- c:\program files\Akamai
2009-05-23 15:13 . 2009-05-23 15:13 -------- d-----w- c:\documents and settings\New Owner\Application Data\Alien Skin
2009-05-17 22:05 . 2009-05-17 22:05 -------- d-----w- c:\documents and settings\New Owner\Application Data\Malwarebytes
2009-05-17 22:05 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-17 22:05 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 22:05 . 2009-05-17 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-17 22:05 . 2009-05-17 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 21:49 . 2009-05-17 21:49 0 ----a-w- C:\backup.reg
2009-05-17 21:49 . 2009-05-17 21:49 574 ----a-w- C:\cleanup.bat
2009-05-17 21:49 . 2009-05-17 21:49 135168 ----a-w- C:\zip.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 18:02 . 2009-06-13 16:00 27176 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-13 18:02 . 2009-06-13 16:00 2156 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-12 02:02 . 2007-12-14 22:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-11 13:48 . 2009-01-06 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-11 02:32 . 2008-09-20 19:32 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-05 13:32 . 2009-05-14 15:39 -------- d-----w- c:\documents and settings\New Owner\Application Data\uTorrent
2009-05-31 02:36 . 2008-11-11 14:36 19056 ----a-w- c:\documents and settings\New Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-26 01:24 . 2009-04-22 03:14 -------- d-----w- c:\documents and settings\New Owner\Application Data\Move Networks
2009-05-25 04:24 . 2008-05-27 02:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-17 22:51 . 2009-04-08 14:45 -------- d-----w- c:\program files\Common
2009-05-17 21:33 . 2009-01-06 20:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-14 15:40 . 2009-05-14 15:40 -------- d-----w- c:\program files\uTorrent
2009-05-12 19:12 . 2007-12-14 22:22 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-08 22:23 . 2009-05-08 22:22 -------- d-----w- c:\program files\DivX
2009-05-08 22:22 . 2009-05-08 22:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-08 20:00 . 2009-04-26 18:03 -------- d-----w- c:\program files\Common Files\Macromedia
2009-05-08 20:00 . 2009-04-26 18:01 -------- d-----w- c:\program files\Macromedia
2009-05-08 20:00 . 2007-12-14 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-03-04 03:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 03:14 . 2009-04-22 03:14 34062 ----a-w- c:\documents and settings\New Owner\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-02-26 00:49 . 2009-02-26 00:49 3420160 ----a-w- c:\program files\cuppycake.wav
2009-02-25 02:19 . 2009-02-26 00:32 388563 ----a-w- c:\program files\Cuppycake.mp3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2008-10-30 664232]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2008-10-30 107176]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MRT"="c:\windows\system32\MRT.exe" [2009-06-01 23635392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\New Owner\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [12/14/2007 6:00 PM 88192]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [1/7/2009 11:38 PM 98984]
S2 milykdmm;milykdmm;\??\c:\windows\system32\drivers\jkekfq.sys --> c:\windows\system32\drivers\jkekfq.sys [?]
S3 IPN2120;INPROCOMM IPN2120 Wireless LAN Card Driver;c:\windows\system32\drivers\i2120ntx.sys [12/14/2007 6:14 PM 116736]
S3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [12/15/2007 2:01 PM 124928]
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-11 17:32]

2009-06-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-11 17:32]

2009-06-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 16:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3412)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\windows\system32\CF6258.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdncoms.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-13 16:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 20:42

Pre-Run: 45,956,132,864 bytes free
Post-Run: 45,909,323,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

230 --- E O F --- 2009-06-11 02:28
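The ComboFix log above already contains the entry the helper later acts on in this thread: the `milykdmm` service registered as `\??\c:\windows\system32\drivers\jkekfq.sys` with a trailing `[?]`, meaning ComboFix could not examine the file on disk. The following Python script is an added example, not part of this thread and not code from ComboFix or AVZ; it parses the `Drivers/Services` lines of such a log and ranks them by structural indicators: a `[?]` on a kernel driver, and a driver registered by NT object path whose file name is unrelated to the service name. The scoring weights and the four-character name-relatedness check are this example's own heuristics, and the sample input is the five service lines excerpted from the log above. The `lxdn_device` line also carries `[?]`; the script assumes that is an artefact of ComboFix keeping the `-service` argument as part of the path (the same binary is listed under Other Running Processes) and records it as a zero-weight note rather than a finding, which is the kind of distinction a triage pass has to make.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "Drivers/Services" lines excerpted from the ComboFix log posted above.
SAMPLE_SERVICE_LINES = r"""
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [12/14/2007 6:00 PM 88192]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [1/7/2009 11:38 PM 98984]
S2 milykdmm;milykdmm;\??\c:\windows\system32\drivers\jkekfq.sys --> c:\windows\system32\drivers\jkekfq.sys [?]
S3 IPN2120;INPROCOMM IPN2120 Wireless LAN Card Driver;c:\windows\system32\drivers\i2120ntx.sys [12/14/2007 6:14 PM 116736]
"""

# ComboFix prints: <R|S><start type> <name>;<display name>;<image path> [<date size> | ?]
# R = running, S = stopped; a trailing "[?]" means the file could not be examined.
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]\s*$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))(\s.*)?$", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str
    start: int
    name: str
    display: str
    image: str     # path as registered (left of '-->' when ComboFix shows a resolution)
    resolved: str  # path ComboFix resolved it to (same as image when there is no '-->')
    stat: str      # contents of the trailing [...] field
    reasons: list = field(default_factory=list)  # (weight, explanation) pairs

    @property
    def score(self) -> int:
        return sum(w for w, _ in self.reasons)


def parse_services(text: str) -> list:
    """Parse ComboFix Drivers/Services lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, stat = m.groups()
        image, _, resolved = path.partition(" --> ")
        entries.append(ServiceEntry(state, int(start), name, display,
                                    image.strip(), (resolved or image).strip(), stat.strip()))
    return entries


def split_args(path: str):
    """Split 'c:\\dir\\prog.exe -flag' into ('c:\\dir\\prog.exe', '-flag')."""
    m = EXE_RE.match(path)
    return (m.group(1), (m.group(2) or "").strip()) if m else (path, "")


def triage(entries: list) -> list:
    """Attach weighted reasons to each entry and return them sorted, most suspicious first.
    The weights and the name-relatedness check are this example's own heuristics (assumption)."""
    for e in entries:
        exe, args = split_args(e.resolved)
        if e.stat == "?":
            if args:
                # ComboFix kept the arguments as part of the path, so the failed stat is most
                # likely an artefact; keep it as a zero-weight note for the analyst.
                e.reasons.append((0, "file not examined, but the path carries arguments"))
            elif exe.lower().endswith(".sys"):
                e.reasons.append((3, "kernel driver file missing or hidden from user mode"))
            else:
                e.reasons.append((2, "file missing or hidden from user mode"))
        stem = exe.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        name = e.name.lower()
        if e.image.startswith("\\??\\") and not (stem.startswith(name[:4]) or name.startswith(stem[:4])):
            e.reasons.append((1, "driver registered by NT object path; file name unrelated to service name"))
    return sorted(entries, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(parse_services(SAMPLE_SERVICE_LINES)):
        flag = "SUSPICIOUS" if e.score >= 3 else "review" if e.reasons else "ok"
        print(f"{flag:10} {e.state}{e.start} {e.name:28} {e.resolved}")
        for _, why in e.reasons:
            print(f"{'':10}   - {why}")
```

Run as-is, it lists `milykdmm` first with a score of 4 and `lxdn_device` as a zero-weight review note; the three hardware drivers score 0. The point of the weighting is that `[?]` alone is not a verdict, which is why the thread's helper quarantines the file and asks for the archive rather than deleting on sight.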



#1
June 14, 2009 at 06:58:16
Please don't run Combofix until requested by a malware removal person, this per its author. Also did you read its disclaimer? If you still haven't resolved the issue and need help write back.

If I'm helping you and I don't reply within 24 hours send me a PM.



#2
June 14, 2009 at 19:17:05
Yes, I still haven't resolved the issue. I posted the log because it seems that's what everyone is told to do, so I wanted to save some time.
Anyway, do you have any suggestions?


#3
June 14, 2009 at 19:28:53
These are advanced tools that require some knowledge and training; if you don't use them right, they mess the system up more, and then cleaning up the system is like finding a pebble in an ocean. Suggestion for what? Please do share how you fixed your problem for other people in a similar situation.

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
June 15, 2009 at 03:52:33
I wanted a suggestion on how to fix the problem. I haven't fixed it yet. I may just do a full recovery.


#5
June 15, 2009 at 04:42:00
Note: I can help you remove the virus manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and run DDS, which will create a pseudo HJT report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.


#7
June 15, 2009 at 06:32:45
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DeleteService('milykdmm');
 StopService('milykdmm');
 QuarantineFile('c:\windows\SWREG.exe','');
 QuarantineFile('c:\windows\PEV.exe','');
 QuarantineFile('c:\windows\sed.exe','');
 QuarantineFile('c:\windows\system32\CF6258.exe','');
 QuarantineFile('C:\WINDOWS\system32\drivers\jkekfq.sys','');
 DeleteFile('C:\WINDOWS\system32\drivers\jkekfq.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine1.zip');
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and private message me download link.

If I'm helping you and I don't reply within 24 hours send me a PM.



#8
June 15, 2009 at 07:30:28
Download http://www.uploads.ejvindh.net/rust...

...and save it to your desktop.
Double click on rustbfix.exe to run the tool.

If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.

After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.

In addition, redo Response Number 5 and post a new set of logs.

If I'm helping you and I don't reply within 24 hours send me a PM.



#9
June 15, 2009 at 07:35:42
No Rustock.b-rootkits found.
Sooo, I guess it's getting deleted alright, but something is regenerating it...hmmm


#10
June 15, 2009 at 07:37:41
Another note...since running the tools you had me run today, upon boot it wants to install unnamed hardware and is looking for drivers. I have been cancelling it.


#11
June 15, 2009 at 07:41:30
It also disables part of my McAfee and shuts down the internet connection.


#12
June 15, 2009 at 07:51:19
Leave hardware for now. Follow Response Number 8.

If I'm helping you and I don't reply within 24 hours send me a PM.



#13
June 15, 2009 at 07:58:57
rustbfix still says nothing found
http://rapidshare.com/files/2448337...


#15
June 15, 2009 at 08:19:56
Still need: After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt)

If I'm helping you and I don't reply within 24 hours send me a PM.



#16
June 15, 2009 at 08:23:15
But it doesn't reboot. I figured that's because it didn't find anything.


#17
June 15, 2009 at 08:35:07
Yeh, I don't see anything in your log files either. The Microsoft tool might be looking at cached or temp files. I suggest you uninstall it and run a full scan with:

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Attach Scan log/Summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.



#18
June 15, 2009 at 16:47:03
Ok, ran Kaspersky and it found 1 item called cleanup.exe and I had it delete it. I then reinstalled the Windows malware remover and rebooted. It was still detected. UGH
Here's the log from Kaspersky:
http://rapidshare.com/files/2449910...


#19
June 15, 2009 at 17:28:51
It seems like it might be a false positive. Does it give you a filename or place at which it detects? What is the download link of the malware tool at the Microsoft site that you are using?

If I'm helping you and I don't reply within 24 hours send me a PM.



#20
June 16, 2009 at 03:04:04
The program downloads automatically in a Windows update, but it can also be manually downloaded from Microsoft's site. Its full name is Microsoft Windows Malicious Software Removal Tool.
This is what it gives me:
Malware:
Backdoor:WinNT/Rustock.gen!B
Scan Results:
Removed

And since yesterday it's wanting to install 2 pieces of unknown hardware.

I would hate to have to format it. It has XP Pro on it but I only have a Home disk and would have to use that. It didn't come with a recovery partition, cheap b---tards.



#21
June 16, 2009 at 06:38:28
Run these two:

1) http://onecare.live.com/site/en-Us/...

2) http://onecare.live.com/site/en-Us/...

See if that solves your hardware problem; if it doesn't, post a screenshot of the device properties of each piece of hardware (detail tab).

If I'm helping you and I don't reply within 24 hours send me a PM.



#22
June 16, 2009 at 14:18:48
Success!
One of those scans eliminated the hardware issue.
I got rid of the virus by disabling Spybot, because I figured out it wasn't allowing the registry change that the malware removal tool was trying to make. I rebooted and it was gone.

Thanks so much for your help!



#23
June 16, 2009 at 14:21:46
Yeh, Spybot TeaTimer can be troublesome sometimes. Glad the problem got sorted out.

If I'm helping you and I don't reply within 24 hours send me a PM.

