Rustock.b Rootkit? Maybe Not!


This topic is locked
5 replies to this topic

#1 Brian 23

Posted 18 September 2007 - 04:41 PM

I have been working on this one for about two weeks. It started when I noticed some weird traffic in my firewall logs. It was showing that my computer was trying to connect to 111.111.111.111 port X (x would just count by one). I ran the following:

HiJack This = nothing
SpyBot = nothing
Adaware = nothing
SUPERAntiSpyware Free Edition = nothing

GMER = noticed that there was an Iexplore.exe hidden process. Every time I kill it, it comes back
RootKit Unhooker = same as above


Once I kill the process I can see it reloading in Process Explorer. As soon as I kill the process in RKU, NTGUARD.EXE flashes in Process Explorer and then IEXPLORE.EXE, then they both disappear, only to find the hidden process back in RKU.

I ran ComboFix and it shows that I have the Rustock.b rootkit.
________________________________________________________________________
Rootkit driver pe386 is still present. A rootkit scan is required
Rootkit driver msguard is still present. A rootkit scan is required
Rootkit driver lzx32 is still present. A rootkit scan is required
Rootkit driver huy32 is still present. A rootkit scan is required
Rootkit driver xpdt is still present. A rootkit scan is required
_______________________________________________________________________

I downloaded rustbfix.exe and it says:
No Rustock.b-rootkits found

Please if you can offer any help, it would be appreciated.

Running Win XP Pro
Intel 3.4 GHz
1 GB RAM
Up to date on all Windows Patches
Use Symantec Corp Edi for Anti-Virus (Def files are up to date)
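The pattern Brian describes in his firewall logs (repeated attempts to one destination with the destination port counting up by one) is something a defender can flag automatically. The following is an added example, not code from the original post; the log line format and the sample lines are constructed here, and the destination 111.111.111.111 is taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the post); the line format is assumed.
SAMPLE_LOG = """\
2007-09-04 22:10:01 BLOCK TCP 192.168.1.10:1031 -> 111.111.111.111:1
2007-09-04 22:10:02 BLOCK TCP 192.168.1.10:1032 -> 111.111.111.111:2
2007-09-04 22:10:03 BLOCK TCP 192.168.1.10:1033 -> 111.111.111.111:3
2007-09-04 22:10:04 ALLOW TCP 192.168.1.10:1034 -> 93.184.216.34:80
2007-09-04 22:10:05 BLOCK TCP 192.168.1.10:1035 -> 111.111.111.111:10
2007-09-04 22:10:06 BLOCK TCP 192.168.1.10:1036 -> 111.111.111.111:11
2007-09-04 22:10:07 BLOCK TCP 192.168.1.10:1037 -> 111.111.111.111:12
2007-09-04 22:10:08 BLOCK TCP 192.168.1.10:1038 -> 111.111.111.111:13
2007-09-04 22:10:09 ALLOW TCP 192.168.1.10:1039 -> 93.184.216.34:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the assumed 'ts action proto src:port -> dst:port' format into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not match the assumed format
            events.append({**m.groupdict(), "dport": int(m.group("dport"))})
    return events


def find_port_walks(events, min_run=3):
    """Return {(src, dst): [(first_port, last_port), ...]} for every run of at least
    min_run attempts from src to dst whose destination port rises by exactly one
    each time, in log order. Traffic to other destinations in between is ignored."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev["dport"])
    walks = {}
    for pair, ports in by_pair.items():
        runs, start = [], 0
        for i in range(1, len(ports) + 1):
            # A run ends when the sequence breaks or the list is exhausted.
            if i == len(ports) or ports[i] != ports[i - 1] + 1:
                if i - start >= min_run:
                    runs.append((ports[start], ports[i - 1]))
                start = i
        if runs:
            walks[pair] = runs
    return walks


if __name__ == "__main__":
    for (src, dst), runs in find_port_walks(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: sequential port runs {runs}")
```

A host that walks ports one at a time toward a single address is worth investigating with the rootkit tools named in the thread, since a hidden process rather than a user application is the likely source.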


#2 rigel

Posted 18 September 2007 - 06:39 PM

Hi Brian,

My advice would be for you to post an HJT log in the HijackThis Logs and Malware Removal forum. The HJT team will work with you using the advanced tools of spyware removal. Rootkit infections are serious.

Good luck with the cleaning...

rigel

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Brian 23 (Topic Starter)

Posted 19 September 2007 - 09:17 AM

Thanks I will do that now.

#4 jgweed

Posted 19 September 2007 - 11:34 AM

Until the log is reviewed by our Team, and any problems resolved, please refrain from making any significant changes to your computer or its applications. Members should consider this topic temporarily closed.
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#5 Brian 23 (Topic Starter)

Posted 20 September 2007 - 11:28 AM

I added it to the Hijack Logs forum just a couple of days ago and the topic is already on page 3. I had no idea you guys had that much traffic. No replies yet. This one is very hard to figure out.

http://www.bleepingcomputer.com/forums/t/109077/rustockb-rootkit-maybe-not/

#6 quietman7 (Global Moderator)

Posted 20 September 2007 - 01:02 PM

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
