
Win32/Rustock.gen!C


This topic is locked
17 replies to this topic

#1 darthbluebird


Posted 29 January 2009 - 03:13 PM

Hi, not very good with PCs! Basic story: bought PC off a mate, blue screen all the time. Was on the other post being helped by BOOPME - thanks for your help. He told me to post here; the problem was this:

This problem was caused by Win32/Rustock.gen!C, a known computer virus.

Win32/Rustock.gen!C is also known by the following names:

* Win32/Vxidl.B
* Troj/Dorf-Fam
* Trojan.Peacomm
* TROJ_SMALL.EDW



This is what he said:
These are coming from malware-laden PSP or torrent downloads. The only way to clean this, other than a full wipe of the drive, is through our HJT team.
We need to run HJT.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK!

So I think I need the logs now: DDS -
DDS (Ver_09-01-19.01) - NTFSx86
Run by Swanbo at 20:02:32.78 on 29/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1464 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: *disabled*
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Swanbo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ie/
mWinlogon: SFCDisable=4 (0x4)
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.5672\swg.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [Start WingMan Profiler] "c:\program files\logitech\profiler\lwemon.exe" /noui
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [F5D9050] c:\program files\belkin\f5d9050\Belkinwcui.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: WIKI.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\swanbo\applic~1\mozilla\firefox\profiles\p00q247a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - prefs.js: network.proxy.http - 212.170.156.46:80
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\swanbo\application data\mozilla\firefox\profiles\p00q247a.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-1-29 10240]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-1 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-1 27656]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-10-15 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-15 394952]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2008-10-9 19968]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-1 298264]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-14 47640]
R4 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2007-2-1 188276]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys --> c:\windows\system32\drivers\ikfileflt.sys [?]
S1 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys --> c:\windows\system32\drivers\ikfilesec.sys [?]
S1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys --> c:\windows\system32\drivers\iksysflt.sys [?]
S1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys --> c:\windows\system32\drivers\iksyssec.sys [?]
S3 PAC7302;PC VGA Camer@ Plus;c:\windows\system32\drivers\PAC7302.SYS [2007-9-10 457984]
S3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2007-2-1 951284]
S4 DNSCacheReader;dns cache reader;c:\windows\system32\j6231639.exe --> c:\windows\system32\j6231639.exe [?]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe --> c:\program files\spyware doctor\svcntaux.exe [?]
S4 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe --> c:\program files\spyware doctor\swdsvc.exe [?]

=============== Created Last 30 ================

2009-01-28 18:57 <DIR> --d----- c:\docume~1\swanbo\applic~1\Malwarebytes
2009-01-28 18:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-28 18:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 18:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 18:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-27 22:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-27 22:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-27 22:22 <DIR> --d----- c:\docume~1\swanbo\applic~1\SUPERAntiSpyware.com
2009-01-27 21:59 <DIR> --d----- c:\documents and settings\swanbo\.housecall6.6
2009-01-25 13:59 <DIR> --d----- c:\docume~1\swanbo\applic~1\PPStream
2009-01-25 13:58 <DIR> --d----- c:\program files\360DeskSearch
2009-01-17 19:25 <DIR> --d----- c:\docume~1\swanbo\applic~1\AVS4YOU
2009-01-17 19:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-01-17 19:24 <DIR> --d----- c:\program files\common files\AVSMedia
2009-01-17 19:23 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-01-17 19:23 24,576 a------- c:\windows\system32\msxml3a.dll
2009-01-17 19:23 <DIR> --d----- c:\program files\AVS4YOU
2009-01-17 18:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nokia
2009-01-15 22:40 1,112,288 a------- c:\windows\system32\wdfcoinstaller01007.dll
2009-01-15 22:40 659,968 a------- c:\windows\system32\nmwcdcocls.dll
2009-01-15 21:56 <DIR> --d----- c:\documents and settings\swanbo\Phone Browser
2009-01-15 21:39 <DIR> --d----- c:\program files\common files\PCSuite
2009-01-15 21:39 <DIR> --d----- c:\program files\common files\Nokia
2009-01-15 21:39 <DIR> --d----- c:\program files\PC Connectivity Solution
2009-01-15 21:39 <DIR> --d----- c:\program files\Nokia
2009-01-15 19:57 666,112 a------- c:\windows\system32\SET41.tmp
2009-01-15 19:57 619,520 a------- c:\windows\system32\SET42.tmp
2009-01-15 19:57 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-01-15 19:57 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-01-15 19:57 1,499,136 a------- c:\windows\system32\SET43.tmp
2009-01-15 19:57 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-15 19:57 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-15 19:57 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-15 19:56 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-15 19:56 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-15 19:56 3,067,904 a------- c:\windows\system32\SET31.tmp
2009-01-15 19:56 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-15 19:56 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-15 19:53 337,408 a------- c:\windows\system32\SET20.tmp
2009-01-15 19:53 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-01-15 19:43 <DIR> --d----- c:\windows\system32\scripting
2009-01-15 19:43 <DIR> --d----- c:\windows\system32\en
2009-01-15 19:43 <DIR> --d----- c:\windows\system32\bits
2009-01-15 19:43 <DIR> --d----- c:\windows\l2schemas
2009-01-15 19:40 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-15 19:38 <DIR> --d----- c:\windows\network diagnostic
2009-01-13 20:05 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-01-07 12:46 <DIR> --d----- c:\docume~1\swanbo\applic~1\uTorrent

==================== Find3M ====================

2009-01-29 20:02 17,278,496 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-28 21:16 234,116 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-27 21:09 8,450 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-27 18:43 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-27 18:43 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-15 19:45 79,431 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-08 23:29 48,396 a------- c:\windows\UninstVeetleTVPlayer.exe
2008-11-01 17:01 921,632 ac------ C:\PA7302.DAT
2008-11-01 16:41 4,212 ----h--- c:\windows\system32\zllictbl.dat
2007-07-05 15:12 140 a------- c:\docume~1\swanbo\applic~1\wklnhst.dat
2007-02-02 23:04 137,104 a------- c:\program files\INSTALL.LOG
2001-01-05 16:51 162,304 a------- c:\program files\UNWISE.EXE

============= FINISH: 20:03:23.10 ===============

There is another log - ATTACH? It says not to attach unless directed, so I will leave it off for now. Thanks in advance.
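Added example (editor's code, not from the thread, from DDS or from the helpers): a small Python triage pass over lines excerpted from the DDS log above. It automates a few of the checks that are done by eye in this thread: a non-empty AppInit_DLLs value (WIKI.DLL is the file Blade81 later asks to have checked on VirusTotal), BHO entries with no backing file, service/driver lines whose file DDS could not stat ("[?]" or "[x]" in place of a date and size), and a manually configured Firefox proxy, which the thread does not discuss but a responder would want to review. The rules are my own heuristics; a hit is a lead for manual review, not a verdict, and a legitimate ZoneAlarm service (vsmon) trips the unverified-file rule here too.

```python
"""
Added triage example for a DDS log (not part of the thread, not DDS's own code).
It applies a few of the checks a malware responder makes by eye on the log
above: a non-empty AppInit_DLLs value, BHO entries with no backing file,
service/driver lines whose file DDS could not stat ("[?]" or "[x]" instead of
a date and size), and a manually configured Firefox proxy.  A hit is a lead
for manual review, not a verdict.
"""
import re
from dataclasses import dataclass

# Lines excerpted from the DDS log posted above (sample input for the demo).
SAMPLE_LOG = r"""
mWinlogon: SFCDisable=4 (0x4)
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
AppInit_DLLs: WIKI.DLL
FF - prefs.js: network.proxy.http - 212.170.156.46:80
FF - prefs.js: network.proxy.type - 1
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2007-1-29 10240]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S4 DNSCacheReader;dns cache reader;c:\windows\system32\j6231639.exe --> c:\windows\system32\j6231639.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""

# "<start type> <service name>;<display name>;<rest>", e.g.
# "R1 Asapi;Asapi;c:\...\asapi.sys [2007-1-29 10240]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# DDS prints "[<yyyy-m-d> <size>]" after a file it could read.
META_RE = re.compile(r"\d{4}-\d{1,2}-\d{1,2} \d+")


@dataclass
class Finding:
    kind: str      # appinit_dll | orphan_bho | service_unverified | manual_proxy
    detail: str
    line: str


def parse_service(line):
    """Parse one SERVICES / DRIVERS line; return None for anything else."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if " --> " in rest:                  # DDS shows two path forms; keep the right-hand one
        rest = rest.partition(" --> ")[2]
    path, sep, meta = rest.rpartition(" [")
    if not sep:
        return None
    meta = meta.rstrip("]")
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path.strip(),
        "meta": meta,
        "verified": META_RE.fullmatch(meta) is not None,
    }


def triage(log_text):
    """Return the list of Findings for a DDS log (or an excerpt of one)."""
    findings = []
    proxy_host, proxy_manual = None, False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            value = line.partition(":")[2].strip()
            if value:                    # an empty AppInit_DLLs value is the normal state
                findings.append(Finding("appinit_dll", value, line))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("orphan_bho", line[4:].strip(), line))
        elif line.startswith("FF - prefs.js: network.proxy.http - "):
            proxy_host = line.rsplit(" - ", 1)[1]
        elif line == "FF - prefs.js: network.proxy.type - 1":
            proxy_manual = True          # Firefox: 1 = manual proxy configuration
        else:
            svc = parse_service(line)
            if svc and not svc["verified"]:
                where = svc["path"] or "(no path)"
                findings.append(Finding("service_unverified",
                                        f'{svc["start"]} {svc["name"]} -> {where}', line))
    if proxy_manual and proxy_host:
        findings.append(Finding("manual_proxy", proxy_host, "network.proxy.type = 1"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.detail}")
```

Run it as-is to triage the embedded excerpt, or feed it the full text of a DDS.txt. Every hit still needs the judgement the helpers apply in this thread: a missing date and size tells you DDS could not read the file, not that the file is malicious.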



#2 Blade81

  • Malware Response Team
  • Location:Finland

Posted 05 February 2009 - 05:38 AM

Hi,

If you still need help with this, post a fresh dds log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 darthbluebird


Posted 05 February 2009 - 01:43 PM

Hi, thanks for getting back to me.

Here are the new logs:

Attached Files



#4 Blade81


Posted 05 February 2009 - 02:33 PM

Hi again :thumbup2:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#5 darthbluebird


Posted 06 February 2009 - 06:51 AM

Hi, did the ComboFix.... Caused major problems. Lost all internet access. I have just managed to get it back..... Here are the logs:

Attached Files



#6 Blade81


Posted 06 February 2009 - 01:52 PM

Ok. Let's continue then :thumbup2:


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Upload following file (if found) to http://www.virustotal.com and post back the results:
c:\windows\system32\WIKI.DLL


Open notepad and copy/paste the text in the quotebox below into it:

Driver::
pe386

File::
c:\windows\system32\lzx32.sys


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.
Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

Edited by Blade81, 06 February 2009 - 01:53 PM.



#7 darthbluebird


Posted 09 February 2009 - 09:00 AM

Hi again, Kaspersky came up clean. Here are the other logs:

Attached Files



#8 Blade81


Posted 09 February 2009 - 12:25 PM

Hi again,

Did you upload wiki.dll to virustotal? What were the results?


Open notepad and copy/paste the text in the quotebox below into it:

Driver::
pe386

ADS::
c:\windows\system32:lzx32.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.

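Added example (editor's code, not from the thread or from any of the tools used in it), illustrating the two CFScripts above. Post #6 lists the Rustock driver file as an ordinary path under File::, post #8 lists it under ADS:: as c:\windows\system32:lzx32.sys, which is a stream named lzx32.sys attached to the System32 directory itself; that is where this family kept its driver, so no normal directory listing shows it. The block below lists NTFS alternate data streams on a file or directory. Assumption: it uses the Win32 FindFirstStreamW/FindNextStreamW APIs, which exist on Windows Vista and later, so on the XP machine in this thread you would need a purpose-built tool such as the rustbfix run later on; the two parsing helpers are pure Python and run anywhere.

```python
r"""
Added example (mine, not from the thread or any of its tools): list NTFS
alternate data streams on a path.  The CFScript above names the Rustock.b
driver as c:\windows\system32:lzx32.sys, a stream called lzx32.sys attached to
the System32 directory; no directory listing shows it.

Assumption: enumeration uses the Win32 FindFirstStreamW/FindNextStreamW APIs
(Windows Vista and later).  split_ads_path and parse_stream_name are pure
Python and work on any platform.
"""
import ctypes
import sys
from ctypes import Structure, c_int, c_int64, c_uint32, c_void_p, c_wchar, c_wchar_p

MAX_PATH = 260
INVALID_HANDLE_VALUE = c_void_p(-1).value    # what FindFirstStreamW returns on failure
FIND_STREAM_INFO_STANDARD = 0                # STREAM_INFO_LEVELS.FindStreamInfoStandard


class WIN32_FIND_STREAM_DATA(Structure):
    _fields_ = [("StreamSize", c_int64),
                ("cStreamName", c_wchar * (MAX_PATH + 36))]


def split_ads_path(path):
    r"""Split "c:\windows\system32:lzx32.sys" into ("c:\windows\system32", "lzx32.sys").
    The colon after the drive letter (index 1) is not a stream separator."""
    idx = path.rfind(":")
    if idx <= 1:
        return path, None
    return path[:idx], path[idx + 1:]


def parse_stream_name(raw):
    """Split a raw name from FindFirstStreamW, e.g. ":lzx32.sys:$DATA", into
    (stream name, stream type).  The unnamed default stream is "::$DATA"."""
    if not raw.startswith(":"):
        raise ValueError("stream names start with ':' (got %r)" % raw)
    name, _, stream_type = raw[1:].rpartition(":")
    return name, stream_type


def is_alternate(raw):
    """True for anything other than the unnamed default $DATA stream."""
    return parse_stream_name(raw) != ("", "$DATA")


def list_streams(path):
    """Return [(name, type, size)] for every stream on a file or directory.  Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("FindFirstStreamW is a Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [c_wchar_p, c_int, c_void_p, c_uint32]
    k32.FindFirstStreamW.restype = c_void_p
    k32.FindNextStreamW.argtypes = [c_void_p, c_void_p]
    k32.FindNextStreamW.restype = c_int
    k32.FindClose.argtypes = [c_void_p]
    k32.FindClose.restype = c_int

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            name, stream_type = parse_stream_name(data.cStreamName)
            streams.append((name, stream_type, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break                    # FALSE with ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


def find_alternate_streams(path):
    """Only the named streams, i.e. the ones a plain directory listing hides."""
    return [s for s in list_streams(path) if (s[0], s[1]) != ("", "$DATA")]


if __name__ == "__main__":
    # Rustock.b's stream lived on the System32 directory itself, so check directories too.
    for target in sys.argv[1:] or [r"C:\Windows\System32", r"C:\Windows"]:
        for name, stream_type, size in find_alternate_streams(target):
            print(f"{target}:{name}  ({stream_type}, {size} bytes)")
```

On Windows, run it with the paths to check as arguments. A named stream is not malicious by itself (Zone.Identifier, for instance, is how Windows marks downloaded files), so the value of the listing is in the unexpected names, such as a .sys stream hanging off a directory.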


#9 darthbluebird


Posted 10 February 2009 - 02:25 AM

Hi there, could not locate wiki.dll. Will post again when the log is ready. Thanks so much for your help.

#10 darthbluebird


Posted 10 February 2009 - 03:46 AM

Hi, here are the new logs:

Attached Files



#11 Blade81


Posted 10 February 2009 - 01:22 PM

Hi again,

Download http://www.uploads.ejvindh.net/rustbfix.exe

...and save it to your desktop.
Double click on rustbfix.exe to run the tool.

If a Rustock.b infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.

After the reboot two logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Post these two logs.



#12 darthbluebird


Posted 10 February 2009 - 02:17 PM

Hi Blade, it looks like it found something. Here are the logs:

Attached Files



#13 Blade81


Posted 11 February 2009 - 10:43 AM

Good :thumbup2:

Please post a fresh hjt log and let me know how the system is running.



#14 darthbluebird


Posted 11 February 2009 - 03:53 PM

:thumbup2: Hi Blade, here is the new Hijack log. I had a blue screen yesterday when I tried to upload MP3s to my phone..... But I think the system is running a lot, lot better! Thanks a million. Do you think the system is clean (ish)?

Attached Files



#15 Blade81


Posted 12 February 2009 - 09:34 AM

Hi,

There's one thing there in the log that I don't like. Let's clean it off :thumbup2:


Start hjt, do a system scan, check:
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

Close browsers and fix checked.


Creating & executing batch file
-------------------------------

Open Notepad and then copy and paste the bolded lines below into it. Go to File > Save As and name the file fixes.bat, change the Save as type to All Files and save it to your desktop. (If you are still unsure how to do this, there is a little tutorial with pictures here.)
@echo off
REM Stop the "Boonty Games" service, then remove its registration from the service database
sc stop "Boonty Games"
sc delete "Boonty Games"

Double-click on fixes.bat file to execute it.


Delete following folder if found:
C:\Program Files\Common Files\BOONTY Shared


Also, if you didn't install the ZoneAlarm Spy Blocker toolbar on purpose, uninstall it through Add/Remove Programs.


Reboot and post a fresh hjt log.





