Troj/Rustok_N


This topic is locked. 2 replies to this topic.

#1 FinalKonekt (Members, 5 posts)

Posted 11 February 2009 - 01:24 PM

I was recently warned by a website that my computer has been infected with the Rustok_N virus.

Your computer (IP: ##.##.##.##) generates an attacking DOS requests at our servers. This attack was provoked by the spyware/virus named 'Troj/Rustok-N'

We cannot provide you with an access to our content for browsing purposes as it will lead to the inevitable crush of our website.

We strongly recommend you to run your antivirus edition and, if necessary, check it for the latest updates available.

You may also download recommended software, which has been approved by a number of our surfers who encountered the same problem and used this software to overcome it.

Make sure your computer is protected before continue browsing. Without this antivirus software your computer becomes a pushover for hackers.

Leaving computer unprotected may lead to:
- Computer performance slowdown and operating system crash
- Serious drop of traffic caused by hidden advertising
- Leak of personal and credit card information
- The inappropriate use of your personal photos by web sites
- Using you machine as a source for spam spreading
- Infection spreading to other removable devices such as memory cards, writable CD and DVD disks
- Getting your cell phone infected through USB. The first sign of infection in your cell phone device will appear as sms-messages sent to paid numbers
- etc

I ran Malwarebytes, AVG, and CCleaner in safe mode and they have rid my system of other trojans but not this particular one.
From what I understand this virus likes to hide by changing its name.
I did a search on my C: drive for the files cfrog.exe and baloon.exe and have found nothing.
I tried to install Kaspersky and it was unable to run. Spyware Doctor is unable to reach its update servers. Spybot is unable to reach its update servers as well.
So I downloaded dds.scr and below is the log it produced.
Attach.txt is also attached.

Any help would be greatly appreciated.


DDS (Ver_09-02-01.01) - NTFSx86
Run by JAEGER at 13:15:59.46 on Wed 02/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1151.759 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Sound Station\SNXUACP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\altera\81\quartus\bin\jtagserver.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Documents and Settings\JAEGER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sounds~1.lnk - c:\program files\sound station\SNXUACP.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160186847171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: umhnvu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jaeger\applic~1\mozilla\firefox\profiles\8d9xgw2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\jaeger\application data\mozilla\firefox\profiles\8d9xgw2d.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-10 42376]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-10 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-10 81288]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-2-9 170640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-2-9 15504]
R3 uafilter;uafilter;c:\windows\system32\drivers\UAFilter.sys [2007-7-27 9874]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2006-10-13 20136]
S3 Intsvnsesr;Intsvnsesr; [x]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-3-30 40832]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-10 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-10 1073544]
S3 SeratoUsb;SeratoUsb driver;c:\windows\system32\drivers\SeratoUsb.sys [2008-1-30 29696]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-10 23:53 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-10 23:53 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-10 23:53 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-10 23:53 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-10 23:53 <DIR> --d----- c:\docume~1\jaeger\applic~1\PC Tools
2009-02-10 23:53 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-10 23:53 <DIR> --d----- c:\program files\common files\Download Manager
2009-02-10 23:24 <DIR> --d----- C:\TAUDELT
2009-02-10 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-02-10 19:52 25,720 a------- C:\cc_20090210_195223.reg
2009-02-10 19:46 430,264 a------- C:\cc_20090210_194619.reg
2009-02-09 03:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 03:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 03:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-07 21:18 84,992 a------- c:\windows\system32\Zoomquilt II Screensaver(3)_uninst.exe
2009-02-07 21:18 155 a------- C:\DelUS.bat
2009-02-07 21:17 84,992 a------- c:\windows\system32\Zoomquilt II Screensaver_uninst.exe
2009-02-07 21:15 12 a------- c:\windows\dirsaver.ini
2009-02-05 20:21 <DIR> --d----- C:\my_pix
2009-02-02 17:41 471,040 a------- c:\windows\system32\hhactivex.dll
2009-02-02 17:41 76,288 a------- c:\windows\system32\drivers\SENTINEL.SYS
2009-02-02 17:41 50,176 a------- c:\windows\system32\SNTI386.DLL
2009-02-02 17:41 18,432 a------- c:\windows\system32\RNBOVDD.DLL
2009-02-02 17:41 26,120 a------- c:\windows\system32\drivers\SNTNLUSB.SYS
2009-02-02 17:41 9,949 -------- c:\windows\system32\SENTINEL.HLP
2009-02-02 17:41 <DIR> --d----- c:\windows\system32\RNBOSENT
2009-02-02 17:41 7,680 a------- c:\windows\system32\drivers\pgdhdlc.sys
2009-02-02 17:32 <DIR> --d----- C:\altera
2009-01-30 00:37 1,483,952 a--sh--- c:\windows\system32\xcduhggy.ini
2009-01-29 15:12 <DIR> --d----- c:\program files\Guitar Pro 5
2009-01-29 15:11 378 ---shr-- C:\autorun.inf
2009-01-29 14:43 <DIR> --d----- c:\docume~1\jaeger\applic~1\Individual Software
2009-01-29 14:40 244,024 a------- c:\windows\system32\Msflxgrd.ocx
2009-01-29 14:40 82,744 a------- c:\windows\system32\Picclp32.ocx
2009-01-29 14:39 158,992 a------- c:\windows\system32\ComCt232.ocx
2009-01-29 14:39 287,504 a------- c:\windows\system32\msxbse35.dll
2009-01-29 14:39 250,128 a------- c:\windows\system32\msexcl35.dll
2009-01-29 14:39 169,984 a------- c:\windows\system32\msltus35.dll
2009-01-29 14:39 165,648 a------- c:\windows\system32\mstext35.dll
2009-01-29 14:39 250,128 a------- c:\windows\system32\mspdox35.dll
2009-01-29 14:39 415,504 a------- c:\windows\system32\msrepl35.dll
2009-01-29 14:39 89,360 a------- c:\windows\system32\Vb5db.dll
2009-01-29 14:39 <DIR> --d----- c:\program files\ResumeMaker
2009-01-29 14:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Individual Software
2009-01-20 19:11 <DIR> --d----- C:\NJIT09
2009-01-17 21:56 62,716 a------- C:\Coprgtl.TTF
2009-01-17 21:56 61,552 a------- C:\Coprgtb.TTF

==================== Find3M ====================

2009-01-29 15:13 96,752 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-11-29 17:51 14,247,216 a------- C:\full.exe
2008-03-30 18:22 92,064 a------- c:\documents and settings\jaeger\mqdmmdm.sys
2008-03-30 18:22 79,328 a------- c:\documents and settings\jaeger\mqdmserd.sys
2008-03-30 18:22 66,656 a------- c:\documents and settings\jaeger\mqdmbus.sys
2008-03-30 18:22 25,600 a------- c:\documents and settings\jaeger\usbsermptxp.sys
2008-03-30 18:22 22,768 a------- c:\documents and settings\jaeger\usbsermpt.sys
2008-03-30 18:22 9,232 a------- c:\documents and settings\jaeger\mqdmmdfl.sys
2008-03-30 18:22 6,208 a------- c:\documents and settings\jaeger\mqdmcmnt.sys
2008-03-30 18:22 5,936 a------- c:\documents and settings\jaeger\mqdmwhnt.sys
2008-03-30 18:22 4,048 a------- c:\documents and settings\jaeger\mqdmcr.sys
2008-09-01 04:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 13:16:48.09 ===============

Edited by FinalKonekt, 11 February 2009 - 04:36 PM.
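An added triage example, written for this page and not part of the original post or of BleepingComputer's helper procedure. A web page that "diagnoses" a visitor's infection by IP address and offers "recommended software" is a rogue-antivirus pitch; the evidence is the DDS log, not the warning. In the log above the lines a helper would circle first are the AppInit_DLLs entry (umhnvu.dll, loaded into every GUI process on the box), the hidden+system xcduhggy.ini created in system32, the hidden autorun.inf in the root of C:, the BHO CLSID whose DLL is "No File", and the Intsvnsesr driver with no image ([x]). The script below parses those three DDS sections and flags exactly those patterns. The rules and the sample excerpt (a few lines copied from the log) are mine; the script marks lines for a human to look at and identifies no malware family, which the thread itself never reached either.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: a handful of lines copied from the DDS log in the post
# (Pseudo HJT Report, Services/Drivers and Created Last 30 sections).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - No File
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: umhnvu.dll

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-2-9 170640]
S3 Intsvnsesr;Intsvnsesr; [x]

=============== Created Last 30 ================

2009-02-10 23:53 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-10 23:53 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-30 00:37 1,483,952 a--sh--- c:\windows\system32\xcduhggy.ini
2009-01-29 15:11 378 ---shr-- C:\autorun.inf
"""


@dataclass
class Finding:
    category: str   # short machine-readable tag
    line: str       # the log line that triggered it
    reason: str     # why a human should look at it


# "2009-01-30 00:37 1,483,952 a--sh--- c:\windows\system32\xcduhggy.ini"
# -> timestamp, size or <DIR>, 8-character attribute field, path
FILE_ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$"
)
# "S3 Intsvnsesr;Intsvnsesr; [x]" -> state, name, display name, image or [x]
SERVICE_ENTRY = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
# autorun.inf directly in the root of a drive letter
ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)


def triage(log: str) -> list[Finding]:
    """Return the lines of a DDS log that deserve a human's attention."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):      # blank or section banner
            continue

        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(
                    "appinit_dll", line,
                    "AppInit_DLLs is mapped into every process that loads "
                    "user32.dll; legitimate software rarely uses it"))
            continue

        if line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding(
                "orphan_bho", line,
                "BHO CLSID still registered but its DLL is gone (leftover "
                "of a removal); harmless by itself but worth recording"))
            continue

        m = SERVICE_ENTRY.match(line)
        if m and m.group(3).strip() == "[x]":
            findings.append(Finding(
                "orphan_service", line,
                "service/driver registered but its image file is missing"))
            continue

        m = FILE_ENTRY.match(line)
        if m:
            attrs, path = m.group(3), m.group(4)
            is_dir = "d" in attrs
            hidden_system = "h" in attrs and "s" in attrs
            if ROOT_AUTORUN.match(path):
                findings.append(Finding(
                    "root_autorun", line,
                    "autorun.inf in the root of a fixed drive, hidden and "
                    "system: typical of removable-media worms"))
            elif hidden_system and not is_dir:
                findings.append(Finding(
                    "hidden_system_file", line,
                    "hidden+system attributes on a recently created file; "
                    "check the name, size and whether anything owns it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.line}\n    {f.reason}")
```

On a live Windows XP machine the AppInit_DLLs value lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs and is read by user32.dll at process start, which is why a DLL named there survives ordinary process-level cleanup and why this check is the first one to run. Random-looking eight-letter names such as umhnvu.dll and xcduhggy.ini are a judgement call left to the reader; the script deliberately does not try to score "randomness".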



#2 FinalKonekt (Topic Starter; Members, 5 posts)

Posted 17 February 2009 - 06:53 PM

I know you guys are busy, but I couldn't wait any longer, so I went ahead and reformatted my PC.

Please close post.

#3 KoanYorel (Bleepin' Conundrum; Members, 19,461 posts; Location: 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 18 February 2009 - 06:23 PM

Thanks for telling us.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



