Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I have Troj/Rustok-N ... what is it and should it be removed?


  • Please log in to reply
27 replies to this topic

#1 jmb86

jmb86

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 01:18 AM

So apparently I have a 'Troj/Rustok-N' infecting my computer. When I go to some sites it says that "Your computer (IP: XX.XXX.XX.XX) generates an attacking DOS requests at our servers. This attack was provoked by the spyware/virus named 'Troj/Rustok-N'" and prompts me to download removal software. However, I have heard that in downloading this software it just installs further viruses/malware programs onto your computer. I have also seen that when I open 'processes' in the Task Manager there is a file there I haven't seen before... it is named '26860673.tmp' it doesn't use a great deal of memory or anything but should i be suspicious of that also? Not really sure what to do here. Is it okay to let the Trojan sit there? The program it got in with has been put into the 'Virus Vault' of AVG, but does that mean that this Trojan is immobile also?

Any advice would be great!

Thanks,

Jerome.

BC AdBot (Login to Remove)

 


#2 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:19 AM

Posted 22 July 2009 - 01:56 AM

Hi and Welcome to BleepingComputer,

You absolutely want that trojan removed but do NOT dl the software that it wants you to. I would also use taskmanager to stop that process from running. Also, what operating system are you using?

I would start out by doing a scan with Malwarebytes...

It can be downloaded from any of these places...
http://www.malwarebytes.org/mbam.php

alternate download link 1 (easiest way)
http://malwarebytes.gt500.org/mbam-setup.exe

alternate download link 2
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

Double-click on mbam-setup.exe to install the application. (If it will not download, install, or open after installation, change the name of it to whatever you want and change the .exe extension to .bat or .com or .pif or scr and then double click on it to run.)

When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

Make sure the "Perform Quick Scan" option is selected. Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process.

After running that scan, post the complete log of the results here and then download, install, update and run a quick scan with SuperAntiSpyware and post the complete log of the results here. This scan may take some time to complete so please be patient.

That can be downloaded from SuperAntiSpyware.com

If it will not download, install, or open after installation, change the name of it to whatever you want and change the .exe extension to .bat or .com or .pif or scr and then double click on it to run.

If possible, both programs should be run in regular Windows, not safe mode. Allow both programs to remove whatever they find and if they tell you that you need to reboot your computer to complete the removal process, reboot into normal Windows.

Edited by Stang777, 22 July 2009 - 02:15 AM.


#3 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:19 AM

Posted 22 July 2009 - 02:09 AM

This is what I found on about the 'Troj/Rustok-N' infection....

The below text is credited to BleepingComputer staff member Extremeboy
(Thank you for the detailed explaination Extremeboy and I hope it is ok that I used this)

It is related to a backdoor trojan.

Backdoor Threat

IMPORTANT NOTE: Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Edited by Stang777, 22 July 2009 - 02:23 AM.


#4 jmb86

jmb86
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 02:47 AM

okay... I've run Malwarebytes and here is what it returned:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6000

22/07/2009 5:46:22 PM
mbam-log-2009-07-22 (17-46-07).txt

Scan type: Quick Scan
Objects scanned: 86686
Time elapsed: 8 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1be1f5ae-82c2-43bf-93e1-c3a490e2cbe9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1be1f5ae-82c2-43bf-93e1-c3a490e2cbe9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{1be1f5ae-82c2-43bf-93e1-c3a490e2cbe9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Do i now use the 'remove selected' option?

#5 jmb86

jmb86
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 02:54 AM

I decided to remove the selected files... as they all had the word 'trojan' in it. Here is the report that followed. Now I'll do the next part...

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6000

22/07/2009 5:53:34 PM
mbam-log-2009-07-22 (17-53-34).txt

Scan type: Quick Scan
Objects scanned: 86686
Time elapsed: 8 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1be1f5ae-82c2-43bf-93e1-c3a490e2cbe9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1be1f5ae-82c2-43bf-93e1-c3a490e2cbe9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{1be1f5ae-82c2-43bf-93e1-c3a490e2cbe9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c94f4747-d35d-4b5c-b56b-eec599020667}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.114,85.255.112.115 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 jmb86

jmb86
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 03:49 AM

SUPERAS gave me the following:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2009 at 06:39 PM

Application Version : 4.26.1006

Core Rules Database Version : 4010
Trace Rules Database Version: 1950

Scan type : Quick Scan
Total Scan Time : 00:28:33

Memory items scanned : 785
Memory threats detected : 0
Registry items scanned : 461
Registry threats detected : 4
File items scanned : 16357
File threats detected : 0

Rootkit.Agent/Gen-ESQUL
HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS
HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#start
HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#type
HKLM\SYSTEM\CurrentControlSet\Services\ESQULSERV.SYS#imagepath

#7 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:19 AM

Posted 22 July 2009 - 10:26 AM

Run another scan with Malwarebytes to see if it really got rid of those things and post that log.

Did you have SuperAntiSpyware get rid of the rootkit it found? If so, run another scan with it and see if it still picks it up, if not, have it do that and then rerun the scan. Post the new log from SuperAntiSpyware.

It looks like you are running Vista, is that correct?

Edited by Stang777, 22 July 2009 - 10:27 AM.


#8 jmb86

jmb86
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 06:02 PM

Yeah, I got SuperAnti to remove the RootKit. And yes, I'm running Vista. Here are the logs I ran this morning:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6000

23/07/2009 8:29:33 AM
mbam-log-2009-07-23 (08-29-33).txt

Scan type: Quick Scan
Objects scanned: 86983
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com



Generated 07/23/2009 at 08:56 AM

Application Version : 4.26.1006

Core Rules Database Version : 4010
Trace Rules Database Version: 1950

Scan type : Quick Scan
Total Scan Time : 00:26:05

Memory items scanned : 761
Memory threats detected : 0
Registry items scanned : 461
Registry threats detected : 0
File items scanned : 16409
File threats detected : 0

#9 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:19 AM

Posted 22 July 2009 - 06:51 PM

Those look good but I would like to see if someone else comes along with other ideas for making sure that is gone and your system is clean. Remember what I posted in post #3 about this one being a backdoor trojan though.

I would make a new restore point now and label it something that will let you know that it is your first clean one so you do not use any old ones. Also, unless you know how to remove all but the most one in Vista, we need someone else to let you know how to do that as I do not know if the procedure is the same as it is in XP. I am sorry that I do not know, but I have never used Vista

#10 jmb86

jmb86
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 08:18 PM

Thanks so much for all your help! However I'm not entirely sure what you mean by the following:

Also, unless you know how to remove all but the most one in Vista, we need someone else to let you know how to do that as I do not know if the procedure is the same as it is in XP. I am sorry that I do not know, but I have never used Vista


So should I make a new restore point now?

#11 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:19 AM

Posted 22 July 2009 - 08:32 PM

You are very welcome and yes make a new restore point now.

What I meant by that is, in XP there is a way to remove all but the most recent restore point, which should be done after cleaning out an infection and making a new clean restore point. The point in doing that is to make sure that an infected restore point that would put the infection back on the system is not used at some point in the future. I assume there is a way to do that in Vista but I do not know for sure or what that way would be.

I do believe someone from the staff will be coming along that might be able to explain how to do that and to make sure your system is as clean as it can be.

#12 jmb86

jmb86
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 08:33 PM

I get it no =) haha... I do remember seeing how to do that somewhere else on this site... hrmmm...

EDIT: I found the boards where I saw how to create a restore point in Vista. I have done that and am now running a full scan with AVG. I've changed my banking passwords on a clean computer (a Mac) so that should hopefully be no problem. Should I re-run scans in a couple of days to see if anything has come through the back door (or attempted to) at all?

Edited by jmb86, 22 July 2009 - 08:53 PM.


#13 jmb86

jmb86
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 09:24 PM

So I posted yesterday because I found I had a Troj/Rustok-N infection (see http://www.bleepingcomputer.com/forums/t/243466/i-have-trojrustok-n-what-is-it-and-should-it-be-removed/ for details of what was done to remove that) and I have just done a system restore (as advised) and decided to run AVG to see if would pick anything else up. It has detected that there is now a 'Trojan Horse Sheur2.ASHT' present in my system. Is it okay to just move this to the virus vault or should I run MBAM and SAS?

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 22 July 2009 - 09:27 PM

Hang on, let me get something clear for a second, did you Create a New Restore Point, or did you restore your computer to a Restore Point?
Computer Pro

#15 jmb86

jmb86
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 22 July 2009 - 09:29 PM

I created a New Restore point. Was that bad? Also, I am running on Vista and use IE8.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users