Help! Infected with 'Troj/Rustok-N'


This topic is locked
16 replies to this topic

#1 burning_tires
  • Members
  • 11 posts

Posted 24 July 2009 - 02:05 PM

Hello! I think I am infected here...

First thing I noticed is Norton AntiVirus won't run or update. Then the system starts crashing at startup and shutdown, requiring multiple reboots, etc. Finally I start getting suspicious pop-up ads for anti-virus software, and today got a message that I am infected with 'Troj/Rustok-N'. After some searching I learned that it is likely blocking access to Norton, and I've installed MBAM, but it won't update or run. I get "server not found" when I try to access http://www.malwarebytes.org/.

Please help me if you can! Thanks!!


DDS (Ver_09-06-26.01) - NTFSx86
Run by User at 14:39:52.17 on Fri 07/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1469 [GMT -4:00]

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\My Documents\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NSWosCheck] c:\program files\norton systemworks basic edition\osCheck.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\firepo~1.lnk - c:\program files\presonus\1394audiodriver_firepod\FIREPOD.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks basic edition\norton cleanup\WCQuick.lnk
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.23,85.255.112.126
TCP: {FEC8D877-3515-4993-BF5F-C1EC1D369CB7} = 85.255.112.23,85.255.112.126
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\1zln1nvv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\nppsynth.dll
FF - plugin: c:\windows\system32\photosynth\nppsynth.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-5 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-5 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-5 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090707.001\IDSXpx86.sys [2009-7-7 276344]
R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [2008-2-24 18432]
R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2009-3-11 110304]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-5 115560]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~2\norton~1\NPROTECT.EXE [2005-11-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-4 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-6 101936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-7-12 36352]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090708.034\NAVENG.SYS [2009-7-8 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090708.034\NAVEX15.SYS [2009-7-8 876144]
S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [2003-11-1 17920]
S3 cmudau32;Audio Advantage Micro Interface;c:\windows\system32\drivers\cmudaxu.sys [2008-2-29 1391104]
S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\drivers\EMUXMIDI.sys [2006-8-19 134912]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-3-11 1527900]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [2006-8-16 19034]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [2006-8-30 11904]
S3 pae_1394;pae_1394;c:\windows\system32\drivers\pae_1394.sys [2006-8-4 111616]
S3 pae_avs;pae_avs;c:\windows\system32\drivers\pae_avs.sys [2006-8-4 27136]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2006-8-1 97152]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2006-8-1 24576]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-3-11 544768]

=============== Created Last 30 ================

2009-07-24 14:31 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 14:31 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-24 14:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 14:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-24 13:26 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\~0
2009-07-24 13:21 <DIR> --d----- c:\docume~1\user\applic~1\GetRightToGo
2009-07-17 13:36 <DIR> --d----- c:\program files\CCleaner
2009-07-16 13:34 <DIR> --d----- c:\program files\iTunes
2009-07-09 22:19 7,680 -------- c:\windows\system32\ff_vfw.dll
2009-07-09 22:19 547 -------- c:\windows\system32\ff_vfw.dll.manifest
2009-07-09 22:19 <DIR> --d----- c:\program files\ffdshow
2009-07-09 22:19 60,273 -------- c:\windows\system32\pthreadGC2.dll
2009-07-09 22:18 <DIR> --d----- c:\program files\TVersity Codec Pack
2009-07-09 22:16 <DIR> --d----- c:\program files\TVersity
2009-07-02 18:13 <DIR> -cd-h--- c:\windows\ie8
2009-06-28 15:14 <DIR> --d-h--- c:\program files\Zero G Registry
2009-06-28 15:12 <DIR> --d-h--- c:\documents and settings\user\InstallAnywhere
2009-06-24 15:05 <DIR> --d----- c:\program files\Garmin GPS Plugin
2009-06-24 14:53 <DIR> --d----- C:\WebUpdater
2009-06-24 14:53 <DIR> --d----- c:\program files\Garmin

==================== Find3M ====================

2009-07-24 03:28 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-24 03:28 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-24 03:28 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-24 03:28 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-01 13:06 102,032 -------- c:\windows\hpoins04.dat
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2008-04-21 22:27 1,447,654 -------- c:\documents and settings\user\speck t-shirt.zip
2005-01-20 23:23 45,056 -c---r-- c:\program files\SetAttrib.exe
2004-11-30 05:53 40,960 -c---r-- c:\program files\delete.exe

============= FINISH: 14:40:13.39 ===============

Attached Files
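The DDS output above is the kind of log a helper reads by eye. As an added example (not part of this thread, and not a DDS or BleepingComputer tool), the following Python script runs over a few lines in the format of the "Pseudo HJT Report" section and flags the entry types a reviewer would look at first: global and per-adapter `TCP: NameServer` entries whose addresses fall outside an analyst-supplied list of expected resolvers, BHOs registered with no backing file, RunOnce entries, and a configured proxy. The sample lines are copied from the report above; the `EXPECTED_RESOLVERS` allow-list, the function names and the category tags are assumptions made for the example. A flag means "check this entry", not "this entry is malicious".

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Sample input for the example: lines in the format of the DDS "Pseudo HJT
# Report" section posted above (copied from that report). A real DDS log is
# much longer; these are the line kinds the script looks at.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
TCP: NameServer = 85.255.112.23,85.255.112.126
TCP: {FEC8D877-3515-4993-BF5F-C1EC1D369CB7} = 85.255.112.23,85.255.112.126
"""

# Assumption for the example: the resolvers this machine is expected to use
# (e.g. the LAN router or ISP-assigned servers). Replace with the real ones;
# anything outside these networks is flagged for review, not declared malicious.
EXPECTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

NAMESERVER_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
BHO_NOFILE_RE = re.compile(r"^BHO: .*- No File$")
RUNONCE_RE = re.compile(r"^[um]RunOnce: ")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (.+)$")


@dataclass
class Finding:
    category: str   # short tag for the kind of entry flagged
    line: str       # the DDS line it came from


def unexpected_resolvers(addr_list: str) -> list[str]:
    """Return the addresses in a comma-separated DDS NameServer value that fall
    outside EXPECTED_RESOLVERS. Tokens that are not IP addresses are returned
    as-is so a reviewer sees them too."""
    flagged = []
    for token in addr_list.split(","):
        token = token.strip()
        try:
            ip = ip_address(token)
        except ValueError:
            flagged.append(token)
            continue
        if not any(ip in net for net in EXPECTED_RESOLVERS):
            flagged.append(token)
    return flagged


def triage(report: str) -> list[Finding]:
    """Scan DDS Pseudo HJT lines and collect the entries worth a second look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = NAMESERVER_RE.match(line)
        if m:
            # Global NameServer and per-adapter ({GUID}) entries are both checked.
            if unexpected_resolvers(m.group(1)):
                findings.append(Finding("dns-resolver-outside-allowlist", line))
        elif BHO_NOFILE_RE.match(line):
            # A BHO CLSID with no backing file: an orphaned registration, or a
            # component that has already been removed. Worth noting either way.
            findings.append(Finding("bho-no-file", line))
        elif RUNONCE_RE.match(line):
            findings.append(Finding("runonce-entry", line))
        elif PROXY_RE.match(line):
            findings.append(Finding("proxy-configured", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. for a quick header in a reply."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.category}] {f.line}")
    print(summarize(results))
```

Run it on a saved DDS log by replacing `SAMPLE_REPORT` with the file contents; the resolver allow-list is the one setting that has to be filled in per machine, since DHCP-assigned resolvers are only suspicious when they differ from what the network should be handing out.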





#2 DocSatan
    Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 24 July 2009 - 05:24 PM

Hello burning_tires and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems.

Please give me some time to research your Log and I will get back to you ASAP. :thumbup2:

Do Not Make Any Changes to the "Infected" Computer.
Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
Doc.

Edited by DocSatan, 24 July 2009 - 05:25 PM.


#3 burning_tires
  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2009 - 11:38 AM

Thanks Doc!

I'm not making any changes - I will be waiting for the next steps.

:thumbup2:

p.s. Another thing I now realize is a symptom is that the VIMAX PILLS ad is replacing almost every on-screen ad, no matter what site I'm on. Nice.

Edited by burning_tires, 25 July 2009 - 05:31 PM.


#4 DocSatan
    Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 26 July 2009 - 07:11 AM

Hello burning_tires,

1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you: Link 1
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt


#5 burning_tires
  • Topic Starter
  • Members
  • 11 posts

Posted 26 July 2009 - 02:35 PM

Okay, ComboFix will not run on my computer. I saved it to the desktop, made sure Norton was not in auto-protect mode (Norton AntiVirus has no system tray icon anymore and won't respond when trying to run the program, so I used "one button checkup" from Norton SystemWorks to see that auto-protect was off)... I double-click the ComboFix icon, click "run" on the security warning, and then, nothing. The hard drive lights up a little bit and then nothing happens. Same thing as when I try to run Norton AntiVirus or Malwarebytes' Anti-Malware. Very frustrating.

So, what now?

Thanks!

Edited by burning_tires, 26 July 2009 - 02:56 PM.


#6 DocSatan
    Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 27 July 2009 - 12:07 AM

Hello burning_tires,

Please Re-Name Combofix
  • Right-click on the Combofix.exe and choose to Rename.
  • Rename ComboFix to FluffyBunny.exe
Now try to Run FluffyBunny (ComboFix) again

Doc.

#7 burning_tires
  • Topic Starter
  • Members
  • 11 posts

Posted 27 July 2009 - 12:05 PM

Ah - okay, I think that did the trick. FluffyBunny worked - I have Norton AntiVirus back in my system tray, I can see Malwarebytes' website now, and the VIMAX PILLS ads have gone away.

Thank you so much Doc!!! I have attached ComboFix.txt for you.

Please let me know if there is anything else I need to do; or certain things to watch out for. I'm not sure how I got infected exactly.

Attached Files



#8 DocSatan
    Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 29 July 2009 - 04:11 AM

Hi burning_tires,

We're almost done, just a few more steps. :thumbup2:

The Major Infections:
  • That 'Troj/Rustok-N' warning that you were getting was a False Message from the Wareout infection that you had. So don't worry about that.
  • You were also infected with a Variant of the Trojan: TDSS. This particular variant doesn't have back-door capabilities so it was a "minor" infection.
1. I'd like to caution you about the use of Peer2Peer programs. In your case: utorrent
Although the actual P2P program may not contain malicious programs, the files that you are downloading and sharing within the P2P community may have. It is very easy for someone to attach some BadGuys onto a legitimate file that you may be downloading without your knowledge, thereby infecting your machine. The decision to keep the P2P program or uninstall it is up to you. Here is some information regarding P2P programs:
2. The Monitoring for your AntiVirus and Firewall has been disabled.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000000

  • Save this as CFScript.txt, in the same location as ComboFix.exe


  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
3. Scan with MBAM
  • Update Malwarebytes' Anti-Malware
  • On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
4. What I need in your next reply:
  • ComboFix.txt
  • MBAM Log
  • Any problems with your computer?
Doc.

#9 burning_tires
  • Topic Starter
  • Members
  • 11 posts

Posted 29 July 2009 - 05:15 PM

Everything is back to normal and running fine since the first time ComboFix ran, thanks!

I appreciate the info about the infection and the caution about using P2P.

I've attached the most recent ComboFix and MBAM logs, per your last post. Let me know if there's anything else I need to do.

Thanks once again!

Attached Files



#10 DocSatan
    Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 30 July 2009 - 05:26 AM

Hi burning_tires,

Looks like we are just about finished, just one more Scan before we say "We're Done". :thumbup2:

1. Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Doc.

#11 burning_tires
  • Topic Starter
  • Members
  • 11 posts

Posted 30 July 2009 - 03:59 PM

Kaspersky found one file infected with: Exploit.JS.Pdfka.nl.

I've attached the scan report here.

Thanks!

Attached Files



#12 DocSatan
    Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 31 July 2009 - 02:28 PM

Hi burning_tires

Kaspersky found One infection.

1. Please run this CFScript
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QL4N0VE3\922[1].pdf

  • Save this as CFScript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Doc.

#13 burning_tires
  • Topic Starter
  • Members
  • 11 posts

Posted 31 July 2009 - 08:54 PM

Okay, that's done. The log is attached.

Thanks!

Attached Files



#14 DocSatan
    Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 01 August 2009 - 07:57 AM

Hey burning_tires,

Your Log looks Clean! :thumbup2:

Unless you are having any other issues with this computer, I'd say we are finished. :)

Clean-Up Time

1. Please Delete DDS from your Desktop
  • You can just Right-Click and Delete DDS
2. Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
  • Double-click ATF-Cleaner.exe to run the program.
  • In the window that pops-up (ATF Cleaner - Main):
    • Place a check mark next to Select All at the bottom.
    • Now click the Empty Selected button.
  • If you use a Firefox Browser:
    • Click the Firefox tab at the top of the Main window.
    • Place a check mark next to Select All
    • Now click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use an Opera Browser:
    • Click Opera tab at the top of the Main window.
    • Place a check mark next to Select All
    • Now click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.
3. Please Uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and /U, it needs to be there.
4. Tools to Keep On Your Computer:
I would recommend keeping:
  • ATF Cleaner by Atribune.
    • ATF Cleaner is a handy little tool that helps to clean Temporary Folders/Files/Cookies/etc. easily. It's a small tool and doesn't take up much room at all.
    • Atribune Web Site
  • Malwarebytes Anti-Malware (MBAM)
    • MBAM is an awesome Anti-Malware tool that can be used as an On-Demand scanner, meaning that it doesn't start on Start-up (unless you buy the paid version). This also means that it won't be looking for Malware until you actually perform a Scan manually.
    • Malwarebyte's Home Page
Preventative Measures

Install a Firewall with both Inbound and Outbound Protection (You Already Have a 3rd-Party Firewall, so disregard this step)
  • Here is a Tutorial on: Understanding and Using Firewalls
  • The Windows Firewall only monitors inbound activity. It does not monitor outbound activity. Should a BadGuy make it on to your computer, it can send information outbound totally undetected. This is why installing a 3rd-Party Firewall that has both inbound and outbound protection is so important to the security of your computer.
  • I recommend using Zone Alarm Free firewall. This is an excellent firewall with simple user interface.
  • Other Recommended 3rd-Party Firewalls:
    • COMODO Firewall
    • This one comes with Anti-Virus as well. So during the installation, make sure to un-select the Antivirus option if you already have an Antivirus program installed on your computer.
  • Sunbelt Personal Firewall
    • This one comes with Anti-Virus as well. So during the installation, make sure to un-select the Antivirus option if you already have an Antivirus program installed on your computer.
  • Online Armor Free
UPDATES:
  • Update Your Microsoft Windows
  • Microsoft has released the latest upgrades to the XP OS platform, which can be referenced HERE.
  • It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system.
  • I recommend that you visit the link above and apply the SP3 patch.
Update Your Java Runtime Environment (JRE)
  • Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
Update Your Internet Explorer
  • Older versions of Internet Explorer have vulnerabilities that "The Bad-Guys" can exploit.
  • Please go HERE to upgrade your Internet Explorer to the latest version.
Update All of Your Applications
  • The BadGuys are constantly writing new programs to exploit vulnerabilities within programs and applications.
  • The GoodGuys are constantly updating their programs and applications to remove these vulnerabilities so the BadGuys cannot exploit them.
  • For this reason it is very important that you not only update your Microsoft Windows, Java, Internet Explorer, etc., but also the other applications you are running on your computer. I suggest that you go to the following site to scan your computer for outdated programs/applications:
  • If you want to stay up to date with the latest fixes, you can visit: The Calendar of Updates.

For more information on how to keep your computer safe and secure, please read the following Tutorial: How did I get infected?

Doc.
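The Java update steps in the post above rely on the user spotting every old JRE entry by eye in Add/Remove Programs. As an added example (not part of the thread, and not a tool from Atribune, Sun, or BleepingComputer), the following read-only PowerShell script enumerates the Java Runtime Environment entries registered under the Uninstall keys, sorts them by version, and flags everything older than the newest install so leftover versions are easy to find. It assumes PowerShell 2.0 or later; the registry paths are the standard Uninstall keys, the Wow6432Node path only exists on 64-bit Windows, and the name filter and the exclusion of "Java Auto Updater" are my own choices.

```powershell
# Added example for this thread; not from the post or any tool it names.
# Lists every Java Runtime Environment entry registered under the Uninstall
# keys and flags the ones older than the newest install, so stale JREs left
# behind after an update can be spotted before opening Add/Remove Programs.
# Assumes PowerShell 2.0 or later. Read-only: it uninstalls nothing.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # present on 64-bit Windows only
)

function Get-JavaInstalls {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Match the names Sun used for the runtime ("Java(TM) 6 Update 14",
            # "J2SE Runtime Environment 5.0 Update 22"), but skip the separate
            # "Java Auto Updater" entry, whose version is not a JRE version.
            if ($p.DisplayName -match 'Java|J2SE|JRE' -and
                $p.DisplayName -notmatch 'Updater' -and
                $p.DisplayVersion) {
                $ver = $null
                try { $ver = [version]$p.DisplayVersion } catch { $ver = $null }
                if ($ver) {
                    New-Object PSObject -Property @{
                        Name      = $p.DisplayName
                        Version   = $ver
                        Uninstall = $p.UninstallString
                        Key       = $_.PSChildName
                    }
                }
            }
        }
    }
}

$installs = @(Get-JavaInstalls | Sort-Object Version -Descending)

if ($installs.Count -eq 0) {
    Write-Host 'No Java Runtime Environment entries found.'
} else {
    $newest = $installs[0].Version
    Write-Host ("Newest JRE registered: {0} ({1})" -f $newest, $installs[0].Name)
    foreach ($i in $installs) {
        # Anything older than the newest entry is a candidate for removal
        # through Add/Remove Programs, exactly as the post describes.
        if ($i.Version -lt $newest) {
            $status = 'OLD - remove via Add/Remove Programs'
        } else {
            $status = 'current'
        }
        Write-Host ("  {0,-45} {1,-12} {2}" -f $i.Name, $i.Version, $status)
        if ($i.Version -lt $newest -and $i.Uninstall) {
            Write-Host ("      uninstall command: {0}" -f $i.Uninstall)
        }
    }
}
```

Run it from a PowerShell prompt after installing the new JRE and before rebooting; every line marked OLD corresponds to an entry that should be removed in Add/Remove Programs. The script only reads the registry and prints the registered uninstall command for reference, so it can be run repeatedly to confirm that no old version remains.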

#15 burning_tires

burning_tires
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:26 PM

Posted 01 August 2009 - 12:08 PM

Thanks once again Doc! I don't know what I would've done without the help I received here. :-)
