Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Rustok-N virus


  • Please log in to reply
11 replies to this topic

#1 elegantscorpio

elegantscorpio

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 08 August 2009 - 12:55 AM

I am infected with the Trojan Rustok-N virus. I followed the instructions mentioned in this thread. I am attaching the results of the Sophos Sophos Anti-Rootkit here: Please advise me on which item to remove.


Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 8/7/2009 at 16:27:11 PM
User "Owner" on computer "CHAYADEEPAK"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxvxcserv.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5AF4PAF\%26hl%3Den%26lr%3D%26rls%3DGWYA%2CGWYA%3A2005-36%2CGWYA%3Aen%26start%3D10%26sa%3DN&cc=100&u_h=1024&u_w=1280&u_ah=994&u_aw=1280&u_cd=32&u_tz=-420&u_java=true
Hidden: file C:\WINDOWS\system32\drivers\gxvxcltimpulrmtkddvpasqxeuyevycmsxwbp.sys
Hidden: file C:\WINDOWS\system32\gxvxchqmxrgrsfglvnsruvoasqqmykxxewipx.dll
Hidden: file C:\WINDOWS\system32\gxvxcetjkxtcdodqhcsswwojpnslbblbhtwvt.dll
Hidden: file C:\WINDOWS\system32\gxvxccount
Hidden: file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1IL2CX5O\0;a4=0;a5=0;a6=0;a7=0;a9=0;a11=0;a13=0;a15=0;a18=0;spon=target_bts09;sens=0;m=0;mage=0;area=groups;gcat=;gid=91632;2omk=;tier=home;sz=160x112;tile=4;ord=336531351[1]
Info: Starting disk scan of D: (FAT).
Stopped logging on 8/7/2009 at 17:14:30 PM

Thanks

Split from http://www.bleepingcomputer.com/forums/t/245448/trojanrustok-n/ - AA

Edited by Amazing Andrew, 08 August 2009 - 03:10 AM.
Mod Edit:Split Into Own Topic - AA


BC AdBot (Login to Remove)

 


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:45 AM

Posted 08 August 2009 - 11:23 AM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. The bullet the immediate notification bubble. Then press submit.



Please rerun Sophos and have it remove this file:

Hidden: file C:\WINDOWS\system32\drivers\gxvxcltimpulrmtkddvpasqxeuyevycmsxwbp.sys


And then reboot right after you remove it, and run a Quick Scan with malwarebytes. then post back the log.
Computer Pro

#3 elegantscorpio

elegantscorpio
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 08 August 2009 - 07:10 PM

Hi Computer Pro,

Thanks for the advice. I got rid of the virus. Now my google searches are not being redirected. I hope this is the end of it. Also, I read in another thread the following comment:

"Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS."

Do you think I should reformat since I use my PC for storing personal information and financial trasactions.

The log of the Quick Scan with malwarebytesis as follows:


Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

8/8/2009 5:05:09 PM
mbam-log-2009-08-08 (17-05-09).txt

Scan type: Quick Scan
Objects scanned: 90603
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks once again

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:45 AM

Posted 08 August 2009 - 07:15 PM

Mbam is outdated...
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 elegantscorpio

elegantscorpio
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 09 August 2009 - 12:07 AM

I updated MBAM & did a quick scan. The following is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2583
Windows 5.1.2600 Service Pack 3

8/8/2009 7:19:03 PM
mbam-log-2009-08-08 (19-19-03).txt

Scan type: Quick Scan
Objects scanned: 99430
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Then I ran ATF & SAS in safe mode. The following is the log from SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/08/2009 at 08:18 PM

Application Version : 4.27.1002

Core Rules Database Version : 4040
Trace Rules Database Version: 1980

Scan type : Quick Scan
Total Scan Time : 00:29:14

Memory items scanned : 261
Memory threats detected : 0
Registry items scanned : 549
Registry threats detected : 0
File items scanned : 9342
File threats detected : 0


The PC is running well now. Thanks for all your advice. Is there anything else that needs to be done in order to prevent future infections of Rustok-N?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:45 AM

Posted 09 August 2009 - 08:55 AM

Hello ,let's be sure that gxvx rootkit is not active.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 elegantscorpio

elegantscorpio
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 09 August 2009 - 01:27 PM

I scanned my PC using rootrepeal & here is the log: There's is still a gxvx service in the hidden services section. What should I do?

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/09 11:15
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7BBD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAE0A7000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_kxkuvp7rnjlb4ga
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_jauzvkv3ib0uxbk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_6d1666evyo6ym1h
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_6vspgn5mmcuaag0
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_be5dlpufi8tz6zo
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_bttyftmk90abxr3
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_mogqy6l1typ5zn5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_nleng62x1dmln5t
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_yyyw2bzcvnam4pb
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_rvdfwllz8c9r6na
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\owner\local settings\application

data\mozilla\firefox\profiles\rehwnww0.default\cache\_cache_map_
Status: Allocation size mismatch (API: 280, Raw: 0)

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb9cf4b30

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb9cf46f0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb9cf4470

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb9cf4c50

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb9cf4990

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb7d1e0b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb9cf4d60

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcltimpulrmtkddvpasqxeuyevycmsxwbp.sys

==EOF==

#8 elegantscorpio

elegantscorpio
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 10 August 2009 - 12:11 PM

Can anyone please look at the log in my previous reply and let me know if the infection is gone or not?

Thanks

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:45 AM

Posted 10 August 2009 - 12:33 PM

Hi, soory ,I got swamped her.. Not it is not gone and we need to run a different tool to open it for removal.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 elegantscorpio

elegantscorpio
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 10 August 2009 - 02:22 PM

Hi Boopme,

I ran the sophos anti-rootkit and the scan results show that no hidden items are found. The following is the log:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/10/2009 at 11:32:45 AM
User "Owner" on computer "CHAYADEEPAK"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Info: Starting disk scan of D: (FAT).
Stopped logging on 8/10/2009 at 12:17:32 PM

Please let me know of the next step.

Thanks

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:45 AM

Posted 10 August 2009 - 03:02 PM

EDIT2: Also, a quick note - I'm getting a lot of questions about exactly what a "Hidden Service" entry means. It only means that the registry entry is either present and hidden, or present and locked. Seeing a hidden service entry does not mean that the associated file is present. The "Delete Registry Key" tool in RootRepeal can be used to remove keys with corrupt permissions (such as the TDSS rootkit creates). Keys with corrupted/removed permissions will still show up as a "Hidden Service" as they are no longer accessible to most users.


from the author of rootrepeal

Ignore the hidden service from Chewy
Chewy

No. Try not. Do... or do not. There is no try.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:45 AM

Posted 11 August 2009 - 09:06 AM

Now let's do it this way.
Remove Combofix .Click on your Start Menu, then Run....
Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".

When shown the disclaimer, Select "2"
This will remove files/folders assoicated with combofix and uninstall it.

Clear system restore.
The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


Re Run Rootrepeal>..
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users