
Need help with Backdoor:WinNT/Rustock.AN


2 replies to this topic

#1 pborg

pborg

  • Members
  • 2 posts

Posted 03 September 2009 - 02:47 PM

I downloaded "windows-kb890830-v2.13.exe" from the Microsoft support site and it found the Rustock.AN backdoor.

Afterwards I downloaded the newest definition files for both AVG and Malwarebytes' Anti-Malware. I disconnected the network, entered safe mode, deactivated system recovery on all drives and ran both scanning programs. AVG found some minor things and Malwarebytes found 2 hijack.windowsupdates. The malware was successfully removed (it shows in the history logs).

Now I restarted Windows and entered normal mode. I opened the properties of Internet Explorer without running IE; here I disabled some mysterious additional programs and applied the changes. I enabled system recovery on all drives and reconnected the network cable. Once again I tried Windows Update, with the same bad result (Error: 0x80070002), and I was back to step one again.

I hope my description can be of some kind of help to you.

Best regards,

P.Borg

NB: I have uploaded the Attach.zip file instead of the Attach.txt file. I hope it is OK.

Below you have my log file:

-------

DDS (Ver_09-07-30.01) - NTFSx86
Run by Preben at 21:27:51,92 on 03-09-2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.45.1030.18.1023.405 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmer\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programmer\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmer\CA\eTrust Antivirus\InoRpc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmer\CA\eTrust Antivirus\InoRT.exe
C:\Programmer\CA\eTrust Antivirus\InoTask.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmer\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programmer\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programmer\Mouse\Amoumain.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmer\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Programmer\TechSmith\SnagIt 8\SnagIt32.exe
C:\Programmer\TechSmith\SnagIt 8\TSCHelp.exe
C:\Programmer\TechSmith\SnagIt 8\SnagPriv.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Preben\Skrivebord\fra_bleepingcomputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aldi.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\programmer\techsmith\snagit 8\SnagItBHO.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\programmer\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programmer\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programmer\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll
BHO: CmjBrowserHelperObject Object: {ac41d38f-b56d-40ad-94e0-b493d130c959} - c:\pro\mindjet\mindmanager 6\Mm6InternetExplorer.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programmer\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\programmer\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmer\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmer\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programmer\yahoo!\companion\installs\cpn\yt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\programmer\canon\easy-webprint\Toolband.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\programmer\techsmith\snagit 8\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll
TB: {70DE7956-479D-4EB7-8641-2B45774C350E} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\programmer\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] "c:\programmer\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [pdfSaver3] "c:\programmer\tracker software\pdf-xchange 3\pdfsaver\pdfSaver3.exe"
uRun: [scheduler_monitor] c:\pro\reaconverter 5.5 pro\init_scheduler.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [ATIPTA] "c:\programmer\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Dit] Dit.exe
mRun: [Keyboard Status] c:\progra~1\medion tools\keystat\KeyStat.exe
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [PCMService] "c:\programmer\home cinema\powercinema\PCMService.exe"
mRun: [Hot Key Kbd Daemon] SKDAEMON.EXE
mRun: [SynTPLpr] c:\programmer\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\programmer\synaptics\syntp\SynTPEnh.exe
mRun: [Easy-PrintToolBox] c:\programmer\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [QuickTime Task] "c:\programmer\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NBKeyScan] "c:\programmer\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [WheelMouse] c:\programmer\mouse\Amoumain.exe
mRun: [SunJavaUpdateSched] "c:\programmer\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\preben\menuen~1\progra~1\start\genvej~1.lnk - i:\documents and settings\preben\dokumenter\drev_fra_gl_maskine\e_drev\empty_ny.cmd
StartupFolder: c:\docume~1\preben\menuen~1\progra~1\start\snagit~1.lnk - c:\programmer\techsmith\snagit 8\SnagIt32.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\programmer\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programmer\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programmer\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programmer\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmer\messenger\msmsgs.exe
IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\pro\mindjet\mindmanager 6\Mm6InternetExplorer.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\programmer\fælles filer\microsoft shared\encarta search bar\ENCSBAR.DLL
Trusted Zone: skat.dk\www.tastselv
Trusted Zone: vintertrafik.dk\www
Trusted Zone: wmdata.com\timingdk
Trusted Zone: wmdata.com\webaccess
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} - hxxp://downol.dr.dk/download/netradio/Rawflow.cab
DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} - hxxps://www.djs-netbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.30.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {11818680-FCF6-11D0-9808-0800092A4865} - hxxp://www.kps.dk/Codebase/FormCtl.cab
DPF: {1469FF24-47F6-11D2-8805-006008C537E3} - hxxp://www.kps.dk/codebase/ffmail.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} - hxxp://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
DPF: {233c1507-6a77-46a4-9443-f871f945d258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {5ae58fcf-6f6a-49b2-b064-02492c66e3f4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1251753109171
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://gis.hedensted.dk/viewer/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131804954765
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxp://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {cafeefac-0016-0000-0015-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} - hxxp://www.kps.dk/codebase/scriptobject.cab
DPF: {e2883e8f-472f-4fb0-9522-ac9bf37916a7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} - hxxp://www.kps.dk/codebase/fontinstaller.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://kort.plf.dk/ikast/acgm/acgm.cab
TCP: {84F97E81-C7C8-436A-9F2D-BA17E0230918} = 208.67.222.222,208.67.220.220
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programmer\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-1 335240]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-1 27784]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-1 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-1 297752]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2004-10-13 945152]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2005-1-20 1287296]
R3 wbscr;Winbond Smartcard Reader for I/O;c:\windows\system32\drivers\wbscr.sys [2005-1-31 19928]
S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2005-1-31 17408]
S3 rcp_service;ReaConverter scheduler service;c:\pro\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]

=============== Created Last 30 ================

2009-09-01 21:09 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-01 20:57 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-01 20:57 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-01 20:57 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-01 20:56 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-01 20:56 <DIR> --d----- c:\programmer\AVG
2009-09-01 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-01 20:50 <DIR> --d----- c:\docume~1\preben\applic~1\AVG8
2009-08-13 21:45 57,968 a---h--- c:\windows\system32\mlfcache.dat
2009-08-13 21:15 270,288 a------- c:\windows\system32\drivers\SynTP.sys
2009-08-13 21:14 <DIR> --d----- C:\IBMTOOLS

==================== Find3M ====================

2009-09-03 21:27 92,800 a------- c:\windows\system32\drivers\4638426a.sys
2009-09-03 19:38 17,408 a------- c:\windows\system32\drivers\USBCRFT.SYS
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2008-05-08 23:09 42,158 a------- c:\docume~1\preben\applic~1\wklnhst.dat
2005-05-28 17:27 64,144 a------- c:\docume~1\preben\applic~1\GDIPFONTCACHEV1.DAT
2005-01-31 12:31 8 a--shr-- c:\windows\system32\F83C39F980.sys

============= FINISH: 21:29:10,34 ===============
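The DDS "Pseudo HJT Report" above is a fixed line format (BHO/TB entries with a CLSID and a DLL path, uRun/mRun/dRun autostart entries, AppInit_DLLs, Notify). The parser below is an added example, not part of the original post or of DDS itself; it reads a few lines copied from the log, turns them into records, and flags the things a responder would check by hand: a toolbar CLSID whose DLL is "No File" (an orphaned registry entry), an AppInit_DLLs value, and a Run entry that names a bare executable resolved via the search path rather than a full path. The flag reasons are this example's own wording, not verdicts from the thread.

```python
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" in the log above.
SAMPLE_REPORT = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programmer\avg\avg8\avgssie.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll
TB: {70DE7956-479D-4EB7-8641-2B45774C350E} - No File
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
uRun: [swg] "c:\programmer\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Notify: avgrsstarter - avgrsstx.dll
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
# One regex per DDS line kind; the "name" group is optional for TB lines with no display name.
LINE_PATTERNS = [
    ("BHO", re.compile(rf"^BHO: (?P<name>.*?): (?P<clsid>{GUID}) - (?P<target>.*)$")),
    ("TB", re.compile(rf"^TB: (?:(?P<name>.*?): )?(?P<clsid>{GUID}) - (?P<target>.*)$")),
    ("Run", re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")),
    ("AppInit_DLLs", re.compile(r"^AppInit_DLLs: (?P<target>.*)$")),
    ("Notify", re.compile(r"^Notify: (?P<name>\S+) - (?P<target>.*)$")),
]

def parse_report(text):
    """Turn DDS report lines into dicts: kind, target, plus name/clsid/hive when present."""
    entries = []
    for line in text.splitlines():
        for kind, pat in LINE_PATTERNS:
            m = pat.match(line.strip())
            if m:
                entries.append({"kind": kind, **m.groupdict()})
                break  # first matching pattern wins; unknown lines are skipped
    return entries

def review_flags(entries):
    """Return (reason, kind, identifier) tuples a responder should verify by hand."""
    flags = []
    for e in entries:
        ident = e.get("name") or e.get("clsid") or e["target"]
        target = e["target"].strip('"')
        if target == "No File":
            flags.append(("orphaned registry entry, DLL missing on disk", e["kind"], ident))
        elif e["kind"] == "AppInit_DLLs":
            # AppInit_DLLs is loaded into every process that links user32.dll.
            flags.append(("DLL loaded into every user32-linked process", e["kind"], target))
        elif e["kind"] == "Run" and "\\" not in target.split(" ")[0]:
            flags.append(("bare executable name, resolved via search path", e["kind"], ident))
    return flags

if __name__ == "__main__":
    for flag in review_flags(parse_report(SAMPLE_REPORT)):
        print(flag)
```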

#2 pborg

pborg
  • Topic Starter

  • Members
  • 2 posts

Posted 15 September 2009 - 05:15 AM

I have worked it out myself. So please close this incident.

Br.

P. Borg

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 September 2009 - 03:28 PM

Thanks for letting us know. :(

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.