win32/rustock.gen!c

monty.henderson · 04-17-2007, 06:19 PM

Microsoft error report told me that I have win32/rustock.gen!c. I searched the forum and found instructions telling me to run ComboFix, which I did. I am attaching the log files ComboFix.txt and ComboFix-quarantined.txt. I will run the DSS tool and post those results as well.

"mine" - 07-04-17 18:20:50 Service Pack 2
ComboFix 07-04-18.V - Running from: C:\Documents and Settings\mine\Desktop\

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\1312531.exe
C:\Program Files\Common Files\{606A9~1\system.dll
C:\Program Files\Common Files\{606A9~2\system.dll
C:\Program Files\Common Files\{306A9~1
C:\Program Files\Common Files\{606A9~1
C:\Program Files\Common Files\{606A9~2
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\RACLE~1

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Client IP-IPX
-------\new_drv
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_NEW_DRV

((((((((((((((((((((((((((((((( Files Created from 2007-03-17 to 2007-04-17 ))))))))))))))))))))))))))))))))))

2007-04-17 15:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-04-14 19:08 <DIR> dr-h----- C:\DOCUME~1\mine\APPLIC~1\yahoo!
2007-04-10 08:23 <DIR> dr-h----- C:\DOCUME~1\cyndi\APPLIC~1\yahoo!
2007-04-09 23:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-04-01 14:25 <DIR> d-------- C:\DOCUME~1\mine\APPLIC~1\Viewpoint
2007-03-31 16:02 <DIR> dr-hs---- C:\Program Files\rnamfler
2007-03-29 18:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-03-29 18:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-27 17:46 <DIR> d-------- C:\MyMod
2007-03-25 19:24 170 --a------ C:\run_studiomdl.bat
2007-03-25 19:24 165 --a------ C:\run_hlmv.bat
2007-03-25 19:24 163 --a------ C:\run_mod.bat
2007-03-25 19:24 100 --a------ C:\run_hammer.bat
2007-03-25 19:24 <DIR> d-------- C:\src
2007-03-25 19:24 <DIR> d-------- C:\modelsrc
2007-03-25 19:24 <DIR> d-------- C:\materialsrc
2007-03-25 19:24 <DIR> d-------- C:\mapsrc
2007-03-24 18:39 <DIR> d-------- C:\HammerAutosave

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 73148 bytes in 1 streams.

2007-04-17 18:29 -------- d-------- C:\Program Files\steam
2007-04-17 12:57 -------- d-------- C:\Program Files\yahoo!
2007-03-05 17:53 -------- d-------- C:\Program Files\sierra on-line
2007-03-03 22:33 69 --a-s---- C:\WINDOWS\url1.bat
2007-03-03 18:17 -------- d-------- C:\Program Files\total 3d home deluxe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AGRSMMSG"="AGRSMMSG.exe"
"TPSMain"="TPSMain.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Zinio DLM"="C:\\Program Files\\Zinio\\ZinioDeliveryManager.exe /autostart"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"The Rush Limbaugh Show"="C:\\Program Files\\Rush 24-7 Media Center\\Rush 24-7 Media Center.exe /noopen"
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\desgnt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xmm13g

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mmx19g.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xmm13g.sys

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-17 18:32:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-17 18:32

monty.henderson · 04-17-2007, 06:54 PM

I ran the DSS tool and am attaching the files it created.

Deckard's System Scanner v20070411.38
Run by mine on 2007-04-17 at 19:21:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
38: 2007-04-18 00:21:44 UTC - RP144 - Deckard's System Scanner Restore Point
37: 2007-04-17 20

48 UTC - RP143 - System Checkpoint
36: 2007-04-16 19:10:43 UTC - RP142 - Installed Windows Media Player 10
35: 2007-04-15 22:47:24 UTC - RP141 - System Checkpoint
34: 2007-04-14 13:38:44 UTC - RP140 - System Checkpoint

-- First Restore Point --
1: 2007-01-18 15:32:58 UTC - RP107 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as mine.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:41:00 PM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Documents and Settings\mine\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\mine.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5D62AA9A-2636-4D53-886C-D4D3F0DDA81B} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://sbs03/connectcomputer/nshelp.dll
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://216.229.173.248/Remote/msrdp.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: desgnt - desgnt.dll (file missing)
O20 - Winlogon Notify: xmm13g - xmm13g.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 AVG Anti-Rootkit - c:\windows\system32\drivers\avgarkt.sys
R0 DRVMCDB - c:\windows\system32\drivers\drvmcdb.sys
R0 KR10N - c:\windows\system32\drivers\kr10n.sys
R1 AvgArCln (Avg Anti-Rootkit Clean Driver) - c:\windows\system32\drivers\avgarcln.sys
R1 DLACDBHM - c:\windows\system32\drivers\dlacdbhm.sys
R1 DLARTL_N - c:\windows\system32\drivers\dlartl_n.sys
R1 meiudf - c:\windows\system32\drivers\meiudf.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys
R2 DLABOIOM - c:\windows\system32\dla\dlaboiom.sys
R2 DLADResN - c:\windows\system32\dla\dladresn.sys
R2 DLAIFS_M - c:\windows\system32\dla\dlaifs_m.sys
R2 DLAOPIOM - c:\windows\system32\dla\dlaopiom.sys
R2 DLAPoolM - c:\windows\system32\dla\dlapoolm.sys
R2 DLAUDF_M - c:\windows\system32\dla\dlaudf_m.sys
R2 DLAUDFAM - c:\windows\system32\dla\dlaudfam.sys
R2 DRVNDDM - c:\windows\system32\drivers\drvnddm.sys
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys
R3 AgereSoftModem (TOSHIBA V92 Software Modem) - c:\windows\system32\drivers\agrsm.sys
R3 AR5211 (Atheros Wireless Network Adapter Service) - c:\windows\system32\drivers\ar5211.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys
R3 tbiosdrv (Toshiba Logical Tbios Device) - c:\windows\system32\drivers\tbiosdrv.sys
R3 TVALD (Toshiba Mobile PC Service) - c:\windows\system32\drivers\nbsmi.sys
R3 Tvs (TOSHIBA Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys

S1 Avg7Core (AVG7 Kernel) - c:\windows\system32\drivers\avg7core.sys (file missing)
S1 Avg7RsW (AVG7 Wrap Driver) - c:\windows\system32\drivers\avg7rsw.sys (file missing)
S1 Avg7RsXP (AVG7 Resident Driver XP) - c:\windows\system32\drivers\avg7rsxp.sys (file missing)
S1 AvgClean (AVG7 Clean Driver) - c:\windows\system32\drivers\avgclean.sys (file missing)
S1 mmx19g (MMX virtualization service) - c:\windows\system32\mmx19g.sys (file missing)
S2 xmm13g (MMX2 virtualization service) - c:\windows\system32\mmx19g.sys (file missing)
S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 TAPPSRV (TOSHIBA Application Service) - "c:\program files\toshiba\toshiba applet\tappsrv.exe"

S2 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\grisoft\avg7\avgamsvr.exe (file missing)
S2 Avg7UpdSvc (AVG7 Update Service) - c:\progra~1\grisoft\avg7\avgupsvc.exe (file missing)

-- Files created between 2007-03-17 and 2007-04-17 -----------------------------

2007-04-17 15:16:21 0 d-------- C:\Program Files\Windows Live Safety Center<WINDOW~4>
2007-04-14 19:08:54 0 dr-h----- C:\Documents and Settings\mine\Application Data\yahoo!
2007-04-10 08:23:18 0 dr-h----- C:\Documents and Settings\cyndi\Application Data\yahoo!
2007-04-09 23:18:24 0 d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-04-01 14:25:53 0 d-------- C:\Documents and Settings\mine\Application Data\Viewpoint<VIEWPO~1>
2007-03-31 16:02:04 0 dr-hs---- C:\Program Files\rnamfler
2007-03-29 18:55:21 3968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-03-29 18:53:51 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-27 17:46:35 0 d-------- C:\MyMod
2007-03-25 19:24:27 170 --a------ C:\run_studiomdl.bat<RUN_ST~1.BAT>
2007-03-25 19:24:27 163 --a------ C:\run_mod.bat
2007-03-25 19:24:27 165 --a------ C:\run_hlmv.bat
2007-03-25 19:24:27 100 --a------ C:\run_hammer.bat<RUN_HA~1.BAT>
2007-03-25 19:24:26 0 d-------- C:\src
2007-03-25 19:24:26 0 d-------- C:\modelsrc
2007-03-25 19:24:26 0 d-------- C:\materialsrc<MATERI~1>
2007-03-25 19:24:26 0 d-------- C:\mapsrc
2007-03-24 18:39:24 0 d-------- C:\HammerAutosave<HAMMER~1>

-- Find3M Report ---------------------------------------------------------------

2007-04-17 18:29:37 0 d-------- C:\Program Files\Steam
2007-04-17 15:28:55 0 d-------- C:\Documents and Settings\mine\Application Data\AVG7
2007-04-17 12:57:02 0 d-------- C:\Program Files\Yahoo!
2007-04-08 08:03:03 0 d-------- C:\Documents and Settings\mine\Application Data\ContentGuard<CONTEN~1>
2007-03-08 19:55:02 151552 --a------ C:\t128
2007-03-07 13:56:05 0 d-------- C:\Documents and Settings\mine\Application Data\Help
2007-03-05 17:53:17 0 d-------- C:\Program Files\Sierra On-Line<SIERRA~1>
2007-03-03 22:33:51 69 --a-s---- C:\WINDOWS\url1.bat
2007-03-03 18:17:49 0 d-------- C:\Program Files\Total 3D Home Deluxe<TOTAL3~1>

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Zinio DLM"="C:\\Program Files\\Zinio\\ZinioDeliveryManager.exe /autostart"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"The Rush Limbaugh Show"="C:\\Program Files\\Rush 24-7 Media Center\\Rush 24-7 Media Center.exe /noopen"
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AGRSMMSG"="AGRSMMSG.exe"
"TPSMain"="TPSMain.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\Shell]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\desgnt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xmm13g

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mmx19g.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\xmm13g.sys

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-04-17 at 19:41:38 ---------

Sempurna · 04-18-2007, 08:33 PM

Hi Monty,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, there’s no indication in the logs that you have been infected with the Rustock rootkit. But, let’s make sure with some other scans, OK?

But, let’s do this first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: (no name) - {5D62AA9A-2636-4D53-886C-D4D3F0DDA81B} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - AppInit_DLLs:
O20 - Winlogon Notify: desgnt - desgnt.dll (file missing)
O20 - Winlogon Notify: xmm13g - xmm13g.dll (file missing)

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.

NEXT:

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval, but doesn't spy or do anything "bad". This will change from what we know in 2006, read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

I suggest you remove the program now. Go to Start -> Control Panel -> Add/Remove Programs and remove the following programs (if present):

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar

If you have problems with Viewpoint regenerating after uninstallation, then please follow these instructions:

Quote:

Open AOL and go to Help on the toolbar. Select About AOL. Next is the SECRET STEP. You must then press Ctrl + D to access a "secret" panel to disable all of the desktop and IM fancy features that are associated with viewpoint. This is the only way to prevent AOL from re-installing Viewpoint at AOL startup.

NEXT:

Please enable viewing of hidden files as follows:

Go to My Computer, and click on the "Tools" menu.
Click "Folder options".
Select the "View" tab.
Make sure "Show hidden files and folders" is selected.
Make sure "Hide extensions for known file types" is unchecked.
Make sure "Hide protected operating system files (recommended)" is unchecked.

CAUTION: You will see many folders and files which you may not recognize. Most of these folders and files are LEGITIMATE. Please do NOT delete anything you deem suspicious unless you are specifically instructed to do so. To do otherwise may irreparably damage your system.

NEXT:

Using Windows Explorer (right-click your Start button and select Explore), please navigate to and delete the following FILES (if they exist):

C:\Documents and Settings\mine\Application Data\Viewpoint

NEXT:

Please go to: VirusTotal

At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:

C:\run_studiomdl.bat
Click "Open".
Then click the "Send" button at the top of the VirusTotal page.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply together with a new HijackThis log.

Then please do the same as above for the following files:

C:\run_hlmv.bat
C:\run_mod.bat
C:\run_hammer.bat
C:\WINDOWS\url1.bat

NEXT:

Let’s run a few deep diagnostic scans to make sure nothing else is lurking in your system.

Please download and save F-Secure BlackLight to your desktop.

Click the I Accept button at the bottom of the page.
Download the Blacklight Beta graphical user interface version.
Double-click the fsbl.exe program that you downloaded to run BlackLight.
Click Scan -> Next.
After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose rename for any items yet! I need to see the log first, because legitimate items can also be present there...
A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
Please post the contents of the log in your next reply.

NEXT:

Please download GMER and save it to your desktop:

Unzip (extract) it to your desktop.
Disconnect from Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click gmer.exe to run it.
Let the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
Click the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Then click the Scan button. Wait for the scan to finish.
Once done, click the Copy button.
This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Paste the results in your next reply.

If you're having problems with running gmer.exe, try it in Safe Mode.
This tool works in Safe Mode… other rootkit revealers don't.

NEXT:

Please download System Repair Engineer by Smallfrogs and save it to your desktop:

Right-click sreng2.zip, select Extract All, and extract it to its own folder.
Double-click SREng.exe to run it.
Select Smart Scan and check (tick) Verify the digital signatures of process modules.
Click on the Scan button.
When the scan is complete, click on the Save Reports button and save the log to your desktop.
Please attach the log in your next reply. Don’t post it.

Note: You would have to rename SREngLog.log to SREngLog.txt before attaching it. If you cannot attach the log, then please copy and paste its contents into your next reply.

NEXT:

I notice that your system doesn’t have an anti-virus program running. This can be suicidal in today’s digital age. :)

So, let’s set you up with a FREE and excellent anti-virus program called Active Virus Shield (Powered by Kaspersky). This is a highly ranked and highly regarded anti-virus program by our experts. It’s ranked #2 in the latest anti-virus test here:
http://www.virus.gr/english/fullxml/default.asp?id=82

Please download Active Virus Shield (Powered by Kaspersky) and save it to your desktop.

Please remember to register for your Activation Code using a legitimate email address.
Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:
Then please update the program and run a scan on My Computer. Allow it to neutralize all that it finds.
When done, launch Active Virus Shield's main window.
Click the Scan button on the left, and then click Detected.
In the ensuing window, click the Save As button to save a copy of the log.
Copy and paste that log in your next reply.

Note: You must use only 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

The reports from VirusTotal.
The log from the BlackLight scan.
The log from the GMER scan.
The log from the SREng scan.
The log from the Active Virus Shield scan.
A new ComboFix log.
A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

monty.henderson · 04-19-2007, 07:48 AM

I normally have AVG running on that machine, when I got the blue screen, shut down, and let the system send a report to MS they came back with the virus name and suggested I try their system maintenance product. I uninstalled AVG and attempted to install the MS product.....crashing the system on several attempts. I tried to reinstall the AVG which appeared to install normallu but was not there when I looked for the folder. I will try the product you recomend and run the scans you suggest this evening.

Sempurna · 04-19-2007, 08:30 AM

Hi Monty,

No worries, Monty. AVS is a much, much better product than either AVG or the MS anti-virus.

Stay in touch,
~ Sempurna

monty.henderson · 04-20-2007, 07:21 PM

Here is the HijackThis log and the others are attached.....I cannot locate the AVS log.....

Logfile of HijackThis v1.99.1
Scan saved at 4:41:49 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [The Rush Limbaugh Show] C:\Program Files\Rush 24-7 Media Center\Rush 24-7 Media Center.exe /noopen
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://sbs03/connectcomputer/nshelp.dll
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://216.229.173.248/Remote/msrdp.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

monty.henderson · 04-20-2007, 07:33 PM

Sorry the last HijackThis log was not the most recent.....here it is.

Sempurna · 04-23-2007, 05:22 AM

Hi Monty,

I'm sorry for my late reply. I haven't had any Internet connection for the last 4 days!

Nothing suspicious in those logs, although the SREng log looks like it didn't run properly. Did you have trouble running SREng?

There doesn't seem to be any indication of the Rustock rootkit in your system. Do you still get any warnings about it? And, if you do, can you give me some detailed information on the warning?

monty.henderson · 04-23-2007, 10:57 AM

The system seems to be running normally now. All of the scans except the SRE appeared to run normally, that is why I attached the file KZTechsAppErr.TXT....the app simply would not run.

It looks to me like the problem has been resolved.....

Thank you for all of the help!

Monty

04-19-2007, 07:48 AM	#4 (permalink)
monty.henderson Registered User Join Date: Apr 2007 Posts: 10 OS: win xp pro	Re: win32/rustock.gen!c I normally have AVG running on that machine, when I got the blue screen, shut down, and let the system send a report to MS they came back with the virus name and suggested I try their system maintenance product. I uninstalled AVG and attempted to install the MS product.....crashing the system on several attempts. I tried to reinstall the AVG which appeared to install normallu but was not there when I looked for the folder. I will try the product you recomend and run the scans you suggest this evening.

04-19-2007, 08:30 AM	#5 (permalink)
Sempurna Analyst, Security Team; Assistant Rangemaster, TSF Academy Join Date: Sep 2006 Posts: 1,302 OS: Windows XP SP2	Re: win32/rustock.gen!c Hi Monty, No worries, Monty. AVS is a much, much better product than either AVG or the MS anti-virus. Stay in touch, ~ Sempurna __________________ Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support. Donation link for Tech Support Forum

04-23-2007, 05:22 AM	#8 (permalink)
Sempurna Analyst, Security Team; Assistant Rangemaster, TSF Academy Join Date: Sep 2006 Posts: 1,302 OS: Windows XP SP2	Re: win32/rustock.gen!c Hi Monty, I'm sorry for my late reply. I haven't had any Internet connection for the last 4 days! Nothing suspicious in those logs, although the SREng log looks like it didn't run properly. Did you have trouble running SREng? There doesn't seem to be any indication of the Rustock rootkit in your system. Do you still get any warnings about it? And, if you do, can you give me some detailed information on the warning? __________________ Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support. Donation link for Tech Support Forum

04-23-2007, 10:57 AM	#9 (permalink)
monty.henderson Registered User Join Date: Apr 2007 Posts: 10 OS: win xp pro	Re: win32/rustock.gen!c The system seems to be running normally now. All of the scans except the SRE appeared to run normally, that is why I attached the file KZTechsAppErr.TXT....the app simply would not run. It looks to me like the problem has been resolved..... Thank you for all of the help! Monty