WiredWX Hobby Weather ToolsLog in

 


descriptionSolvedTroj/Rustok-N

more_horiz
HiJackThis log - running MalwareBytes found 2 so far


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:16 PM, on 18/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\Tay\LOCALS~1\Temp\RarSFX1\jc_all.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\Tay\LOCALS~1\Temp\RarSFX1\jc_link.htm
O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://www.earthcaller.com/VaxSIPUserAgentCAB.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-IE/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/keycrypt/neowiz/npkcx_inca.cab
O20 - AppInit_DLLs: C:\ProgramFiles\RelevantKnowledge\rlai.dllC:\ProgramFiles\RelevantKnowledge\rlai.dllC:\ProgramFiles\RelevantKnowledge\rlai.dllC:\ProgramFiles\RelevantKnowledge\rlai.dllC:\ProgramFiles\RelevantKnowledge\rlai.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: RuneScape - the massive online adventure game by Jagex Ltd - http://www.runescape.com/
O24 - Desktop Component 2: Play Games, Free Online Games at AddictingGames - http://www.addictinggames.com/

descriptionSolvedRe: Troj/Rustok-N

more_horiz

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)
    O20 - AppInit_DLLs: C:\ProgramFiles\RelevantKnowledge\rlai.dllC:\ProgramFiles\RelevantKnowledge\rlai.dllC:\ProgramFiles\RelevantKnowledge\rlai.dllC:\ProgramFiles\RelevantKnowledge\rlai.dllC:\ProgramFiles\RelevantKnowledge\rlai.dll


  • Press "Fix Checked"
  • Close Hijack This.


Delete this folder in bold:
C:\Program Files\Relevant Knowledge

Lets scan with MBAM again.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionSolvedRe: Troj/Rustok-N

more_horiz
Malwarebytes' Anti-Malware 1.33
Database version: 1665
Windows 5.1.2600 Service Pack 3

18/01/2009 2:51:15 PM
mbam-log-2009-01-18 (14-51-15).txt

Scan type: Quick Scan
Objects scanned: 56841
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Somefox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc9lej0ej2n (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqpdxwowqghvk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxddkmemdh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\tempo-907.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-CD5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

descriptionSolvedRe: Troj/Rustok-N

more_horiz
Lets see what's left.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

descriptionSolvedRe: Troj/Rustok-N

more_horiz
DDS (Ver_09-01-07.01) - NTFSx86
Run by Tay at 14:54:46.31 on 18/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.638 [GMT -6:00]

FW: COMODO Firewall Pro *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tay\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
uInternet Settings,ProxyOverride = *.local
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: MemCheckBoxInRunDlg = 0 (0x0)
uPolicies-explorer: NoStrCmpLogical = 0 (0x0)
mPolicies-explorer: NoChangeAnimation = 0 (0x0)
mPolicies-explorer: NoStrCmpLogical = 0 (0x0)
mPolicies-system: RunStartupscriptSync = 1 (0x1)
IE: &Download All with Rapidshare Downloader - c:\docume~1\tay\locals~1\temp\rarsfx1\jc_all.htm
IE: &Download with Rapidshare Downloader - c:\docume~1\tay\locals~1\temp\rarsfx1\jc_link.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tay\applic~1\mozilla\firefox\profiles\5ovgsh31.default\
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\tay\application data\mozilla\firefox\profiles\5ovgsh31.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07083161.dll
FF - plugin: c:\documents and settings\tay\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]
R4 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-28 54960]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\shldrv51.sys --> c:\windows\system32\drivers\ShlDrv51.sys [?]
S3 HIDKbFlt;Dritek USB Keyboard HID Filter;c:\windows\system32\drivers\HIDKbFlt.sys [2004-12-13 21120]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-5-17 25088]
S3 XDva193;XDva193;\??\c:\windows\system32\xdva193.sys --> c:\windows\system32\XDva193.sys [?]
S4 HamachiService;Hamachi Service;c:\program files\hamachi\hamachi.exe [2008-11-29 625952]
S4 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]
S4 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-01-18 14:38 --d----- c:\program files\Trend Micro
2009-01-14 22:20 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-14 18:38 --d----- c:\documents and settings\tay\.housecall6.6
2009-01-11 22:42 117 a------- c:\windows\vdj.eq
2009-01-11 22:38 2,314,332 a------- c:\windows\system32\LIBMMD.DLL
2009-01-11 22:38 --d----- c:\program files\VDJ5
2009-01-11 01:05 55,856 a----r-- c:\windows\system32\vnetinst.dll
2009-01-11 01:05 16,560 a----r-- c:\windows\system32\drivers\vmnetadapter.sys
2009-01-11 01:04 326,192 a------- c:\windows\system32\vmnetdhcp.exe
2009-01-11 01:04 399,920 a------- c:\windows\system32\vmnat.exe
2009-01-11 01:04 26,288 a------- c:\windows\system32\drivers\vmnetuserif.sys
2009-01-11 01:04 50,736 a----r-- c:\windows\system32\vmnetbridge.dll
2009-01-11 01:04 31,280 a----r-- c:\windows\system32\drivers\vmnetbridge.sys
2009-01-11 01:04 18,736 a----r-- c:\windows\system32\drivers\vmnet.sys
2009-01-11 01:04 723,504 a------- c:\windows\system32\vnetlib.dll
2009-01-11 01:04 23,216 a------- c:\windows\system32\drivers\VMkbd.sys
2009-01-11 01:01 --d----- c:\program files\VMware
2009-01-04 20:15 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-04 20:15 1,409 a------- c:\windows\QTFont.for
2009-01-04 01:01 8,627 a------- c:\windows\system32\PAV_FOG.OPC
2009-01-04 00:52 --d----- c:\docume~1\alluse~1\applic~1\Backup
2009-01-03 23:19 --d----- c:\docume~1\alluse~1\applic~1\sentinel
2009-01-03 23:19 --d----- c:\program files\Panda Security
2009-01-03 22:50 1,236 a------- c:\windows\system32\ealregsnapshot1.reg
2009-01-02 15:22 225,280 a------- c:\windows\system32\rewire.dll
2009-01-02 15:22 --d----- c:\program files\VstPlugins
2009-01-02 15:22 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-01-02 15:21 --d----- c:\program files\Outsim
2009-01-02 15:20 --d----- c:\program files\Image-Line
2009-01-02 02:24 --d----- C:\Downloads
2009-01-02 02:24 --d----- c:\program files\Orbitdownloader
2008-12-31 15:07 --d----- c:\program files\DsNET Corp
2008-12-28 22:30 2,174,976 a------- c:\windows\system32\ffdshow.ax
2008-12-28 22:30 200,704 a------- c:\windows\system32\TomsMoComp_ff.dll
2008-12-28 22:30 34,820 a------- c:\windows\system32\ffdshow.reg
2008-12-28 22:30 3,049,984 a------- c:\windows\system32\libavcodec.dll
2008-12-28 22:30 404,480 a------- c:\windows\system32\libmplayer.dll
2008-12-28 22:30 114,688 a------- c:\windows\system32\libmpeg2_ff.dll
2008-12-28 22:30 516,096 a------- c:\windows\system32\CLVSDS.ax
2008-12-28 22:30 348,160 a------- c:\windows\system32\cdga.dll
2008-12-28 22:30 364,544 a------- c:\windows\system32\cdg.dll
2008-12-26 16:34 517,286,102 a------- C:\M4V11114.mp4
2008-12-26 16:29 --d----- C:\ProgramData
2008-12-26 01:03 2,855 a------- c:\windows\system32\Standby.PIF
2008-12-26 00:31 --d----- c:\docume~1\tay\applic~1\Xilisoft Corporation
2008-12-26 00:17 3,314,630 a------- C:\Magic School Bus.mp4
2008-12-26 00:16 --d----- c:\program files\AviSynth 2.5
2008-12-26 00:16 --d----- c:\program files\Red Kawa
2008-12-26 00:15 --d----- C:\OpenCandy

==================== Find3M ====================

2009-01-17 23:35 34 a------- c:\documents and settings\tay\jagex_runescape_preferences.dat
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-05 20:59 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-29 21:06 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2008-11-22 22:48 716,272 a------- c:\windows\system32\drivers\sptd.sys
2008-11-02 22:46 13,660 a---h--- c:\windows\system32\mlfcache.dat
2008-10-28 18:45 248,368 a------- c:\windows\system32\vmnc.dll
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-06-27 20:45 87,608 a------- c:\docume~1\tay\applic~1\inst.exe
2008-06-27 20:45 47,360 a------- c:\docume~1\tay\applic~1\pcouffin.sys
2008-04-28 20:46 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-04-16 14:17 1,015,808 a------- c:\documents and settings\tay\WOWMimic.exe
2008-04-16 14:16 462,848 a------- c:\documents and settings\tay\Melete.dll
2008-04-09 10:44 81,920 a------- c:\documents and settings\tay\Launcher.exe
2008-04-09 10:44 77,824 a------- c:\documents and settings\tay\AutoUpdate.exe
2008-06-19 16:19 80 ---shr-- c:\windows\system32\2171035541.dll
2008-05-30 22:16 56 ---shr-- c:\windows\system32\2171035541.sys
2008-05-30 22:18 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 14:55:16.70 ===============

descriptionSolvedRe: Troj/Rustok-N

more_horiz
Looks okay, what problems remain?

descriptionSolvedRe: Troj/Rustok-N

more_horiz
nothing not getting the message anymore and i can access google and malwarebytes.org now thanks Big Grin

descriptionSolvedRe: Troj/Rustok-N

more_horiz
We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. Big Grin

descriptionSolvedRe: Troj/Rustok-N

more_horiz
Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

descriptionSolvedRe: Troj/Rustok-N

more_horiz
Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

descriptionSolvedRe: Troj/Rustok-N

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum