WiredWX Christian Hobby Weather Tools
Troj/Rustok-N help with removing please

3 posters

I went to a website, and then this just happened today. It says:

Your computer (IP: 24.99.122.24) generates an attacking DOS requests at our servers caused by the spyware/virus named 'Troj/Rustok-N'

We cannot provide you with an access to our content for browsing purposes as it will lead to the inevitable crush of our website.

We strongly recommend you to run your antivirus edition and, if necessary, check it for the latest updates available.

You may also download recommended software, which has been approved by a number of our surfers who encountered the same problem and used this software to overcome it.

We apologize for the inconvenience, and hope we'll see you again

Find more comments on the software at: aumhaphpbb.com

Thanks if you can help.

Re: Troj/Rustok-N help with removing please
Please read here and post a Hijack This log.

http://www.geekpolice.net/malware-removal-hijackthis-logs-f11/read-this-before-posting-t3821.htm

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Troj/Rustok-N help with removing please
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:01 PM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Documents and Settings\user\Desktop\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - (no file)
O2 - BHO: (no name) - {38928D50-8A48-44C2-945F-D2F23F771410} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {62EED7C6-9F02-42f9-B634-98E2899E147B} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {850B69E4-90DB-4F45-8621-891BF35A5B53} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F166BC04-3C84-44cc-A6E9-2315EC4844B9} - (no file)
O2 - BHO: (no name) - {FE3ECAE7-0A37-4506-8A7D-3CC9A04D2CA8} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SCFTrayStartUp] C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: ????? - {13b0c05c-ef05-4bf6-b0ea-f6111af25544} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ???? - {DE607143-AC19-423e-865A-5D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: ???? - {DE607143-AC19-423e-865A-5D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: https://www.youtube.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter hijack: text/html - {F2BEF1B0-6B22-4697-B101-9E571EC73871} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Client Firewall - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
O23 - Service: Sophos Client Firewall Manager - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe

--
End of file - 5359 bytes

Re: Troj/Rustok-N help with removing please
Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - (no file)
    O2 - BHO: (no name) - {38928D50-8A48-44C2-945F-D2F23F771410} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {62EED7C6-9F02-42f9-B634-98E2899E147B} - (no file)
    O2 - BHO: (no name) - {850B69E4-90DB-4F45-8621-891BF35A5B53} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {F166BC04-3C84-44cc-A6E9-2315EC4844B9} - (no file)
    O2 - BHO: (no name) - {FE3ECAE7-0A37-4506-8A7D-3CC9A04D2CA8} - (no file)
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: ???? - {DE607143-AC19-423e-865A-5D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
    O9 - Extra 'Tools' menuitem: ???? - {DE607143-AC19-423e-865A-5D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: https://www.youtube.com
    O18 - Filter hijack: text/html - {F2BEF1B0-6B22-4697-B101-9E571EC73871} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.


Delete this file in bold:
C:\WINDOWS\system32\cfrog.exe

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

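The entries the helper ticked above share a handful of patterns: a COM registration whose file is gone, a Run value named after its own path, a site added to the Trusted Zone, and a text/html filter. Encoding those as rules gives a triage script for HijackThis-style logs; this is an added example, not a GeekPolice or HijackThis tool, and it runs on a constructed excerpt of the log posted in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not a forum tool).

The rules below encode the pattern behind the entries the helper asked the
poster to "Fix Checked": orphaned COM objects, a Run value named after its own
path, an added Trusted Zone site and a text/html filter hijack.
"""
import re

# Constructed excerpt of the log posted in the thread, with one clean entry
# of each kind kept so the rules have something to leave alone.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: https://www.youtube.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter hijack: text/html - {F2BEF1B0-6B22-4697-B101-9E571EC73871} - (no file)
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entries(text):
    """Yield (section, body) for every 'Rn - ...' / 'On - ...' line, skipping
    the header and the running-process listing."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def classify(section, body):
    """Return a reason string if the entry should be reviewed, else None."""
    # Rule 1: a registered COM object whose DLL is gone. Dead weight at best,
    # a slot for a future hijack at worst, so the helper removes them all.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "orphaned registration"
    # Rule 2: an autostart whose value name is its own full path, as cfrog.exe was.
    if section == "O4":
        m = RUN_RE.search(body)
        if m and re.match(r"^[A-Za-z]:\\", m.group("name")):
            return "Run value named after its own path"
    # Rule 3: sites added to the Trusted Zone run with relaxed IE security.
    if section == "O15":
        return "site added to Trusted Zone"
    # Rule 4: a MIME filter on text/html intercepts every page rendered.
    if section == "O18":
        return "text/html filter hijack"
    return None


def triage(text):
    """Return the list of (section, body, reason) entries to fix."""
    out = []
    for section, body in parse_entries(text):
        reason = classify(section, body)
        if reason:
            out.append((section, body, reason))
    return out


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {section} - {body}")
```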

Re: Troj/Rustok-N help with removing please

Can I do something else while Malwarebytes' Anti-Malware is scanning?

Re: Troj/Rustok-N help with removing please
Yeah.
You can surf the net, but be careful what you surf, don't make this infection worse.


Re: Troj/Rustok-N help with removing please

Like, what kind of surfing can make it worse?

Re: Troj/Rustok-N help with removing please

And I already downloaded Malwarebytes' Anti-Malware... do I open it and do a quick scan?

Re: Troj/Rustok-N help with removing please
Yes, quick scan please.
Just don't surf porn/torrents or anything dangerous.


Re: Troj/Rustok-N help with removing please

What if I went to this site to watch a movie, called www.movie6.net, and near the link to the movie it shows pictures of porn... will that be anything dangerous?

Re: Troj/Rustok-N help with removing please
Yes, that's okay, they only link to sites like megavideo.


Re: Troj/Rustok-N help with removing please

But some are like zshare... oh well.

Re: Troj/Rustok-N help with removing please
Yes, don't download from zshare, you can do that once this is clean.
Standing by for MBAM scan.


Re: Troj/Rustok-N help with removing please

Also, for the file cfrog.exe, I think it was deleted by HijackThis.

Re: Troj/Rustok-N help with removing please

OK, I'm done scanning. Here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

1/2/2009 2:32:49 PM
mbam-log-2009-01-02 (14-32-49).txt

Scan type: Quick Scan
Objects scanned: 44664
Time elapsed: 43 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


What do I do next?

Re: Troj/Rustok-N help with removing please
Hello.
MBAM came back clean, let's see if there's any malware left on this machine.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste the report back here.


Re: Troj/Rustok-N help with removing please

I've got a question. I'm using Firefox, and when I do something, like go to a website or open up stuff in Firefox... there's always this advertisement that pops up.

Re: Troj/Rustok-N help with removing please
Okay.
Please run DDS.


Re: Troj/Rustok-N help with removing please

DDS.txt:

\Malwarebytes
2008-12-29 23:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-29 23:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 23:06 --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 23:06 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-29 22:52 17,163 a------- c:\windows\system32\threat927y.d01
2008-12-29 22:52 14,055 a------- c:\windows\system32\cookies888.rar
2008-12-29 22:52 12,560 a------- c:\windows\system32\resource897.rar
2008-12-29 22:52 12,004 a------- c:\windows\system32\soap905.rar
2008-12-29 22:52 10,510 a------- c:\windows\system32\392.ace
2008-12-29 22:52 9,953 a------- c:\windows\system32\922base.ace
2008-12-29 22:52 8,459 a------- c:\windows\system32\cookies931.ace
2008-12-29 22:52 5,350 a------- c:\windows\system32\data037D.pk1
2008-12-29 22:52 3,856 a------- c:\windows\system32\resource901.pk1
2008-12-29 22:52 3,299 a------- c:\windows\system32\38e.d01
2008-12-29 22:52 2,743 a------- c:\windows\system32\user918.d01
2008-12-29 19:18 18,288 a------- c:\windows\system32\wtl_dt545.zip
2008-12-20 21:16 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-20 19:54 --d----- c:\windows\.file_store_32
2008-12-20 12:35 --d----- c:\documents and settings\user\dwhelper
2008-12-20 11:14 --d----- c:\program files\SwiftKit
2008-12-20 11:02 --d----- c:\docume~1\alluse~1\applic~1\SwiftSwitch
2008-12-18 18:56 --d----- c:\windows\system32\msmq
2008-12-12 11:52 --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-12-09 22:07 24,288 a---h--- c:\windows\system32\mlfcache.dat
2008-12-09 17:12 --d----- c:\windows\SxsCaPendDel
2008-12-06 19:36 94,208 a------- c:\windows\ScUnin.exe
2008-12-06 19:36 35,382 a------- c:\windows\scunin.dat
2008-12-06 19:36 967 a------- c:\windows\ScUnin.pif

==================== Find3M ====================

2009-01-02 10:52 31 a------- c:\documents and settings\user\jagex_runescape_preferences.dat
2008-12-29 22:51 22,016 a------- c:\windows\system32\rasha.exe
2008-12-29 19:18 3,486 a------- c:\windows\system32\uninstall30f.zip
2008-11-18 17:05 3,715 a------- c:\windows\system32\cid_store.dat
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-05 22:11 917,032 a------- c:\windows\system32\WgaTray.back.exe
2008-11-05 20:23 319,488 a------- c:\windows\HideWin.exe
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll

============= FINISH: 14:50:11.14 ===============

And Attach.txt:

\msscript.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 1.0.0.18000, the version of the system file is 1.0.0.8820.
12/28/2008 8:57:54 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\wshom.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.7.0.18068, the version of the system file is 5.6.0.8820.
12/28/2008 12:54:30 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file msscript.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 1.0.0.18000, the version of the system file is 1.0.0.8820.
12/28/2008 12:54:30 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file wshom.ocx. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.7.0.18068, the version of the system file is 5.6.0.8820.
12/31/2008 9:53:02 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file dmadmin.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2600.2180.503.0.
12/31/2008 9:53:02 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file dmremote.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2600.2180.503.0.
12/31/2008 9:53:21 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\dmadmin.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2600.2180.503.0.

==== End Of File ===========================
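The system32 entries in the DDS listing above carry archive or oddly named extensions (.rar, .ace, .pk1, .d01, .zip) and most share the same creation minute. The following added example (not part of DDS or the forum's tooling) parses that listing format and surfaces both signals; its input is a constructed excerpt of the log posted above.

```python
"""Spot a drop burst in a DDS file listing (added example, not part of DDS).

DDS lists recently created files as `date time size attributes path`. A
dropper tends to write a clutch of oddly named files into system32 within the
same minute, which is what the posted listing shows at 22:52.
"""
import re
from collections import defaultdict

# Constructed excerpt from the DDS.txt posted above; names and sizes as posted.
SAMPLE_DDS = r"""
2008-12-29 23:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-29 23:06 --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 22:52 17,163 a------- c:\windows\system32\threat927y.d01
2008-12-29 22:52 14,055 a------- c:\windows\system32\cookies888.rar
2008-12-29 22:52 12,560 a------- c:\windows\system32\resource897.rar
2008-12-29 22:52 10,510 a------- c:\windows\system32\392.ace
2008-12-29 22:52 5,350 a------- c:\windows\system32\data037D.pk1
2008-12-29 22:51 22,016 a------- c:\windows\system32\rasha.exe
2008-12-29 19:18 18,288 a------- c:\windows\system32\wtl_dt545.zip
2008-12-20 21:16 221,184 a------- c:\windows\system32\wmpns.dll
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
"""

# Directory entries have no size column, hence the optional size group.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Extensions that have no business sitting directly in system32.
ODD_EXTS = {"rar", "ace", "zip", "pk1", "d01"}


def parse_dds(text):
    """Return one dict per listing line; directories keep size None."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        rows.append({
            "when": f"{m.group('date')} {m.group('time')}",
            "size": int(size.replace(",", "")) if size else None,
            "is_dir": "d" in m.group("attrs"),
            "path": m.group("path").lower(),
        })
    return rows


def odd_system32_files(rows):
    """Files placed directly in system32 (not a subdirectory) with an odd extension."""
    hits = []
    for r in rows:
        if r["is_dir"] or "\\system32\\" not in r["path"]:
            continue
        tail = r["path"].split("\\system32\\", 1)[1]
        if "\\" in tail:  # skip subdirectories such as drivers\
            continue
        ext = tail.rsplit(".", 1)[-1] if "." in tail else ""
        if ext in ODD_EXTS:
            hits.append(r)
    return hits


def drop_bursts(rows, min_files=3):
    """Group file rows by creation minute; return minutes with >= min_files new files."""
    by_minute = defaultdict(list)
    for r in rows:
        if not r["is_dir"]:
            by_minute[r["when"]].append(r["path"])
    return {k: v for k, v in by_minute.items() if len(v) >= min_files}


if __name__ == "__main__":
    rows = parse_dds(SAMPLE_DDS)
    for r in odd_system32_files(rows):
        print("odd extension:", r["when"], r["path"])
    for minute, paths in drop_bursts(rows).items():
        print(f"drop burst at {minute}: {len(paths)} files")
```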

Re: Troj/Rustok-N help with removing please

Okay, let's check for a rootkit.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.


Re: Troj/Rustok-N help with removing please

I've got a problem when I click Scan in GMER.exe. When it was scanning, something popped up saying this:

WARNING!!!!
GMER has found system modification, which might have been caused by ROOTKIT activity. Do you want to fully scan your system?

Re: Troj/Rustok-N help with removing please
Yes, we need to find the rootkit and remove it.


Re: Troj/Rustok-N help with removing please

Okay, doing a full scan.

Re: Troj/Rustok-N help with removing please
If the log turns out to be huge, upload it here:
sendspace.com


Re: Troj/Rustok-N help with removing please

When I click Copy, it says it was copied to the clipboard.

Re: Troj/Rustok-N help with removing please
Copy all of it to a notepad file and save it somewhere, like your desktop.
Then if it's small, post it here. If not, upload it at sendspace.com


Re: Troj/Rustok-N help with removing please

For the sendspace thing, it needs the recipient e-mail...

Re: Troj/Rustok-N help with removing please

No it doesn't; it says (optional).
Leave the optionals blank.


Re: Troj/Rustok-N help with removing please

Nope... it's too big.

Re: Troj/Rustok-N help with removing please

Oh okay, sorry, didn't see it.

Re: Troj/Rustok-N help with removing please

So all I do is upload it, and how are you gonna get it?

Re: Troj/Rustok-N help with removing please
When you upload it, it gives you a URL to use.


Re: Troj/Rustok-N help with removing please

Address not found, can't find the server. Can't upload because of this.

Re: Troj/Rustok-N help with removing please
Okay, look through the log yourself, probably down the bottom of the log somewhere, there might be a line that says this:

"<--- ROOTKIT !!!!"

If there is, please let me know.


Re: Troj/Rustok-N help with removing please

OK, I fixed the problem. It was my firewall.

Re: Troj/Rustok-N help with removing please

I'm uploading the text of the scan now.

Re: Troj/Rustok-N help with removing please

http://www.sendspace.com/file/k10k2w This is the download link.

Re: Troj/Rustok-N help with removing please

And by the way, is the ROOTKIT in red in the GMER scan?

Re: Troj/Rustok-N help with removing please

Hello.
Yes, there are in fact TWO rootkits we need to kill.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE. <== the first link may be blocked, so use the second link

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box blank.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Troj/Rustok-N help with removing please

Isn't it 6 rootkits we need to kill?

Re: Troj/Rustok-N help with removing please
I just had a brief look at the log and noticed two rootkits, if there's more, the avenger will take them down also.


Re: Troj/Rustok-N help with removing please

And so I check the box for "Scan for rootkits" and check the box "Disable any rootkits found"?

Re: Troj/Rustok-N help with removing please
Scan for rootkits should already be ticked.
Then tick the "Disable any rootkits found"

Then press the execute button.


Re: Troj/Rustok-N help with removing please

It says:
first step completed --- The Avenger has been successfully set up to run on next boot . reboot now?

yes no

Re: Troj/Rustok-N help with removing please
Yes.


Re: Troj/Rustok-N help with removing please

Okay, it's done... this is what it says:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "msqpdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\msqpdxntidbwuc.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

Re: Troj/Rustok-N help with removing please
Hello.
We need to delete the rootkit now.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
msqpdxserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\msqpdxntidbwuc.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Troj/Rustok-N help with removing please

What text contained in the code box? And what clipboard?

Re: Troj/Rustok-N help with removing please

Clipboard is what copy/paste is called in tech terms.
The code box above with the Drivers to delete/files to delete.


Re: Troj/Rustok-N help with removing please

So do I also copy and paste the "drivers to delete" and "files to delete" thing into the Avenger box?

Another question is, do I just copy and paste the file names and driver names above to delete into the Avenger box?
