TechTalkz.com Technology & Computer Troubleshooting Forums - View Single Post - Re: repeated crashes and failure to update ... is this Win32/Rustock.g

28-08-2007, 01:13 PM

Peter
Thanks have now downloaded and run rustbfix.exe. It did indeed reboot twice
and generated two logs pasted below. Perhaps you can decipher for me? I'm
not sure if it indicates there was an infection or not.
Richard

*********************** Rustock.b-fix v. 1.01 -- By ejvindh
*************************
16/08/2007 21:57:55.34

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 53934
Total size: 53934 bytes.
Attempting to remove ADS...
system32: deleted 53934 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\ycywykmr

*******************

Script file located at: \??\C:\WINDOWS\system32\oqtpyoft.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

"Peter Foldes" wrote:

>
> Sorry I forgot the link for the rustbfix.exe
>
> http://www.uploads.ejvindh.net/rustbfix.exe
>
> --
> Peter
>
> Please Reply to Newsgroup for the benefit of others
> Requests for assistance by email can not and will not be acknowledged.
>
> "Peter Foldes" <okf22@hotmail.com> wrote in message news:%23ER9WaA4HHA.5740@TK2MSFTNGP03.phx.gbl...
> Download - rustbfix.exe and save it to your desktop.
>
> If a Rustock.b-infection is found, you will be asked to reboot the computer.
>
> After when you reboot it will take some time for the Desktop to come up. You might need to reboot 2 times , depending.
>
> When the desktop will come up you will have 1-2 logfiles that will show up for you. The infection should be gone. If not post those log files here.
>
>
> --
> Peter
>
> Please Reply to Newsgroup for the benefit of others
> Requests for assistance by email can not and will not be acknowledged.
>
> "TaurArian [MS-MVP]" <taurarianREMOVECAPS@gmail.com> wrote in message news:eliUBM$3HHA.3400@TK2MSFTNGP03.phx.gbl...
> >
> >
> > "Richard Henderson" <RichardHenderson@discussions.microsoft.com> wrote in message
> > news:23E8EE0D-6ACA-4D89-9598-6EFBD760C99D@microsoft.com...
> > | Apologies if this appears twice - had a crash just as I first posted re this!
> > | Running XP, have had a frustrating few weeks with repeated random crashes,
> > | BSOD etc. Twice I couldn't boot at all and repaired (not quite a reinstall)
> > | using the CD supplied. After some of the crashes got the error report from
> > | MS that I was infected with Win32/Rustock.gen!C, and directing me to an
> > | online scan that always crashed before completing, although several complete
> > | and up to date McAfee scans have found nothing.
> > | Possibly related to this I have had major problems with updates downloading
> > | but not installing. For a week or so I kept getting the message that Update
> > | installer 3.1 (I think ... from memory) could not be installed. I Googled re
> > | this and found a workaround via regedit and did install the update installer,
> > | after which a number of other updates could be installed, but now no longer.
> > | It keeps hanging when trying to install IE7 (I currently have IE6), and I
> > | need to ctrl/alt/delete out of it. Even when I try a custom install without
> > | IE7 it still doesn't complete installation, and is currently frozen - I am
> > | posting this on another computer provided by work.
> > | I am normally a patient man, but am sorely tempted to throw a brick at the
> > | computer. Some unkind colleagues have suggested I install Linux, but I feel
> > | I am only moderately computer literate and not really sufficient of a nerd to
> > | do this.
> > | Any relatively simple solutions? Or would the simplest and easiest solution
> > | be to reinstall Windows and start again? - I have backed up all essential
> > | files so this wouldn't be a total disaster.
> > | HELP!
> >
> >
> >
> > What concerns me is "Win32/Rustock.gen!C"
> >
> > xposted to security.virus for convenience.
> >
> > Security - Viruses
> > OE client -
> > news://msnews.microsoft.com/microsof...security.virus
> > or
> >
> > Web client -
> > http://www.microsoft.com/technet/com...security.virus
> >
> >
> > --
> > ====================================
> > TaurArian [MS-MVP] 2005-2008 - Australia
> > ====================================
> > How to make a good post: http://www.dts-l.org/goodpost.htm
> > Defending your machine: http://defendingyourmachine2.blogspot.com/
> > http://taurarian.mvps.org/index.htm
> >
> > Emails will not be acknowledged - please post to the newsgroup so all may benefit.
> >
> >
>

28-08-2007, 01:13 PM	#6
Richard Henderson Guest Posts: n/a	Re: repeated crashes and failure to update ... is this Win32/Rusto Peter Thanks have now downloaded and run rustbfix.exe. It did indeed reboot twice and generated two logs pasted below. Perhaps you can decipher for me? I'm not sure if it indicates there was an infection or not. Richard ********************* Rustock.b-fix v. 1.01 -- By ejvindh ********************* 16/08/2007 21:57:55.34 *************** Pre-run Status of system *************** Rootkit driver PE386 is found. Starting the unload-procedure.... Rustock.b-ADS attached to the System32-folder: :lzx32.sys 53934 Total size: 53934 bytes. Attempting to remove ADS... system32: deleted 53934 bytes in 1 streams. Looking for Rustock.b-files in the System32-folder: No Rustock.b-files found in system32 *************** Post-run Status of system *************** Rustock.b-driver on the system: NONE! Rustock.b-ADS attached to the System32-folder: No System32-ADS found. Looking for Rustock.b-files in the System32-folder: No Rustock.b-files found in system32 *************************** End of Logfile Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Service s\ycywykmr *************** Script file located at: \??\C:\WINDOWS\system32\oqtpyoft.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: Driver PE386 unloaded successfully. Program C:\Rustbfix\2run.bat successfully set up to run once on reboot. Completed script processing. ***************** Finished! Terminate. "Peter Foldes" wrote: > > Sorry I forgot the link for the rustbfix.exe > > http://www.uploads.ejvindh.net/rustbfix.exe > > -- > Peter > > Please Reply to Newsgroup for the benefit of others > Requests for assistance by email can not and will not be acknowledged. > > "Peter Foldes" <okf22@hotmail.com> wrote in message news:%23ER9WaA4HHA.5740@TK2MSFTNGP03.phx.gbl... > Download - rustbfix.exe and save it to your desktop. > > If a Rustock.b-infection is found, you will be asked to reboot the computer. > > After when you reboot it will take some time for the Desktop to come up. You might need to reboot 2 times , depending. > > When the desktop will come up you will have 1-2 logfiles that will show up for you. The infection should be gone. If not post those log files here. > > > -- > Peter > > Please Reply to Newsgroup for the benefit of others > Requests for assistance by email can not and will not be acknowledged. > > "TaurArian [MS-MVP]" <taurarianREMOVECAPS@gmail.com> wrote in message news:eliUBM$3HHA.3400@TK2MSFTNGP03.phx.gbl... > > > > > > "Richard Henderson" <RichardHenderson@discussions.microsoft.com> wrote in message > > news:23E8EE0D-6ACA-4D89-9598-6EFBD760C99D@microsoft.com... > > \| Apologies if this appears twice - had a crash just as I first posted re this! > > \| Running XP, have had a frustrating few weeks with repeated random crashes, > > \| BSOD etc. Twice I couldn't boot at all and repaired (not quite a reinstall) > > \| using the CD supplied. After some of the crashes got the error report from > > \| MS that I was infected with Win32/Rustock.gen!C, and directing me to an > > \| online scan that always crashed before completing, although several complete > > \| and up to date McAfee scans have found nothing. > > \| Possibly related to this I have had major problems with updates downloading > > \| but not installing. For a week or so I kept getting the message that Update > > \| installer 3.1 (I think ... from memory) could not be installed. I Googled re > > \| this and found a workaround via regedit and did install the update installer, > > \| after which a number of other updates could be installed, but now no longer. > > \| It keeps hanging when trying to install IE7 (I currently have IE6), and I > > \| need to ctrl/alt/delete out of it. Even when I try a custom install without > > \| IE7 it still doesn't complete installation, and is currently frozen - I am > > \| posting this on another computer provided by work. > > \| I am normally a patient man, but am sorely tempted to throw a brick at the > > \| computer. Some unkind colleagues have suggested I install Linux, but I feel > > \| I am only moderately computer literate and not really sufficient of a nerd to > > \| do this. > > \| Any relatively simple solutions? Or would the simplest and easiest solution > > \| be to reinstall Windows and start again? - I have backed up all essential > > \| files so this wouldn't be a total disaster. > > \| HELP! > > > > > > > > What concerns me is "Win32/Rustock.gen!C" > > > > xposted to security.virus for convenience. > > > > Security - Viruses > > OE client - > > news://msnews.microsoft.com/microsof...security.virus > > or > > > > Web client - > > http://www.microsoft.com/technet/com...security.virus > > > > > > -- > > ==================================== > > TaurArian [MS-MVP] 2005-2008 - Australia > > ==================================== > > How to make a good post: http://www.dts-l.org/goodpost.htm > > Defending your machine: http://defendingyourmachine2.blogspot.com/ > > http://taurarian.mvps.org/index.htm > > > > Emails will not be acknowledged - please post to the newsgroup so all may benefit. > > > > >