Troj/Rustok-N need help removing it please [Closed]
awakenedsleepingbeauty
post Apr 27 2009, 10:01 PM
Post #1
New Member, Posts: 8, OS: Vista

I have been getting redirected to www.xalab.com on Yahoo and other various sites. I was told this virus is what I have! Please help.
I am on Vista.

I also want to say Malwarebytes' Anti-Malware... I cannot get to the site... it is blocked.

This post has been edited by awakenedsleepingbeauty: Apr 27 2009, 10:43 PM
Rorschach112
post Apr 28 2009, 06:43 AM
Post #2
GeekU Teacher, Posts: 35,115, From: Dublin, OS: XP

hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double-click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**
awakenedsleepingbeauty
post Apr 28 2009, 10:02 AM
Post #3
New Member, Posts: 8, OS: Vista

Won't let me use Combo-Fix because I have Vista and it's for 2000 and XP only.
Rorschach112
post Apr 28 2009, 12:25 PM
Post #4
GeekU Teacher, Posts: 35,115, From: Dublin, OS: XP

hello

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
awakenedsleepingbeauty
post Apr 28 2009, 04:10 PM
Post #5
New Member, Posts: 8, OS: Vista

It says there is a mismatch between the Windows kernel and the hardware scan... then I get a driver error.
Rorschach112
post Apr 28 2009, 05:37 PM
Post #6
GeekU Teacher, Posts: 35,115, From: Dublin, OS: XP

give this a whirl

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.
awakenedsleepingbeauty
post Apr 28 2009, 07:12 PM
Post #7
New Member, Posts: 8, OS: Vista

Attached File: GMER.txt (459 bytes)
here is my log!
Rorschach112
post Apr 29 2009, 07:05 AM
Post #8
GeekU Teacher, Posts: 35,115, From: Dublin, OS: XP

Can you try ComboFix again?

Also, if you have a router you need to reset it.
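The two symptoms reported in this thread, search results that redirect and a vendor site that cannot be reached, are what a rewritten hosts file or changed DNS servers produce; rogue DNS settings on the router are also the usual reason a helper asks for a router reset. The thread itself never says which mechanism was at work on this machine, so treat that as an assumption. The Python below is an added example, not code from the thread or from any of the tools named in it. It parses a hosts file and flags security-vendor domains that have been pinned to an address, flags any other hostname mapped to a non-loopback address, and checks a list of DNS servers against the networks you expect them in. The sample hosts file, the vendor domain list, the DNS addresses and the expected networks are all constructed for the example.

```python
import ipaddress
import os
import re

# Constructed list of vendor domains that hijacked hosts files of this era
# commonly pinned so the victim could not fetch a cleaning tool. Extend as needed.
WATCHED_DOMAINS = {
    "malwarebytes.org",
    "www.malwarebytes.org",
    "geekstogo.com",
    "www.geekstogo.com",
}

# Constructed sample hosts file: the Windows defaults followed by the kind of
# entries a tampered file contains (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       malwarebytes.org
203.0.113.10    www.yahoo.com   # search traffic sent to a stranger's host
"""

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = HOSTS_LINE.match(raw)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        for name in names:
            yield line_no, ip, name.lower()


def find_hosts_hijacks(text, watched=WATCHED_DOMAINS):
    """Return suspicious hosts entries as (line_no, ip, hostname, reason).

    Two things are suspicious: any entry at all for a watched vendor domain (a
    clean file never needs one, whatever address it points at), and any entry
    that maps a hostname other than localhost to a non-loopback address.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if name in watched:
            findings.append((line_no, ip, name, "security vendor domain pinned"))
        elif name != "localhost" and not addr.is_loopback:
            findings.append((line_no, ip, name, "redirect to non-loopback address"))
    return findings


def check_dns_servers(servers, expected_networks):
    """Return the DNS servers that fall outside every expected network."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return [s for s in servers if not any(ipaddress.ip_address(s) in n for n in nets)]


if __name__ == "__main__":
    # Read the live file on Windows; fall back to the constructed sample elsewhere.
    path = r"C:\Windows\System32\drivers\etc\hosts"
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, ip, name, reason in find_hosts_hijacks(text):
        print(f"hosts line {line_no}: {ip} -> {name}: {reason}")
    # Constructed DNS server list and expected networks; on Windows the live
    # values come from "ipconfig /all" and the router's own configuration page.
    rogue = check_dns_servers(["192.168.1.1", "203.0.113.53"], ["192.168.0.0/16", "10.0.0.0/8"])
    print("DNS servers outside expected networks:", rogue)
```

A DNS server outside your LAN or ISP range that you did not configure is worth checking on the router itself, which is why the reset advice matters even when the hosts file is clean; a machine that shares a building's wireless, as the poster does, cannot fix the router and can only set its own adapter to known-good resolvers.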
awakenedsleepingbeauty
post Apr 29 2009, 07:07 AM
Post #9
New Member, Posts: 8, OS: Vista

That actually took it off... I scanned again... and nothing... no annoying redirects.

I am in a college apartment building... I use wireless... so I cannot restart the router.

Update: actually tried ComboFix again... still same problem... Windows 2000 and XP only.

This post has been edited by awakenedsleepingbeauty: Apr 29 2009, 07:09 AM
Rorschach112
post Apr 29 2009, 07:10 AM
Post #10
GeekU Teacher, Posts: 35,115, From: Dublin, OS: XP

OK, well, can you try ComboFix anyway?
awakenedsleepingbeauty
post Apr 29 2009, 07:11 AM
Post #11
New Member, Posts: 8, OS: Vista

I did and got the same...

Incompatible... works with Windows 2000 and XP only.
Rorschach112
post Apr 29 2009, 07:16 AM
Post #12
GeekU Teacher, Posts: 35,115, From: Dublin, OS: XP

hello

  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\System32\antiwpa.dll
    %systemroot%\SYSTEM32\wpa.dll
    %systemroot%\setup\scripts\biestart.exe
    %systemroot%\system32\drivers\royal.sys
    %SYSTEMDRIVE%\*.
    %PROGRAMFILES%\*.
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

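The custom scan above asks OTListIt2 to dump the netsvcs group and the svchost key under HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost. A helper wants those because a service DLL loaded into a shared svchost.exe process is a common hiding place: the malware adds a service name to the netsvcs group and points that service's ServiceDll value at its own file, so the malicious code runs inside a process that looks like any other system host. The Python below is an added example, not OTListIt2's code and not a record of anything found on the poster's machine. Given the netsvcs list and each member's ServiceDll it flags members whose DLL lives outside the Windows system directories and installed members that have no ServiceDll at all; a group member that is not installed is normal and is skipped. The sample service names and paths are constructed, the system-root default is an assumption, and the optional winreg reader collects the same two inputs from a live Windows registry.

```python
import os
from pathlib import PureWindowsPath

try:
    import winreg  # only importable on Windows; the audit itself is pure Python
except ImportError:
    winreg = None

SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")  # assumption: default install path

# Constructed sample input. Names and paths are illustrative only and are not
# taken from the thread or from any real infection.
SAMPLE_NETSVCS = ["AppMgmt", "Browser", "Schedule", "wuauserv",
                  "ExampleSvc", "Ghost", "NotInstalledSvc"]
# service name -> ServiceDll value. None means the service key exists but has no
# Parameters\ServiceDll; a name absent from the dict means it is not installed.
SAMPLE_SERVICE_DLLS = {
    "AppMgmt": r"%SystemRoot%\System32\appmgmts.dll",
    "Browser": r"%SystemRoot%\System32\browser.dll",
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "wuauserv": r"%SystemRoot%\system32\wuauserv.dll",
    "ExampleSvc": r"C:\Users\Public\Temp\example.dll",  # constructed: DLL outside the system dirs
    "Ghost": None,                                       # constructed: installed, no ServiceDll
}


def _normalize(path):
    """Lower-case a Windows path and expand %SystemRoot%/%windir% so prefixes compare."""
    root = SYSTEM_ROOT.lower()
    p = path.lower().replace("%systemroot%", root).replace("%windir%", root)
    return str(PureWindowsPath(p))


def audit_netsvcs(netsvcs, service_dlls, trusted_dirs=None):
    """Return (service, dll, reason) for each netsvcs member that looks wrong."""
    if trusted_dirs is None:
        trusted_dirs = (SYSTEM_ROOT + r"\System32", SYSTEM_ROOT + r"\SysWOW64")
    trusted = tuple(_normalize(d) + "\\" for d in trusted_dirs)
    findings = []
    for svc in netsvcs:
        if svc not in service_dlls:
            continue  # listed in the group but not installed: normal
        dll = service_dlls[svc]
        if dll is None:
            findings.append((svc, None, "installed and listed in netsvcs but has no ServiceDll"))
        elif not _normalize(dll).startswith(trusted):
            findings.append((svc, dll, "ServiceDll outside trusted directories"))
    return findings


def read_live_netsvcs():
    """Collect the netsvcs group and each member's ServiceDll from a live Windows registry."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SVCHOST_KEY) as key:
        netsvcs = winreg.QueryValueEx(key, "netsvcs")[0]  # REG_MULTI_SZ comes back as a list
    dlls = {}
    for svc in netsvcs:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY + "\\" + svc))
        except OSError:
            continue  # group member not installed on this machine
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                SERVICES_KEY + "\\" + svc + r"\Parameters") as k:
                dlls[svc] = winreg.QueryValueEx(k, "ServiceDll")[0]
        except OSError:
            dlls[svc] = None
    return netsvcs, dlls


if __name__ == "__main__":
    netsvcs, dlls = (SAMPLE_NETSVCS, SAMPLE_SERVICE_DLLS) if winreg is None else read_live_netsvcs()
    for svc, dll, reason in audit_netsvcs(netsvcs, dlls):
        print(f"{svc}: {dll}: {reason}")
```

The path test only catches the crude case. A DLL that sits inside System32 under a name you do not recognise still needs a look (file version, digital signature, creation time), which is the kind of judgement the helper applies when reading the OTListIt2 output.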
awakenedsleepingbeauty
post Apr 29 2009, 07:33 AM
Post #13
New Member, Posts: 8, OS: Vista

edit: removed log
Rorschach112
post Apr 29 2009, 12:38 PM
Post #14
GeekU Teacher, Posts: 35,115, From: Dublin, OS: XP

ok good

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
awakenedsleepingbeauty
post Apr 29 2009, 06:27 PM
Post #15
New Member, Posts: 8, OS: Vista

It wouldn't let me download the second program...

and the third one told me I had to be online to use it... and I am.

So the only one that worked was the first one.

This post has been edited by awakenedsleepingbeauty: Apr 29 2009, 10:01 PM

Time is now: 21st November 2009 - 07:32 AM


© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising