need hlp with Win32/Rustock.gen!C VIRUS

Discussion in 'Malware Help (A Specialist Will Reply)' started by graphitrosco, May 22, 2007.

  1. graphitrosco

    graphitrosco Private E-2

    I ran Rustbfix, it rebooted, and Explorer is no longer running; I have to use the command prompt. I am posting my results from HijackThis; any help would be appreciated.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your HJT log shows C:\WINDOWS\EXPLORER.EXE which means Explorer is running.

    How do you know you had a Rustock infection? What scanner told you that?

    Why do you have both McAfee and AVG7 antivirus installed? This is a no-no!

    Did you add the below?
    F2 - REG:system.ini: Shell=cmd.exe
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below something you installed?
    O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\system32\DomainHelper.dll


    Your HJT log shows you have a lot more problems than Rustock which would not show in an HJT log. You really need to do the below which will include some steps to fix the obvious in HJT, but you also need to run our complete removal procedure at the end since you could have more issues.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to COM+ Messages
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • Microsoft authenticate service
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste COM+ Messages into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • MsaSvc
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    O2 - BHO: (no name) - {00D13CE9-1879-41bd-B8A3-EA3CB1BD01BC} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKLM\..\Run: [lrehqskc] C:\revjkflt.bat
    O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\revjkflt.bat
    C:\WINDOWS\system32\svchosts.exe <--- be careful of the name. This is svchosts.exe not svchost.exe
    C:\WINDOWS\system32\msasvc.exe
    C:\WINDOWS\system32\mszsrn32.dll

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Now reboot into normal mode
     
  4. graphitrosco

    graphitrosco Private E-2

    My computer shuts down at any given time; from what I've read, my computer has all the symptoms. Oh, and the Windows error report says you have win32/rustock.gen!c. McAfee doesn't work but won't get off my computer; AVG seems to work well.
     
  5. graphitrosco

    graphitrosco Private E-2

    I can't get the Start menu up; I have to use the command prompt.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just type services.msc at the command prompt then.
     
  7. graphitrosco

    graphitrosco Private E-2

    Then what?
    The Services window popped up, but I don't know what to do.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Message # 3 gives you the instructions!
     
  9. graphitrosco

    graphitrosco Private E-2

    I still don't have a Start menu, and all of my icons are still gone. What do I do about that?
     
  10. graphitrosco

    graphitrosco Private E-2

    Sorry, got it; I'm a tard.
     
  11. graphitrosco

    graphitrosco Private E-2

    It says the system cannot find COM+ Messages.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And I also said to ignore error messages and continue! The procedure has a line that says:
     
  13. graphitrosco

    graphitrosco Private E-2

    I do not see COM+ Messages now; it was there last night but not now.
     
  14. graphitrosco

    graphitrosco Private E-2

    I could not find
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\msasvc.exe
    C:\WINDOWS\system32\mszsrn32.dll
    in safe mode.
    Other than that, I did everything else. What next?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Now attach the below new logs
    1. GetRunKey
    2. ShowNew
    3. HJT


    Also tell me if you are having any malware problems.
     
  16. graphitrosco

    graphitrosco Private E-2

    Post them to what? And I don't think so; what are the telltale signs?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I forgot that you never ran the required Sticky thread READ & RUN ME FIRST Before Asking for Support. So at this point I have to say, if you are still having any kind of malware issues, you must complete the READ & RUN ME and attach all 6 requested logs.

    If you are not having any problems and are not getting any malware detections, then you should work thru the below:

    How to Protect yourself from malware!
     
  18. graphitrosco

    graphitrosco Private E-2

    It would be easier for me to navigate through Windows if I had all of my icons on the desktop and the Start menu, instead of the command prompt. What should I do about that? Any ideas?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What I gave you in message # 3 is as far as I can go without the other logs that would be obtained from running the READ ME. An HJT log is not good enough to know what your problems are, and thus I cannot explain why your Desktop does not load. Especially since Explorer.exe does show in your HJT log as running. If Explorer.exe were not running, then we could look in the registry at a few spots to find out if the keys that load the shell at startup were deleted. What is the file size and date of c:\windows\explorer.exe?

    Did you complete all of message # 3? Attach a new HJT log.

    From Task Manager type Control.exe into the New Task (Run...) box. Does this bring up Control Panel? If so, go to Add/Remove Programs and select any McAfee stuff that appears and uninstall it. Note: You could also just run appwiz.cpl to go directly to Add/Remove Programs too.


    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
  20. graphitrosco

    graphitrosco Private E-2

    I did what you said in #3 but I couldn't find the files above in system32.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They may be gone or it is possible that you cannot see them since you cannot do step 2 of the READ & RUN ME.

    Run Add/Remove programs again using appwiz.cpl like in my previous message, and uninstall the below:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_09
    Viewpoint Manager (Remove Only)

    Back in message # 3 I asked if the below was something you installed and you never answered my question:
    O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\system32\DomainHelper.dll

    Now let's remove the remaining McAfee stuff!
    • Now run services.msc from Task Manager.
    • On the page that opens, scroll down to McAfee Real-time Scanner
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • McAfee SystemGuards
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste McShield into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • McSysmon
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\RUSSELL\LOCALS~1\Temp\2007524102914_mcappins.exe /v=3 /cleanup
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\RUSSELL\LOCALS~1\Temp\200752410299_mcinfo.exe /insfin

    After clicking Fix, exit HJT

    Now reboot in normal mode


    Now attach a new HJT log.

    This is as much as we can really do without getting more information. You need to try and do as much of the READ & RUN ME as possible. And attach the requested logs.

    You do realize that with the below line loading that explorer.exe cannot load as your shell?
    F2 - REG:system.ini: Shell=cmd.exe
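    A small triage script for the kinds of HJT lines chaslang tells the poster to fix, as an added example that is not part of the thread and is not HijackThis' own code: it flags an F2 Shell= entry that is anything other than explorer.exe (the reason explorer.exe cannot load as the shell), O4 Run entries that launch from the drive root or a Temp folder, and O20 Winlogon Notify entries whose DLL is reported missing. The sample log is constructed from the lines quoted in this thread plus one assumed benign AVG7 entry; the heuristics are mine, not HJT's.

```python
import re

DEFAULT_SHELL = "explorer.exe"  # the only shell a stock Windows XP should register

# Constructed sample: HJT lines quoted in this thread plus one assumed benign O4 entry.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=cmd.exe
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\\WINDOWS\\system32\\DomainHelper.dll
O4 - HKLM\\..\\Run: [lrehqskc] C:\\revjkflt.bat
O4 - HKLM\\..\\Run: [Cleanup] C:\\DOCUME~1\\RUSSELL\\LOCALS~1\\Temp\\2007524102914_mcappins.exe /v=3 /cleanup
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O20 - Winlogon Notify: mszsrn32 - C:\\WINDOWS\\system32\\mszsrn32.dll (file missing)
"""

RE_F2 = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)
RE_O4 = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<path>\S+)", re.I)
RE_O20 = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$", re.I)


def triage_line(line):
    """Return (category, reason) for a suspicious HJT line, or None if it looks benign."""
    m = RE_F2.match(line)
    if m:
        shell = m.group(1).strip().lower()
        if shell != DEFAULT_SHELL:  # e.g. Shell=cmd.exe: Explorer never starts, no desktop
            return ("shell-hijack", f"system.ini Shell is {shell!r}, expected {DEFAULT_SHELL!r}")
        return None
    m = RE_O4.match(line)
    if m:
        path = m.group("path").lower()
        if re.match(r"^[a-z]:\\[^\\]+\.(bat|cmd|exe|dll)$", path):  # bare file in drive root
            return ("autorun-root", f"[{m.group('name')}] runs {path} from the drive root")
        if "\\temp\\" in path:  # leftover installers/droppers launched from Temp
            return ("autorun-temp", f"[{m.group('name')}] runs {path} from a Temp folder")
        return None
    m = RE_O20.match(line)
    if m and m.group("missing"):  # orphaned Winlogon Notify package, typical after a half-removal
        return ("winlogon-notify-missing", f"{m.group('name')} points at missing {m.group('path')}")
    return None


def triage(log_text):
    """Scan a whole HJT log; returns a list of (category, reason, original_line)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for category, reason, line in triage(SAMPLE_LOG):
        print(f"{category:24} {reason}\n    {line}")
```

    BHO entries such as the Domain Helper line are deliberately left to a human, as chaslang does here by asking whether the user installed it.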
     
  22. graphitrosco

    graphitrosco Private E-2

    I have no idea what the thing in message three is, and what should I do with the item that's messing up my desktop?
     
  23. graphitrosco

    graphitrosco Private E-2

    And I have all files showing from step 2. Also, McShield won't disable and be deleted, as you can see in the log.
     
  24. graphitrosco

    graphitrosco Private E-2

    My new log is up. Do you have any idea what (F2 - REG:system.ini: Shell=cmd.exe) is, and why it may be stopping Explorer?
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message # 2 I asked you the below question!
    In message # 5 you said the below which I thought was your response to the above.
    If you did not add this line to your system.ini file, then fix the F2 line in your HJT log.


    You need to be more responsive to all questions and answer them completely! We could have had your problem fixed right after message # 2 if you had said you did not add this line rather than saying you have to use the command prompt again which is something you had already told us.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What happens when you try to Stop and Disable this service? What does it say the current Startup Type is?

    What happens when you try to Delete it with HijackThis?
     
  27. graphitrosco

    graphitrosco Private E-2

    The service was already stopped; the startup type is on Automatic. When I go to disable it, it gives me:
    unable to open service McShield for writing on local computer
    error 5: access is denied

    When I try to fix it with HijackThis, it says it fixes it, but it still shows up when I do another scan.

    I do appreciate your help.
     
  28. graphitrosco

    graphitrosco Private E-2

    It fixed it! But when it rebooted I got the log attached below.
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What fixed what?

    And what did you get this log from? Did you run this: Rustock.b - msguard, pe386, & lzx32 RootKit Removal


    Did you use HJT to fix the F2 line?

    Does Explorer now run?
     
  30. graphitrosco

    graphitrosco Private E-2

    Yeah, my desktop is up; HJT fixed F2. Thanks again. I did run the Rustock.b program, and after I did, my icons and Start menu went away, which you fixed. I didn't find this site before I did that; should I not have done that?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So are you having any other malware issues?

    If you are not having any other malware problems, it is time to do our final steps:
    1. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    2. After doing the above, you should work thru the below link:
     
  32. graphitrosco

    graphitrosco Private E-2

    No, I don't think I'm having any other problems, but I'll do the stuff below just in case. Thanks again for your help.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That stuff is required when you are not having any more problems! It is not done when you are still having problems!

    You're welcome.
     