Help with Win32:RustNT [Rtk] and Win32:Cutwail [Trj]

Discussion in 'Malware Help (A Specialist Will Reply)' started by magdalena, Jun 17, 2009.

  1. magdalena

    magdalena Private E-2

    Hi there!!

    My computer got severely infected with:
    - Win32:Cutwail [Trj]
    - Win32:RustNT [Rtk]

    I have avast and it detected it mainly in C:\windows\system32\drivers and temporary files.

    I went through your guidance from READ & RUN ME FIRST. Still, I encountered problems with SuperAntiSpyware – at the moment I clicked on Quarantine and Removal, it shut down and the following window appeared:

    Microsoft Visual C++ Runtime Library
    R6025
    - pure virtual function call


    I am not sure if I got rid of this malware. My intuition tells me not really. I attach logs from the scans; maybe some professional could have a look at them.

    I paste the log from SAS here as it doesn't fit in the attachments anymore:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/17/2009 at 02:47 PM

    Application Version : 4.26.1004

    Core Rules Database Version : 3943
    Trace Rules Database Version: 1885

    Scan type : Complete Scan
    Total Scan Time : 00:38:33

    Memory items scanned : 519
    Memory threats detected : 0
    Registry items scanned : 4938
    Registry threats detected : 0
    File items scanned : 19689
    File threats detected : 2

    Trojan.Agent/Gen-WPV
    C:\WINDOWS\TEMP\WPV641243627542.EXE

    Trojan.Agent/Gen-NameThief
    C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\MANDRE\MANDRE.EXE.VIR



    I also would like to ask if I can remove quarantined files from avast when some of them are located in C:\windows\system32\ ?

    Thank you very much in advance. I really appreciate MajorGeeks.
    Please note that I am an absolute amateur :) just started to learn…
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look pretty good, though I will want you to run the MGTools again as some are rather truncated.

    First use windows explorer to find and delete:
    C:\Documents and Settings\MANDRE\oashdihasidhasuidhiasdhiashdiuasdhasd

    Your Combo log is indicating that you once had both of these installed:
    avast! antivirus
    ZoneAlarm Security Suite Antivirus

    but are now running Avira AntiVir. Did you uninstall the above? Have you run CCleaner (both the cleaner and the registry, making sure to do the backup when prompted)?

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. magdalena

    magdalena Private E-2

    Thanks for looking at it!

    READ and RUN ME FIRST helped me a lot and I, most probably, removed them successfully.

    Following your advice I deleted:
    C:\Documents and Settings\MANDRE\oashdihasidhasuidhiasdhiashdiuasdhasd
    What was it actually?

    I used to have Zone Alarm and Avast!. I removed them but I still find pieces of them. Sometimes I feel I lose control over my machine :confused

    I also ran CCleaner.

    At the end I ran the MGtools scan once more. I attached the logs.

    So far, I must say this forum is great :)
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. I assume you ran CCleaner registry fix and made the backup when prompted. That should have taken care of any leftovers from the two programs.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
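The final-steps list above is a manual procedure. As an added example (not a MajorGeeks script and not part of the thread), the following PowerShell automates the scriptable parts of it, steps 2, 4 and 6, using exactly the paths the post names, and checks afterwards that nothing was left behind. It assumes ComboFix.exe was saved on the Desktop as the READ & RUN ME FIRST instructions request, that C:\MGtools\enableUAC.reg exists, and that it is run from an elevated PowerShell prompt. Step 5 (uninstalling HijackThis through Add/Remove Programs) and step 7 (flushing System Restore points) are deliberately left to the GUI as the post describes them.

```powershell
# Added example, not MajorGeeks' own tooling: automates the cleanup steps
# from the post above on the paths it names. Assumes ComboFix.exe sits on
# the Desktop and C:\MGtools\enableUAC.reg exists (both as the post states).
# Run from an elevated PowerShell prompt.

$ErrorActionPreference = 'Stop'

# Step 2: uninstall ComboFix with its /u switch. This is the PowerShell
# equivalent of typing  "%userprofile%\Desktop\combofix" /u  into the Run box;
# the post's note about the space before /u is why '/u' is a separate argument.
$comboFix = Join-Path $env:USERPROFILE 'Desktop\ComboFix.exe'
if (Test-Path $comboFix) {
    Start-Process -FilePath $comboFix -ArgumentList '/u' -Wait
} else {
    Write-Warning "ComboFix.exe not found on the Desktop; skipping the /u uninstall"
}
# The post also asks for the C:\combofix folder to be deleted if it exists.
if (Test-Path 'C:\combofix') { Remove-Item 'C:\combofix' -Recurse -Force }

# Step 4 (Vista only): re-enable UAC by importing the supplied .reg file,
# then confirm EnableLUA reads 1. This must happen before step 6 deletes
# C:\MGtools, which is where the .reg file lives.
$isVistaOrLater = [Environment]::OSVersion.Version.Major -ge 6
$uacReg = 'C:\MGtools\enableUAC.reg'
if ($isVistaOrLater -and (Test-Path $uacReg)) {
    & reg.exe import $uacReg
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty $policy).EnableLUA
    if ($lua -ne 1) {
        Write-Warning "EnableLUA is '$lua'; UAC is still off, re-import the .reg file and reboot"
    }
}

# Step 6: remove the MGtools package, its extracted folder and the log archive.
foreach ($p in 'C:\MGtools', 'C:\MGtools.exe', 'C:\MGlogs.zip') {
    if (Test-Path $p) { Remove-Item $p -Recurse -Force }
}

# Final check: anything from the list above that is still on disk is reported,
# so the user can see at a glance whether a step silently failed.
$left = @('C:\combofix', 'C:\MGtools', 'C:\MGtools.exe', 'C:\MGlogs.zip', $comboFix) |
    Where-Object { Test-Path $_ }
if ($left) {
    Write-Warning "Still present: $($left -join ', ')"
} else {
    'Tool cleanup complete. Uninstall HijackThis via Add/Remove Programs and reset System Restore as in step 7.'
}
```

The order matters: the UAC import reads a file inside C:\MGtools, so it has to run before that folder is deleted, which is also the order the post lists the steps in. The EnableLUA read-back is the check a practitioner wants here, because a .reg import that is refused (for example when the prompt is not elevated) fails without any obvious sign.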
