I need help Rustock BOT removal

tagtech · Aug 20, 2008

Hello all:

I have one machine on the network that became infected with Antivirus2007
I removed it or so I thought then the machine became infected with Smitfraud
I removed it or so I thought now I am being told by mail radar that I have Rustock Bot

Running WireShark Network analyzer on the network indeed it is acting as a SPAM bot - sending out tons of emails a minute.

I have blocked port 25 on this machine to prevent the trojan from sending out any more spam until I can fix this problem.

I have also isolated this machine on the network to as to not allow it to infect any other machines.

I am running Spy Bot Search and Destroy right now and it has all ready found to entries for Antivirus 2008, the program is still running.

Everytime I get this machine clean or so I think something else pops up.

Can some please tell me what log programs they wish me to run such as HJT or what ever so that I might finally find out exactally what is infecting this machine?

I usally have to clean one or two machines a year at my office but this one has me stumped - I really need some help. This machine has been an on again off again problem for almost a month now.

I am awaiting any constructive instructions anyone might wish to present me with.

Thank you

TagTech

chaslang · Aug 22, 2008

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.

Notes:

If you run into problems trying to run theREAD & RUN ME or any of the scans in normal boot mode. You can running steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

tagtech · Aug 22, 2008

Indeed -

I thought I had read everything. Prior to receiving this reply I went back and found out that I had not read everything. Last night I read the entire READ & RUN ME FIRST information.

I followed on through with my OS and performed all the indicated proceedures in the order they were outlined.

Now I have the questionable machine all scanned.

I appologize for jumping the gun.

I have a mid sized network and am behind a NAT router I had to inject Wireshark just behind the WAN to isolate the machine that was the problem. Once located I started in on the offending machine. This machine has been a problem for me, I think I get things cleaned up then a few days later I find that the problem has not been fixed and we start all over again.

I guess it was my ignorance with Rootkits that I should have really been studying.

At this time it appears that I have cleaned up the offending machine, if the problem reappears I will be back.

I appreciate your forum and your help.

Thank you

TagTech

chaslang · Aug 22, 2008

You're welcome. Surf safely!

Log in or Sign up

I need help Rustock BOT removal

tagtech Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

tagtech Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member