Problems after removing Gen-Rx and Rustock

eric21 · Aug 18, 2009

Two day's ago i started having some weird problems after bootup, McAfee did not detect anything. I regularly run SAS.
Followed your instructions (see attachement log's) and SAS removed Gen-Rustock and Gen-Rx. Most of the problems are gone (slow internet etc) buth i get an intermittant Bufferoverflow (services.exe) from McAfee. Removed old Java and installed latest versions, also cleaned the restore area, but the problems remain. Would appreciate help to remove the remaining traces or undetected bugs.

eric21 · Aug 18, 2009

Re: Problems after rempving Gen-Rx and Rustock

and the remaining logfile.......................

eric21 · Aug 18, 2009

and the BUFFEROVERFLOW logfile!

TimW · Aug 21, 2009

You buffer overflow issue may not be a malware issue...so you may need to post in the software forum for that.

The only issues I see are an outdated Java version:
J2SE Runtime Environment 5.0 Update 10
(use add/remove programs to uninstall it)

And a possible issue with your ntfs.sys file. Possibly a result of malware, So do this:
1. Insert the Windows XP CD into the computer and restart the computer.
2. As the computer is starting make sure to press a key to boot from the CD.
3. In the Windows XP setup screen press the 'R' key to run the Windows Recovery Console.
4. If prompted enter the number of Windows installation you're repairing.
5. At the command prompt type the below command.

copy x:\i386\ntfs.sys c:\windows\system32\drivers

* In the above example you would replace x: with the letter of your CD-ROM drive. Many computers have the CD-ROM drive configured as the D: drive.

6. If ntfs.sys is still on the computer you'll be prompted if you wish to overwrite the file. If prompted, press the Y key for Yes to overwrite the file.
7. Once the file has been successfully copied remove the CD and reboot your computer.

Now download and install:
Java Runtime 6

Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* C:\MGlogs.zip

eric21 · Aug 23, 2009

Thank's Tim,
Did that and also restored a couple of other system files, no luck.
Here's the funny thing: i installed the drive with the malware as slave (did a boot from an image i make at regular intervals) and scanned from this uninfected drive with all of the programs available, figuring the rootkit would not be able to "hide" itself anymore. Again: no results, clean scans. Booting from the infected drive immediatly gives a flood of Bufferoverflows, the MacAfee bufferoverlow log does not give additional info.
Since i lost no data and had to install only a couple of new programs on the image, i dicided to go from there. I appreciate the time you put into this, but i'm up and running again. In a couple of weeks i'll rescan the infected drive, to see if updates in Sas or Mbam will detect anything. If so, i'll let you know!
Here's a thought: you can't live without a decent virusscanner, but a 1T byte harddisk sells for 70 euro's (same price as McAfee) and gives a lot of additional security.

TimW · Aug 26, 2009

Good to know. Hope all goes well.

Log in or Sign up

Problems after removing Gen-Rx and Rustock

eric21 Private E-2

Attached Files:

ComboFix.txt

mbam-log-2009-08-18 (00-42-50).txt

SASlog.txt

MGlogs.zip

eric21 Private E-2

Attached Files:

RRlog.txt

eric21 Private E-2

Attached Files:

bufferoverflowlog.jpg

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

eric21 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member