AVG Forums, Virus Removal, Tools for Removing: Continuing Reinfection By Rustock.G
January 6, 2010 19:58 Continuing Reinfection By Rustock.G #55151
HGguy

Novice
Join Date: 6.1.2010
Posts: 10
Every time I run AVG scan (auto-scan) it finds the same 2 entries:
"C:\WINDOWS\System32\SERVICES.EXE (912):\memory_009e0000";"Virus identified Win32/Rustock.G";"Reboot is required to finish the action"
AND
"C:\WINDOWS\System32\SERVICES.EXE (912)";"Virus identified Win32/Rustock.G";"Reboot is required to finish the action"

The reboot is done and only the first entry says "Moved to Virus vault". The 2nd entry still says "Reboot required..."

Why is this happening? I am running Win XP pro, firewall on, AVG 9.0.725, DB 270.14.127/2603
January 7, 2010 09:16 Re: Continuing Reinfection By Rustock.G #55361
ondraploteny

Administrator
Join Date: 27.3.2009
Posts: 6996
Hi,

could you please provide us with the output of a Gmer full scan - http://forums.avg.com/cz-en/avg-free-forum?sec=thread&act=show&id=9455#post_9455

Thanks
***************AVG Team
January 7, 2010 18:03 Re: Continuing Reinfection By Rustock.G #55487
HGguy

Novice
Join Date: 6.1.2010
Posts: 10
ondraploteny wrote
Hi,

could you please provide us with the output of a Gmer full scan - http://forums.avg.com/cz-en/avg-free-forum?sec=thread&act=show&id=9455#post_9455

Thanks
***************AVG Team

No I can't. Gmer runs and finds a possible service in Win32 that it thinks is rootkit activity. But if I try to copy the scan to anything, even after stopping Gmer, the processor activity goes to 100% and nothing else will run. I have to power off the computer to get a reboot. If I try to run a full scan, Gmer itself bogs down and the Task Manager shows 100% processor use. If I try to use the procedure referenced above and try to delete the file found in red, it says that the "Path is not found".
Can we try another tool please?
January 7, 2010 18:57 Re: Continuing Reinfection By Rustock.G #55501
HGguy

Novice
Join Date: 6.1.2010
Posts: 10
I just ran RootkitRevealer from www.sysinternals.com and it shows 8 "Discrepancies". Here it is:

HKU\s-1-5-21-842925246-1770027372-682003330-500\Software\Skype\Toolbars\Firefox\ExtensionVersion 6/8/2009 3:20 PM 9 bytes Data mismatch between Windows API and raw hive data.

HKLM\SECURITY\Policy\Secrets\SAC* 1/8/2006 10:32 AM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 1/8/2006 10:32 AM 0 bytes Key name contains embedded nulls (*)

HKLM\SYSTEM\ControlSet001\Services\a019a00d 6/9/2009 10:47 AM 0 bytes Hidden from Windows API.

HKLM\SYSTEM\ControlSet001\Services\c340f9d6 6/9/2009 10:47 AM 0 bytes Hidden from Windows API.

HKLM\SYSTEM\ControlSet002\Services\a019a00d 6/9/2009 10:47 AM 0 bytes Hidden from Windows API.

HKLM\SYSTEM\ControlSet002\Services\c340f9d6 6/9/2009 10:47 AM 0 bytes Hidden from Windows API.

E: 0 bytes Error mounting volume
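The discrepancy list above is the kind of output a responder has to triage by hand. As an added example (not code from the thread, from AVG or from Sysinternals), here is a small parser for RootkitRevealer lines in this format that flags the registry keys "Hidden from Windows API" under a Services path as the high-priority findings and collapses the ControlSet001/ControlSet002 duplicates into unique service names. The severity rules are the editor's own heuristics, and the sample lines are constructed from the output posted above.

```python
"""Triage RootkitRevealer discrepancy lines (editor's example; the severity rules are
the editor's own heuristics). Line format: <path> [<date> <time> AM|PM] <size> bytes <desc>"""
import re
from collections import Counter
from typing import Dict

# Constructed sample: the eight discrepancies posted in the thread.
SAMPLE_OUTPUT = r"""
HKU\s-1-5-21-842925246-1770027372-682003330-500\Software\Skype\Toolbars\Firefox\ExtensionVersion 6/8/2009 3:20 PM 9 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 1/8/2006 10:32 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/8/2006 10:32 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\a019a00d 6/9/2009 10:47 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\c340f9d6 6/9/2009 10:47 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\a019a00d 6/9/2009 10:47 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\c340f9d6 6/9/2009 10:47 AM 0 bytes Hidden from Windows API.
E: 0 bytes Error mounting volume
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+"
    r"(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+)?"
    r"(?P<size>\d+) bytes\s+(?P<desc>.+)$")

def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised RootkitRevealer line: {line!r}")
    return m.groupdict()

def classify(entry: Dict[str, str]) -> str:
    path, desc = entry["path"].lower(), entry["desc"].lower()
    if "hidden from windows api" in desc:
        # In the raw hive but invisible through the registry API: the classic kernel-rootkit
        # signature. A hidden *service* key is what loads a driver, so it ranks highest.
        return "high" if "\\services\\" in path else "medium"
    if "embedded nulls" in desc and path.startswith("hklm\\security\\policy\\secrets\\"):
        return "info"   # LSA secrets keys legitimately carry null-embedded names
    if "data mismatch" in desc:
        return "low"    # usually a value rewritten between the two scan passes; rescan to confirm
    if "error mounting volume" in desc:
        return "info"   # drive not readable (empty or removable), not a hiding technique
    return "review"

def triage(output: str) -> Dict[str, object]:
    entries = [parse_line(l) for l in output.splitlines() if l.strip()]
    for e in entries:
        e["severity"] = classify(e)
    # ControlSet001/002 are two copies of the same service list: collapse to key names.
    hidden = {e["path"].rsplit("\\", 1)[-1] for e in entries if e["severity"] == "high"}
    return {"entries": entries, "hidden_services": hidden,
            "counts": dict(Counter(e["severity"] for e in entries))}
```

For the posted output, `triage(SAMPLE_OUTPUT)["hidden_services"]` yields the two service names, which is exactly the set to check against the drivers directory from clean media.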
January 8, 2010 07:05 Re: Continuing Reinfection By Rustock.G #55707
ondraploteny

Administrator
Join Date: 27.3.2009
Posts: 6996
Hi,

is it possible to share which file exactly is detected in red by Gmer? Is it possible to run Gmer without the full scan (without using the "Scan" button) and use its features via the ">>>" tab?

Otherwise, please try the RootRepeal application.

Thanks
***************AVG Team
January 8, 2010 18:04 Re: Continuing Reinfection By Rustock.G #55887
HGguy

Novice
Join Date: 6.1.2010
Posts: 10
ondraploteny wrote
Hi,

is it possible to share which file exactly is detected in red by Gmer? Is it possible to run Gmer without the full scan (without using the "Scan" button) and use its features via the ">>>" tab?

Otherwise, please try the RootRepeal application.

Thanks
***************AVG Team

The file in red is C:\Windows\system32\drivers\a019a00d.sys
If I try to delete this file it tells me the file "Does not exist".
This is one of the parts of the Rustock virus according to this very interesting and highly detailed article: http://www.rootkit.com/newsread.php?newsid=879
It looks pretty hopeless that AVG can fix this virus. According to the article, which is a few years old, there is no way to fix this at all.
January 8, 2010 22:39 Re: Continuing Reinfection By Rustock.G #55945
HGguy

Novice
Join Date: 6.1.2010
Posts: 10
Tried the RootRepeal program. It showed no problems in the Drivers or the 129 running processes I had. Then I tried to scan the files and it completely hung up so badly that I had to power off the computer to get a reboot. I'd say this Beta version is not ready for "prime time". It never showed any problems.
January 9, 2010 01:47 Re: Continuing Reinfection By Rustock.G #55973
HGguy

Novice
Join Date: 6.1.2010
Posts: 10
Oh, I forgot to mention that this virus has disabled my old virus program (Computer Associates). That is why I am trying AVG. But it also has disabled REGEDIT. Can you tell me how it has done this so that I can fix it and run REGEDIT again?
January 11, 2010 09:42 Re: Continuing Reinfection By Rustock.G #56435
ondraploteny

Administrator
Join Date: 27.3.2009
Posts: 6996
Hi,

is it possible to connect the affected hard drive to another clean computer and check it for viruses? If some system file is found infected, please try to restore it from backup to recover proper OS functionality.

The referenced article showed possible injection into these system files:
C:\WINDOWS\SYSTEM32\DRIVERS\IMAPI.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\NTFS.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\FASTFAT.SYS

Please try to recover them through Windows Recovery Console. Detailed description of Windows Recovery Console may be found here:
http://support.microsoft.com/kb/314058

EDIT: According to discussion with the AVG team, this detection could be related to a Vundo infection, whose removal procedure is described in this thread - http://forums.avg.com/cz-en/avg-free-forum?sec=thread&act=show&id=51637#post_51637

Thanks
***************AVG Team
January 12, 2010 22:41 Re: Continuing Reinfection By Rustock.G #57113
HGguy

Novice
Join Date: 6.1.2010
Posts: 10
Hi Ondraploteny,
Thanks for those links. I will give both methods a try and report in a day or two.
Dean