
repeated crashes and failure to update ... is this Win32/Rustock.g


Richard Henderson

Aug 15, 2007, 5:36:01 PM
Apologies if this appears twice - had a crash just as I first posted re this!
Running XP, have had a frustrating few weeks with repeated random crashes,
BSOD etc. Twice I couldn't boot at all and repaired (not quite a reinstall)
using the CD supplied. After some of the crashes got the error report from
MS that I was infected with Win32/Rustock.gen!C, and directing me to an
online scan that always crashed before completing, although several complete
and up to date McAfee scans have found nothing.
Possibly related to this I have had major problems with updates downloading
but not installing. For a week or so I kept getting the message that Update
installer 3.1 (I think ... from memory) could not be installed. I Googled re
this and found a workaround via regedit and did install the update installer,
after which a number of other updates could be installed, but now no longer.
It keeps hanging when trying to install IE7 (I currently have IE6), and I
need to ctrl/alt/delete out of it. Even when I try a custom install without
IE7 it still doesn't complete installation, and is currently frozen - I am
posting this on another computer provided by work.
I am normally a patient man, but am sorely tempted to throw a brick at the
computer. Some unkind colleagues have suggested I install Linux, but I feel
I am only moderately computer literate and not really sufficient of a nerd to
do this.
Any relatively simple solutions? Or would the simplest and easiest solution
be to reinstall Windows and start again? - I have backed up all essential
files so this wouldn't be a total disaster.
HELP!

TaurArian [MS-MVP]

Aug 16, 2007, 6:48:42 AM

"Richard Henderson" <RichardH...@discussions.microsoft.com> wrote in message
news:23E8EE0D-6ACA-4D89...@microsoft.com...

What concerns me is "Win32/Rustock.gen!C"

xposted to security.virus for convenience.

Security - Viruses
OE client -
news://msnews.microsoft.com/microsoft.public.security.virus
or

Web client -
http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.security.virus


--
====================================
TaurArian [MS-MVP] 2005-2008 - Australia
====================================
How to make a good post: http://www.dts-l.org/goodpost.htm
Defending your machine: http://defendingyourmachine2.blogspot.com/
http://taurarian.mvps.org/index.htm

Emails will not be acknowledged - please post to the newsgroup so all may benefit.


Peter Foldes

Aug 16, 2007, 9:09:05 AM
Download - rustbfix.exe and save it to your desktop.

If a Rustock.b-infection is found, you will be asked to reboot the computer.

After you reboot, it will take some time for the Desktop to come up. You might need to reboot 2 times, depending.

When the desktop comes up you will have 1-2 logfiles that will show up for you. The infection should be gone. If not, post those log files here.


--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"TaurArian [MS-MVP]" <taurarian...@gmail.com> wrote in message news:eliUBM$3HHA...@TK2MSFTNGP03.phx.gbl...

Peter Foldes

Aug 16, 2007, 9:20:01 AM

Sorry I forgot the link for the rustbfix.exe

http://www.uploads.ejvindh.net/rustbfix.exe

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Peter Foldes" <ok...@hotmail.com> wrote in message news:%23ER9WaA...@TK2MSFTNGP03.phx.gbl...

Richard Henderson

Aug 16, 2007, 8:46:09 PM
Latest update:
Have run rustbfix (see logs in posting above) but still can't update. Hangs
while trying to install IE7 and generates Drwatson postmortem debugger error
notice as before. What's up? Is this something other than the virus?

"Richard Henderson" wrote:

> Peter
> Thanks. Will try when I get home ... but does what I describe sound like a
> Win32/Rustock.gen!C infection, and does McAfee not pick this up?

Richard Henderson

Aug 16, 2007, 8:47:52 PM
Peter
Thanks. Will try when I get home ... but does what I describe sound like a
Win32/Rustock.gen!C infection, and does McAfee not pick this up?

Richard Henderson

Aug 16, 2007, 8:54:20 PM
Peter
Thanks have now downloaded and run rustbfix.exe. It did indeed reboot twice
and generated two logs pasted below. Perhaps you can decipher for me? I'm
not sure if it indicates there was an infection or not.
Richard

*********************** Rustock.b-fix v. 1.01 -- By ejvindh
*************************
16/08/2007 21:57:55.34

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 53934
Total size: 53934 bytes.
Attempting to remove ADS...
system32: deleted 53934 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ycywykmr

*******************

Script file located at: \??\C:\WINDOWS\system32\oqtpyoft.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
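
An added example, not part of the thread and not the tool author's code: a small parser that reads the Rustock.b-fix log pasted above and compares its pre-run and post-run sections. The line patterns are taken only from this one log; that a post-run finding would be printed in the same shape as a pre-run one is an assumption.

```python
import re

# Rustock.b-fix log from the post above (blank lines dropped), embedded for offline use.
SAMPLE_LOG = """\
******************* Pre-run Status of system *******************
Rootkit driver PE386 is found. Starting the unload-procedure....
Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 53934
Total size: 53934 bytes.
Attempting to remove ADS...
system32: deleted 53934 bytes in 1 streams.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
******************************* End of Logfile
"""

SECTION = re.compile(r"^\*+\s*(Pre-run|Post-run) Status of system\s*\*+$")
DRIVER = re.compile(r"^Rootkit driver (\S+) is found")
ADS = re.compile(r"^:(\S+)\s+(\d+)$")  # ":<stream name> <size in bytes>"

def parse_rustbfix_log(text):
    """Collect driver and alternate-data-stream findings per log section."""
    report, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if "End of Logfile" in line:
            break  # anything after this (e.g. the Avenger log) is a different tool
        if m := SECTION.match(line):
            current = report.setdefault(m.group(1), {"drivers": [], "ads": []})
        elif current is not None and (m := DRIVER.match(line)):
            current["drivers"].append(m.group(1))
        elif current is not None and (m := ADS.match(line)):
            current["ads"].append((m.group(1), int(m.group(2))))
    return report

def verdict(report):
    """Assumption: post-run findings use the same line shapes as pre-run ones."""
    if "Pre-run" not in report or "Post-run" not in report:
        return "incomplete log"  # e.g. the paste was cut off before the second pass
    found = {k: bool(v["drivers"] or v["ads"]) for k, v in report.items()}
    if found["Post-run"]:
        return "still present after run"
    return "found and removed" if found["Pre-run"] else "nothing found"
```

For the log in this thread, the pre-run section yields the PE386 driver and the 53934-byte lzx32.sys stream on the System32 folder, and the post-run section yields nothing.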

Richard Henderson

Aug 16, 2007, 9:11:50 PM
Many thanks. Will see if that generates any response.

Peter Foldes

Aug 16, 2007, 10:28:02 PM
Richard

Win32/Rustock is now not on your system according to the log files the fix generated. Now as far as the Windows Updates go I cannot help you there. Possibly someone else will come in here and give you some advice on that.

Good Luck Richard
--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Richard Henderson" <RichardH...@discussions.microsoft.com> wrote in message news:D5AF9FC2-B4F4-4CA1...@microsoft.com...

Peter Foldes

Aug 17, 2007, 12:32:22 AM
I just came across this for the Windows Update issue. Give it a read

http://groups.google.fr/group/microsoft.public.windows.vista.security/browse_thread/thread/e34050adfbb1d97b/a5393c5468ccf766?lnk=st&q=Why+Won%27t+My+Computor+Download+Microsoft+Critical+Updates+(85)+Of&rnum=1#a5393c5468ccf766

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Richard Henderson" <RichardH...@discussions.microsoft.com> wrote in message news:912AB017-3E92-4F65...@microsoft.com...

Richard Henderson

Aug 17, 2007, 3:34:01 AM
Peter
Thanks a lot. I will try this link and see if it solves the problem (maybe
when I get back from holiday!).

Richard Henderson

Aug 17, 2007, 6:22:03 PM
Hmm.
Have visited the website you suggested and run ccleaner and dialafix as
detailed there. Has certainly cleaned out a lot of rubbish ... but sadly
still can't run updates. Failed to download security update KB917953 and
failed to install MS.net Framework1.1 service pack 1 - and it hangs when
trying to install IE7 as before.
Any further suggestions?

Barkimmy

Mar 15, 2008, 12:47:01 AM
I believe I can help you with the failed Windows update. Apparently this
has really become a common problem that I am sure they are working on. The
fix is fairly easy and has been successful for me on several computers with
the same problem, always different downloads continue to fail and the error
codes differ. But, the problem is the same. Sometimes a Windows Update (or
several) fail to install.

First, go to the Windows Update site. On the left is an option to view your
update history. There you will find any and all updates that have failed.
Write down the KB number of the update. If you click the red button with the
x near the word fail, you will get the error code. You may want to write this
down just in case it could lead you to a future problem.

Then take your KB numbers to:

http://support.microsoft.com/?kbid=323166

Just follow the step by step directions. It is not as hard as it sounds and
it worked great for me several times.

I hope this helps.

Barkimmy


> > > | Possibly related to this I have had major problems with updates downloading
> > > | but not installing. For a week or so I kept getting the message that Update
> > > | installer 3.1 (I think ... from memory) could not be installed. I Googled re
> > > | this and found a workaround via regedit and did install the update installer,
> > > | after which a number of other updates could be installed, but now no longer.
> > > | It keeps hanging when trying to install IE7 (I currently have IE6), and I
> > > | need to ctrl/alt/delete out of it. Even when I try a custom install without
> > > | IE7 it still doesn't complete installation, and is currently frozen - I am
> > > | posting this on another computer provided by work.
> > > | I am normally a patient man, but am sorely tempted to throw a brick at the
> > > | computer. Some unkind colleagues have suggested I install Linux, but I feel
> > > | I am only moderately computer literate and not really sufficient of a nerd to
> > > | do this.
> > > | Any relatively simple solutions? Or would the simplest and easiest solution
> > > | be to reinstall Windows and start again? - I have backed up all essential
> > > | files so this wouldn't be a total disaster.
> > > | HELP!

PA Bear [MS MVP]

Mar 15, 2008, 2:29:52 AM
[This thread is from Aug-07]

Barkimmy

Mar 15, 2008, 2:53:00 AM
I know. But this is still an ongoing problem. If I ran across this thread
looking for my problem who's to say someone else couldn't as well. Would this
one be pulled out of the data base and never get found by query, (search).
Perhaps you were trying to make a different point and I misunderstood you.
After all, you found your way here after all this time, too. I apologize if I
did something inappropriate on this site. I just figured a thread still
readable, and not fully answered, was a thread still open. Let me know if I
was wrong. I am still new to this site.

Barkimmy
--
When you have 15 grandchildren you don't let a persnickety obnoxious
computer get you down. There are times I wish I could just reboot the kids,
though.

Malke

Mar 15, 2008, 7:57:27 AM
donotspam wrote:

> I know. But this is still an ongoing problem. If I ran across this thread
> looking for my problem who's to say someone else couldn't as well. Would
> this one be pulled out of the data base and never get found by query,
> (search). Perhaps you were trying to make a different point and I
> misunderstood you. After all, you found your way here after all this
> time, too. I apologize if I did something inappropriate on this site. I
> just figured a thread still readable, and not fully answered, was a thread
> still open. Let me know if I was wrong. I am still new to this site.

You're wrong only because you didn't realize this isn't a "site" but the web
interface to a newsgroup and therefore the thread may never be downloaded,
depending on how people have set their newsreaders up.

There is absolutely nothing for you to apologize for; you made an honest
mistake (which hurts no one) and one that is made by newcomers to the MS
public newsgroups every day. The web interface is the clunkiest, worst way
to access these groups. Instead, you should consider setting up a
newsreader - extremely easy to do. See the information below:

Since you are using the web interface, you may not realize that this is
really a newsgroup. You will get far more out of this resource if you learn
to use a newsreader. There are many good newsreaders for Windows, but you
can use Outlook Express (XP) or Windows Mail (Vista) since you already have
it. Here are some links to information about newsgroups:

About Usenet:
http://en.wikipedia.org/wiki/Usenet
http://www.faqs.org/faqs/ - Usenet FAQs from the Internet FAQ Archives
http://www.usenetmonster.com/infocenter/
http://www.elephantboycomputers.com/page2.html#Usenet - a brief explanation
of newsgroups

Outlook Express/Windows Mail as Newsreader:
http://michaelstevenstech.com/outlookexpressnewreader.htm
http://rickrogers.org/setupoe.htm
http://vistasupport.mvps.org/accessing_newsgrousp_with-windows_mail.htm

How to Post:
http://www.elephantboycomputers.com/page2.html#Usenet
http://support.microsoft.com/default.aspx/kb/555375 - How to Ask a Question
http://users.tpg.com.au/bzyhjr/liszt.htm - How Not to Get Technical Help on
Usenet
http://www.catb.org/~esr/faqs/smart-questions.html

http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.test.here - MS group to test if your newsreader is working
properly
http://www3.telus.net/dandemar/munad.htm - how to munge email address
http://en.wikipedia.org/wiki/Crossposting - crossposting
http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting

Other Newsreaders for Windows:
http://www.forteinc.com/main/homepage.php - Forte
http://www.mozilla.org - Thunderbird
http://gravity.tbates.org/
http://www.40tude.com/dialog/
http://xnews.newsguy.com/

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

PA Bear [MS MVP]

Mar 15, 2008, 11:12:33 AM
A few points to add to my colleague Malke's comments:

The person who started this thread (Original Poster or OP) and who was
having the problem (possibly due to a Win32/Rustock.gen!C infection; cf.
http://groups.google.com/group/microsoft.public.windowsupdate/msg/15a61b8d82f36160)
hasn't been heard from since mid-August 2007, so there's little chance he'll
see your reply offering assistance.

It's highly unlikely that the OP would not have been able to successfully
install anything downloaded from the Windows Update Catalog (KB323166). And
in any event, he needed to get Windows fixed, not just install a few
updates.

A machine infected by a W32/Rustock-variant would most likely have other
infections (e.g., Zlob; SDBot; Vundo), all of which affect Windows, not just
updating. Expert assistance would be required and many steps would need to
be taken in order to get the machine clean so that updating can take place;
e.g., http://forums.spywareinfo.com/lofiversion/index.php/t97116.html
--
~PA Bear


Barkimmy wrote:
> I know. But this is still an ongoing problem. If I ran across this thread
> looking for my problem who's to say someone else couldn't as well. Would
> this one be pulled out of the data base and never get found by query,
> (search). Perhaps you were trying to make a different point and I
> misunderstood you. After all, you found your way here after all this
> time, too. I apologize if I did something inappropriate on this site. I
> just figured a thread still readable, and not fully answered, was a thread
> still open. Let me know if I was wrong. I am still new to this site.
>

Richard Henderson

Mar 15, 2008, 2:20:03 PM
Ah well ... just shows how wrong you can be! The original poster is still
around and did read your posts - thank you.
Largely now overtaken by events.
I did eventually get rid of the rustock virus and repaired my installation
from the original CD - just short of a reinstall.
Updates now OK, and no crashes or BSOD for quite a while, but have opted out
of IE7 updates. My broadband is provided by BTYahoo who have their own
browser (an IE6 variant) which is incompatible (at present) with IE7.
Richard

"PA Bear [MS MVP]" wrote:

Barkimmy

Mar 18, 2008, 2:57:01 AM
When I replied to the post I realized that the original poster had made
his/her question in 2 or more parts. As his/her W32/Rustock question had been
answered, and I had not run across that as of yet, I didn't see any reason
for me to answer that part. But I did notice that his/her question about not
being able to install some updates had not been answered yet. I had run
across that one, on several computers, each with different updates being
obstinate and each coming up with a different error code. I was able to
manually download and install the troublesome updates and solved that problem
on each computer that I found it on.


--
When you have 15 grandchildren you don't let a persnickety obnoxious
computer get you down. There are times I wish I could just reboot the kids,
though.


"PA Bear [MS MVP]" wrote:
