Jump to content

Rustan.AN infection


Recommended Posts


I noticed that my pc was getting slow suddenly, so I opened ProcessExplorer to see what's going on, and I notice a couple of strangely named *.exe running.

I freak out, kill them all and let mrt.exe do a quicksearch.

It tells me it found Rustan.AN, so I tell him to remove, it tries, restarts but then finds it again.

I freak out some more, download Avira, install it, let it do a full search and quarantine everything it found.

I delete the executables which were in C:\ and the autorun.inf too.

I also noticed multiple instances of svchost.exe which are unusual, I closed them because in ProcessExplorer I saw that they had keys in a "Temporary Internetfiles\Content.IE5" folder of the user NetworkServices, which is where the virus nested itself.

I'm getting calm, then my PC crashes, bluescreen flickered to fast, couldn't read anything.

Next 3 boot attempts fail because it wouldn't let me click anything on the desktop, then finally it lets me and actually works fine, so I google rustan, find this here.

Meanwhile I check avira's quarantine to see what it actually quarantined and it's a lot of the rustan (in c:\, in autorun and in temp inet files) and hundreds of strange *.sys in c:\System Volume Information, which explorer.exe tells me is 0 byte and I can't open it.

Can I backup "My Documents" safely yet?

Here's the Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:06:28, on 24.09.2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:










C:\Programme\Avira\AntiVir Desktop\sched.exe

C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe



C:\Programme\ASUS\Ai Nap\AiNap.exe

C:\Programme\AMD\AMD Power Monitor\AMD_PwrMon.exe

C:\Programme\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

C:\Programme\Logitech\GamePanel Software\G-series Software\LGDCore.exe





C:\Programme\Logitech\Gaming Software\LWEMon.exe


C:\Programme\Avira\AntiVir Desktop\avgnt.exe



C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe

C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE



C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Ai Nap] "C:\Programme\ASUS\Ai Nap\AiNap.exe"

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [AMD_Display] C:\Programme\AMD\AMD Power Monitor\AMD_PwrMon.exe

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programme\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programme\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [amd_dc_opt] C:\Programme\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [start WingMan Profiler] C:\Programme\Logitech\Gaming Software\LWEMon.exe /noui

O4 - HKLM\..\Run: [boincmgr] "C:\Programme\BOINC\boincmgr.exe" /a /s

O4 - HKLM\..\Run: [boinctray] "C:\Programme\BOINC\boinctray.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\Ivan\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: FlashCookieKiller.cmd

O4 - Global Startup: Launchy.lnk = C:\Programme\Launchy\Launchy.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6329B1D1-4B69-4F21-99D8-15CE590F1B3E}: NameServer =,

O17 - HKLM\System\CCS\Services\Tcpip\..\{8C865D42-9C3E-4531-A73C-2E18B1C24D59}: NameServer =,

O17 - HKLM\System\CCS\Services\Tcpip\..\{8CD12EE9-3004-4DB9-BE85-5E243BF24FA0}: NameServer =,

O17 - HKLM\System\CS2\Services\Tcpip\..\{4331C3D3-BA1C-4F78-9643-CDEDAEFE5213}: NameServer =,

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

O20 - Winlogon Notify: __c00A2178 - C:\WINDOWS\system32\__c00A2178.dat

O23 - Service: Adobe Version Cue CS3 {de_DE} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Avira AntiVir Planer (antivirschedulerservice) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe

O23 - Service: Intelligenter Hintergrund

Edited by AdvancedSetup
Removed CODE BOX
Link to post
Share on other sites

  • Root Admin

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.