Author Topic: Raising the Bar: Rustock.A and Advances in Rootkits  (Read 10406 times)


Nath²

  • Guest
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #15 on: January 06, 2007, 02:38:09 PM »
Good afternoon.
For Take: Taking information from the sites and so on, I'm surprised too: no folder, no registry entry, but avast and Spysweeper still find information from the trojan. But since the hard work done by avast between Sunday and yesterday, the PC seems to be in better health: less hard drive access, and the internet connection seems more efficient. I'll go this afternoon to all the sites you gave me. Bitdefender, online as on the hard drive, doesn't find any problem.
For Closseau: with Spysweeper, I put off the information for winmix; normally, it must have been deleted months ago, when I stopped speaking in their chat room. I don't understand why it was still there, but it was there before the problems began. For the other reference, I have to understand how HJK works, so as not to make mistakes.
Many thanks. I'll continue trying, and I'll leave you the information I find with the scans.

Nath²

  • Guest
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #16 on: January 08, 2007, 10:35:45 PM »
Good evening, sorry for the delay, I had some hardware problems with the computer yesterday. I've done as many scans as I could; I've attached 2 of the reports, one will be in another post. I didn't do the scans with the Turkish site, as I couldn't find where to click. Trendmicro was impossible: it wanted to uninstall avast AND Spysweeper. Spysweeper being the software finding the trojan, I didn't want to uninstall it, and so it stopped the installation. No virus found by Bitdefender, none at the reinstall of Avast; Spysweeper finds "traces" of the trojan every night :-(.
I used the computer on Saturday and tried to make it work hard; no real problems like there were before (slow, not stable). Do you think the trojan has been killed? Thanks so much for the answers given and to come.

Nath²

  • Guest
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #17 on: January 08, 2007, 10:39:27 PM »
And the last one, Kaspersky. When installing, escan told me some files were not good, but I didn't get any report of that (entries in the registry no longer valid...); I chose to delete everything that was proposed for deletion at that time. Have a good evening if you are on the Paris meridian; thanks for all this help, hoping you'll write to me that the problem is not in my computer anymore.

galooma

  • Guest
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #18 on: January 09, 2007, 12:40:04 AM »
System restore has a bad file (indicated on KAV scan) which can be removed by turning off system restore, rebooting and then turning it back on. This will clear any old files from there.

If you go back to the removal instructions on Polonus's post you will see reference to some files in system 32 folder that need to be removed.
I'm guessing that the one that shows in F Secure scan (c:\WINDOWS\system32:lzx32.sys) is one of those.

Can you check your folder options to ensure you have them set to see all hidden files and folders, then explore for that file and try to kill it, maybe in safe mode.
If it won't budge try Killbox http://www.softpedia.com/get/Security/Secure-cleaning/Pocket-Killbox.shtml

good luck

mauserme

  • Guest
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #19 on: January 09, 2007, 04:20:51 AM »
I believe c:\WINDOWS\system32:lzx32.sys indicates rustock.B rather than rustock.A

Maybe this removal tool would be better (scroll about half way down the page)

http://www.geekstogo.com/forum/How_to_Remove_Rustock_b_pe386_lzx32_msguard_infections-t140682.html
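
Added note, not part of the original thread: the path reported above, c:\WINDOWS\system32:lzx32.sys, is written in NTFS alternate data stream notation (a stream named lzx32.sys attached to the system32 directory), and Explorer does not list such streams whatever the hidden-files setting. The Python sketch below is an added example with hypothetical function names and constructed sample report lines; it splits such paths and flags the ones that carry a named stream.

```python
import re

_DRIVE = re.compile(r"^[A-Za-z]:")  # the drive-letter colon is not a stream separator

def split_stream(path):
    """Split 'file:stream[:$TYPE]' into (base, stream, type).

    stream is '' for the default unnamed data stream and None when the
    path carries no stream notation at all.
    """
    m = _DRIVE.match(path)
    drive = m.group(0) if m else ""
    rest = path[len(drive):]
    # Stream notation can only appear on the last path component.
    head, sep, leaf = rest.rpartition("\\")
    parts = leaf.split(":")
    if len(parts) == 1:
        return path, None, None
    if len(parts) > 3:
        raise ValueError("not a valid NTFS stream path: %r" % path)
    stype = parts[2] if len(parts) == 3 else "$DATA"
    return drive + head + sep + parts[0], parts[1], stype

def named_streams(report_lines):
    """Return (base, stream) for every path carrying a named data stream."""
    hits = []
    for line in report_lines:
        base, stream, stype = split_stream(line.strip())
        if stream and stype.upper() == "$DATA":
            hits.append((base, stream))
    return hits

# Constructed scanner-report paths; only the second one comes from the thread.
# Zone.Identifier is the benign mark-of-the-web stream, so hits still need triage.
SAMPLE = [
    r"c:\WINDOWS\system32\drivers\tcpip.sys",
    r"c:\WINDOWS\system32:lzx32.sys",
    r"c:\WINDOWS\notepad.exe::$DATA",
    r"d:\downloads\setup.exe:Zone.Identifier:$DATA",
]

if __name__ == "__main__":
    for base, stream in named_streams(SAMPLE):
        print("named stream %r on %r" % (stream, base))
```

A named stream on a directory such as system32 is the unusual case worth a closer look; named streams on downloaded files are routine.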

Nath²

  • Guest
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #20 on: January 09, 2007, 09:28:49 PM »
Good evening:
For Cloussau: I've done it for System Restore, thanks.
I too think it is lzx32.sys; this is the one pointed out by Spysweeper.
As for my folder options, they are correctly set to "show all".
For Mauserme: Thanks, I found this topic (on my own) very late yesterday evening and downloaded it. I ran it this evening; Spysweeper is running now, so I can verify whether it still sees the file.
Many thanks, all. I'll come back to tell you if it works, so that you can help others (my English and my computer skills are too poor for me to do the same).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #21 on: January 09, 2007, 11:22:18 PM »
I would suggest you might also consider proactive protection; in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.10.6086 (build 23.10.8563.800) UI 1.0.784/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Nath²

  • Guest
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #22 on: January 10, 2007, 10:23:49 PM »
Good evening. All is OK on the computer, thanks to the removal program and to the combination of Spysweeper and avast, which kept the system in a usable state during all the time I spent sweeping. Thanks for all your help.
OK, DavidR, I'll look at your suggestions and apply them.
It was my own fault: I clicked on a file I shouldn't have and got the trojan that way. Normally I'm careful; one second of inattention and more than a week of sorrows :-(
Have a good night, and ... thanks