How to Remove Rustock.b, pe386, lzx32, msguard infections, (removal instructions)
admin
post Dec 2 2006, 05:33 PM
Post #1
How to Remove Rustock.b, pe386, lzx32, msguard infections

Credit: ejvindh and Swandog46

The main symptom of the trojan Rustock.b rootkit infection (sometimes identified as pe386, lzx32 or msguard) is heavy network activity without any obvious reason. When analysing the computer, the traditional malware tools do not typically find anything. However, tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection:

GMER:
QUOTE
---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
........
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
.........

---- Files - GMER 1.0.11 ----

ADS ...
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!


COMBOFIX:
QUOTE
Rootkit driver pe386 is present. A rootkit scan is required
or
Rootkit driver lzx32 is present. A rootkit scan is required
or
Rootkit driver msguard is present. A rootkit scan is required


SMITFRAUDFIX (search-log):
QUOTE
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard
pe386 detected, use a Rootkit scanner
or
msguard detected, use a Rootkit scanner
or
lzx32 detected, use a Rootkit scanner


SDFIX:
QUOTE
Services:
---------

Rootkit pe386 Present. Rootkit scan required!
or
Rootkit lzx32 Present. Rootkit scan required!
or
Rootkit msguard Present. Rootkit scan required!


Rustock.b (pe386, lzx32, msguard) Removal Instructions:
  1. Download - rustbfix.exe ...and save it to your desktop.
  2. Double click on rustbfix.exe to run the tool.
    1. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
    2. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.
Note: If the infection is found, the tool will produce 2 logs. The specific rustbfix log could look like this:
QUOTE
************************* Rustock.b-fix -- By ejvindh *************************
19-10-2006 21:59:37,90


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
Attempting to remove ADS...
system32: deleted 66432 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************


If no rustock.b-infection is found, the logfile will look like this:
QUOTE
************************* Rustock.b-fix -- By ejvindh *************************
06-10-19 22:37:34.93


No Rustock.b-rootkits found


******************************* End of Logfile ********************************
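As an added example (not part of the guide above, and not code from rustbfix or any of the tools it names), a small Python triage helper that scans pasted GMER, ComboFix, SmitfraudFix or SDFix output for the Rustock.b aliases the guide lists. The regexes assume the line formats quoted in the guide, and the sample log lines are constructed after those quotes.

```python
import os
import re

# Service/driver names the guide lists for Rustock.b.
RUSTOCK_NAMES = {"pe386", "lzx32", "msguard"}

# One regex per tool output quoted in the guide; 'name' captures the suspect service,
# 'path' the driver file when that is all the line gives.
PATTERNS = [
    ("GMER hidden service", re.compile(
        r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[\w+\]\s+(?P<name>\w+)")),
    ("GMER service key", re.compile(
        r"^Reg\s+\\Registry\\MACHINE\\SYSTEM\\\w+\\Services\\(?P<name>\w+)")),
    ("GMER rootkit file", re.compile(r"^File\s+(?P<path>\S+)\s+<--\s+ROOTKIT")),
    ("ComboFix", re.compile(r"^Rootkit driver (?P<name>\w+) is present")),
    ("SmitfraudFix", re.compile(r"^(?P<name>\w+) detected, use a Rootkit scanner")),
    ("SDFix", re.compile(r"^Rootkit (?P<name>\w+) Present\.")),
]

def _suspect_name(match):
    """Service name from the match, or the driver file's base name without '.sys'."""
    groups = match.groupdict()
    if groups.get("name"):
        return groups["name"].lower()
    base = os.path.basename(groups["path"].replace("\\", "/"))
    return os.path.splitext(base)[0].lower()

def find_rustock_indicators(log_text):
    """Return one dict per log line that names a Rustock.b alias in a known tool format."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for tool, pattern in PATTERNS:
            m = pattern.match(line)
            if m and _suspect_name(m) in RUSTOCK_NAMES:
                hits.append({"tool": tool, "name": _suspect_name(m), "line": line})
                break  # first matching tool format wins for this line
    return hits

def rustock_aliases_seen(log_text):
    """Sorted, de-duplicated aliases found, e.g. ['lzx32', 'pe386']."""
    return sorted({h["name"] for h in find_rustock_indicators(log_text)})

# Constructed sample modelled on the GMER/ComboFix quotes, plus one benign service line.
SAMPLE_LOG = r"""Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\tcpip.sys [SYSTEM] Tcpip
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!
Rootkit driver pe386 is present. A rootkit scan is required
"""
```

Run `find_rustock_indicators(SAMPLE_LOG)` on a pasted log to get the flagged lines; the benign Tcpip service line is not reported because it is neither hidden nor named after a Rustock.b alias.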
admin
post Jul 12 2007, 04:19 PM
Post #2
This topic has been left open to allow specific questions and comments related ONLY to this guide. It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.