How to Remove Rustock.b, pe386, lzx32, msguard infections

How to Remove Rustock.b, pe386, lzx32, msguard infections

Credit: ejvindh and Swandog46

The main symptom of the trojan Rustock.b rootkit infection (sometimes identifed as pe386, lzx32 or msguard), is heavy network-activity without any obvious reason. When analysing the computer, the traditional malware tools do not typically find anything. However, tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection:

GMER:

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
........
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
.........

---- Files - GMER 1.0.11 ----

ADS ...
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!

COMBOFIX:

Rootkit driver pe386 is present. A rootkit scan is required
or
Rootkit driver lzx32 is present. A rootkit scan is required
or
Rootkit driver msguard is present. A rootkit scan is required

SMITFRAUDFIX (search-log):

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard
pe386 detected, use a Rootkit scanner
or
msguard detected, use a Rootkit scanner
or
lzx32 detected, use a Rootkit scanner

SDFIX:

Services:
---------

Rootkit pe386 Present. Rootkit scan required!
or
Rootkit lzx32 Present. Rootkit scan required!
or
Rootkit msguard Present. Rootkit scan required!

Rustock.b (pe386, lzx32, msguard) Removal Instructions:

• Download - rustbfix.exe ...and save it to your desktop.
  
• Double click on rustbfix.exe to run the tool.
• If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
• After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.

Note: If the infection is found, the tool will produce 2 logs: The specific rusbfix-log could look like this:

************************* Rustock.b-fix -- By ejvindh *************************
19-10-2006 21:59:37,90


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
Attempting to remove ADS...
system32: deleted 66432 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************

If no rustock.b-infection is found, the logfile will look like this:

************************* Rustock.b-fix -- By ejvindh *************************
06-10-19 22:37:34.93


No Rustock.b-rootkits found


******************************* End of Logfile ********************************

This topic has been left open to allow specific questions and comments related ONLY to this guide. It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.

Hi

I would just love to thank both of the developers of this app which helped remove the trojan, the only reason I signed up for this forum is to thank you two! Thank you so much, your work does not go unappreciated!

Hi, i seem to have a rootkit that i can't get rid of.

GMER log file below

i have even received an email from the ACMA's Australian Internet Security Initiative (AISI) via my ISP advising as follows
[2010-05-07 11:50:35] [xxx.xx.xxx.xxx] Trojan: Rustock

can anyone please help me follow this to ground and get rid of it, i am not happy to be spamming the world.
FYI, i am somewhat capable on the computer but i may require some more detailed instructions on registry changes or in depth investigations.

Edited by Rorschach112, 12 May 2010 - 05:37 AM.
removed log

Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post an OTListIt log in THAT forum.

ok, just read the teachers post, i'll redact the comment and try following the directions first.

Edited by roeeo, 12 May 2010 - 06:25 AM.