How to Remove Rustock.b, pe386, lzx32, msguard infections

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide. Want to reply to a topic, start a new one, or remove the advertising? Join today (always free).

> Geeks to Go! » Security » Malware Removal Guides and Tutorials

How to Remove Rustock.b, pe386, lzx32, msguard infections, (removal instructions)

Options

admin View Member Profile	Dec 2 2006, 05:33 PM Post #1
Site Administrator Posts: 17,476 From: 127.0.0.1 OS: Windows Vista Ultimate	How to Remove Rustock.b, pe386, lzx32, msguard infections Credit: ejvindh and Swandog46 The main symptom of the trojan Rustock.b rootkit infection (sometimes identifed as pe386, lzx32 or msguard), is heavy network-activity without any obvious reason. When analysing the computer, the traditional malware tools do not typically find anything. However, tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection: GMER: QUOTE ---- Services - GMER 1.0.11 ---- Service C:\WINDOWS\System32\lzx32.sys (* hidden * ) [SYSTEM] pe386 <-- ROOTKIT !!! ---- Registry - GMER 1.0.11 ---- Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1 ........ Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1 ......... ---- Files - GMER 1.0.11 ---- ADS ... File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!! COMBOFIX: QUOTE Rootkit driver pe386 is present. A rootkit scan is required or Rootkit driver lzx32 is present. A rootkit scan is required or Rootkit driver msguard is present. A rootkit scan is required SMITFRAUDFIX (search-log): QUOTE 换换换换换换换换换换换换 pe386-msguard pe386 detected, use a Rootkit scanner or msguard detected, use a Rootkit scanner or lzx32 detected, use a Rootkit scanner SDFIX: QUOTE Services: --------- Rootkit pe386 Present. Rootkit scan required! or Rootkit lzx32 Present. Rootkit scan required! or Rootkit msguard Present. Rootkit scan required! Rustock.b (pe386, lzx32, msguard) Removal Instructions: Download - rustbfix.exe ...and save it to your desktop. Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log. Note: If the infection is found, the tool will produce 2 logs: The specific rusbfix-log could look like this: QUOTE *********************** Rustock.b-fix -- By ejvindh ********************* 19-10-2006 21:59:37,90 *************** Pre-run Status of system *************** Rootkit driver PE386 is found. Starting the unload-procedure.... Examine the Avenger-logfile in order to assess the success of the unload-procedure Rustock.b-ADS attached to the System32-folder: :lzx32.sys 66432 Total size: 66432 bytes. Attempting to remove ADS... system32: deleted 66432 bytes in 1 streams. *************** Post-run Status of system *************** Rustock.b-driver on the system: NONE! Rustock.b-ADS attached to the System32-folder: No streams found. *************************** End of Logfile **************************** If no rustock.b-infection is found, the logfile will look like this: QUOTE ********************* Rustock.b-fix -- By ejvindh ********************* 06-10-19 22:37:34.93 No Rustock.b-rootkits found *************************** End of Logfile ******************************

admin View Member Profile	Jul 12 2007, 04:19 PM Post #2
Site Administrator Posts: 17,476 From: 127.0.0.1 OS: Windows Vista Ultimate	This topic has been left open to allow specific questions and comments related ONLY to this guide. It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.

« Next Oldest · Malware Removal Guides and Tutorials · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Similar Topics

Topic Title	Replies / Views	Topic Information
Malware Removal Guides and Tutorials How-to remove Winfixer, Virtumonde, Msevents, Trojan.vundo, ATLDistrib 123» 5	72 / 270,286	29th November 2008 - 08:38 AM admin started - last by sari
Malware Removal Guides and Tutorials How to remove IE Defender 1234	49 / 43,900	24th November 2008 - 02:57 PM miekiemoes started - last by njay
Malware Removal Guides and Tutorials How to Remove Trojan.Win32.Obfuscated.gx 1234	59 / 51,357	24th November 2008 - 03:02 PM admin started - last by Rorschach112
Malware Removal Guides and Tutorials How to remove Antivirus XP 2008	5 / 2,517	28th November 2008 - 08:11 PM Mike started - last by lara123

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Time is now: 3rd December 2008 - 01:09 AM

Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.