How to Remove Rustock.b, pe386, lzx32, msguard infections

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Malware Removal Guides and Tutorials

How to Remove Rustock.b, pe386, lzx32, msguard infections, (removal instructions)

Options

admin View Member Profile	Dec 2 2006, 05:33 PM Post #1
Site Administrator Posts: 18,685 From: 127.0.0.1 OS: Windows 7 64-bit RTM	How to Remove Rustock.b, pe386, lzx32, msguard infections Credit: ejvindh and Swandog46 The main symptom of the trojan Rustock.b rootkit infection (sometimes identifed as pe386, lzx32 or msguard), is heavy network-activity without any obvious reason. When analysing the computer, the traditional malware tools do not typically find anything. However, tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection: GMER: QUOTE ---- Services - GMER 1.0.11 ---- Service C:\WINDOWS\System32\lzx32.sys (* hidden * ) [SYSTEM] pe386 <-- ROOTKIT !!! ---- Registry - GMER 1.0.11 ---- Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1 ........ Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1 ......... ---- Files - GMER 1.0.11 ---- ADS ... File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!! COMBOFIX: QUOTE Rootkit driver pe386 is present. A rootkit scan is required or Rootkit driver lzx32 is present. A rootkit scan is required or Rootkit driver msguard is present. A rootkit scan is required SMITFRAUDFIX (search-log): QUOTE 换换换换换换换换换换换换 pe386-msguard pe386 detected, use a Rootkit scanner or msguard detected, use a Rootkit scanner or lzx32 detected, use a Rootkit scanner SDFIX: QUOTE Services: --------- Rootkit pe386 Present. Rootkit scan required! or Rootkit lzx32 Present. Rootkit scan required! or Rootkit msguard Present. Rootkit scan required! Rustock.b (pe386, lzx32, msguard) Removal Instructions: Download - rustbfix.exe ...and save it to your desktop. Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log. Note: If the infection is found, the tool will produce 2 logs: The specific rusbfix-log could look like this: QUOTE *********************** Rustock.b-fix -- By ejvindh ********************* 19-10-2006 21:59:37,90 *************** Pre-run Status of system *************** Rootkit driver PE386 is found. Starting the unload-procedure.... Examine the Avenger-logfile in order to assess the success of the unload-procedure Rustock.b-ADS attached to the System32-folder: :lzx32.sys 66432 Total size: 66432 bytes. Attempting to remove ADS... system32: deleted 66432 bytes in 1 streams. *************** Post-run Status of system *************** Rustock.b-driver on the system: NONE! Rustock.b-ADS attached to the System32-folder: No streams found. *************************** End of Logfile **************************** If no rustock.b-infection is found, the logfile will look like this: QUOTE ********************* Rustock.b-fix -- By ejvindh ********************* 06-10-19 22:37:34.93 No Rustock.b-rootkits found *************************** End of Logfile ******************************

admin View Member Profile	Jul 12 2007, 04:19 PM Post #2
Site Administrator Posts: 18,685 From: 127.0.0.1 OS: Windows 7 64-bit RTM	This topic has been left open to allow specific questions and comments related ONLY to this guide. It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.

« Next Oldest · Malware Removal Guides and Tutorials · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Similar Topics

Topic Title	Replies / Views	Topic Information
Malware Removal Guides and Tutorials How-to remove Winfixer, Virtumonde, Msevents, Trojan.vundo, ATLDistrib 123» 9	125 / 359,488	2nd November 2009 - 05:23 PM admin started - last by Rorschach112
Malware Removal Guides and Tutorials How To Remove clickfraudmanager, adwarefeed, zfsearch Firefox Redirect	13 / 7,681	23rd October 2009 - 02:13 AM jpshortstuff started - last by chamber
Malware Removal Guides and Tutorials How to remove Yoog Search/Blueskyadagency/Contextual ads/Snappyads	13 / 7,983	1st November 2009 - 08:19 PM Rorschach112 started - last by petra.blabla
Virus, Spyware and Trojan Removal how to remove advanced virus remover	0 / 43	30th October 2009 - 09:19 AM computer geek #1 started - last by computer geek #1

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Time is now: 8th November 2009 - 02:36 AM

Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks mentioned on this page are the property of their respective owners.