How to Remove Rustock.b, pe386, lzx32, msguard infections, (removal instructions)
admin
post Dec 2 2006, 05:33 PM
Post #1
How to Remove Rustock.b, pe386, lzx32, msguard infections

Credit: ejvindh and Swandog46

The main symptom of the trojan Rustock.b rootkit infection (sometimes identified as pe386, lzx32 or msguard) is heavy network activity without any obvious reason. When analysing the computer, the traditional malware tools do not typically find anything. However, tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection:

GMER:
QUOTE
---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
........
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
.........

---- Files - GMER 1.0.11 ----

ADS ...
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!


COMBOFIX:
QUOTE
Rootkit driver pe386 is present. A rootkit scan is required
or
Rootkit driver lzx32 is present. A rootkit scan is required
or
Rootkit driver msguard is present. A rootkit scan is required


SMITFRAUDFIX (search-log):
QUOTE
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard
pe386 detected, use a Rootkit scanner
or
msguard detected, use a Rootkit scanner
or
lzx32 detected, use a Rootkit scanner


SDFIX:
QUOTE
Services:
---------

Rootkit pe386 Present. Rootkit scan required!
or
Rootkit lzx32 Present. Rootkit scan required!
or
Rootkit msguard Present. Rootkit scan required!


Rustock.b (pe386, lzx32, msguard) Removal Instructions:
  1. Download - rustbfix.exe ...and save it to your desktop.
  2. Double click on rustbfix.exe to run the tool.
    1. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
    2. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.
Note: If the infection is found, the tool will produce 2 logs. The specific rustbfix-log could look like this:
QUOTE
************************* Rustock.b-fix -- By ejvindh *************************
19-10-2006 21:59:37,90


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
Attempting to remove ADS...
system32: deleted 66432 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************


If no rustock.b-infection is found, the logfile will look like this:
QUOTE
************************* Rustock.b-fix -- By ejvindh *************************
06-10-19 22:37:34.93


No Rustock.b-rootkits found


******************************* End of Logfile ********************************
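As an added example for this thread (not code from the original post, and not part of GMER, ComboFix, SmitfraudFix, SDFix or rustbfix), the following Python script triages saved scanner logs for the Rustock.b indicators the post describes: the hidden pe386 service, the Services\pe386 registry keys, the lzx32.sys driver file, the alternate data stream on the System32 folder, and the one-line alerts the other tools print. The regexes are derived solely from the log excerpts quoted above and assume those line shapes; the sample logs embedded at the bottom are constructed from the same excerpts, and `example.sys` is a made-up benign driver used as a negative case.

```python
"""Triage helper for the Rustock.b indicators (pe386 / lzx32 / msguard) in the
text output of GMER, ComboFix, SmitfraudFix, SDFix and rustbfix.

Added example for this thread; not code from the original post or from any of
those tools. The regexes are derived from the log excerpts quoted in the post
and assume those line shapes; the sample logs below are constructed from them.
"""
import re
from dataclasses import dataclass

# Service / driver names the post associates with Rustock.b
RUSTOCK_NAMES = frozenset({"pe386", "lzx32", "msguard"})


@dataclass(frozen=True)
class Finding:
    tool: str    # scanner whose output matched
    kind: str    # hidden_service | service_regkey | driver_file | ads | alert
    name: str    # pe386 / lzx32 / msguard, lower-cased
    detail: str  # the log line itself, kept as evidence


# (tool, kind, regex); every regex captures the component as group 'name'
PATTERNS = [
    ("GMER", "hidden_service", re.compile(
        r"^Service\s+\S+\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[\w+\]\s+(?P<name>\S+)", re.I)),
    ("GMER", "service_regkey", re.compile(
        r"^Reg\s+\\Registry\\MACHINE\\SYSTEM\\\S+?\\Services\\(?P<name>[^\\@\s]+)", re.I)),
    ("GMER", "driver_file", re.compile(r"^File\s+\S*\\(?P<name>[^\\.\s]+)\.sys\b", re.I)),
    ("ComboFix", "alert", re.compile(r"^Rootkit driver (?P<name>\S+) is present", re.I)),
    ("SmitfraudFix", "alert", re.compile(r"^(?P<name>\S+) detected, use a Rootkit scanner", re.I)),
    ("SDFix", "alert", re.compile(r"^Rootkit (?P<name>\S+) Present\. Rootkit scan required", re.I)),
    ("rustbfix", "alert", re.compile(r"^Rootkit driver (?P<name>\S+) is found", re.I)),
    ("rustbfix", "ads", re.compile(r"^:(?P<name>[^.\s]+)\.sys\s+\d+$", re.I)),
]


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that names a known Rustock.b component."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for tool, kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                name = m.group("name").lower()
                if name in RUSTOCK_NAMES:  # ignore unrelated drivers / services
                    findings.append(Finding(tool, kind, name, line))
                break  # first matching pattern owns the line
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each component name to the sorted kinds of evidence seen for it."""
    kinds: dict[str, set[str]] = {}
    for f in findings:
        kinds.setdefault(f.name, set()).add(f.kind)
    return {name: sorted(k) for name, k in sorted(kinds.items())}


def rustbfix_verdict(log_text: str) -> str:
    """'clean' when rustbfix found nothing, or its post-run section reports no
    driver and no stream; 'infected' when the post-run section still lists
    either; 'unknown' when there is no post-run section to judge from."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    if "No Rustock.b-rootkits found" in lines:
        return "clean"
    post_idx = [i for i, ln in enumerate(lines) if "Post-run Status" in ln]
    if not post_idx:
        return "unknown"
    post = lines[post_idx[0] + 1:]
    driver = next((ln for ln in post if ln.startswith("Rustock.b-driver on the system:")), "")
    if not driver:
        return "unknown"
    return "clean" if driver.endswith("NONE!") and "No streams found." in post else "infected"


# Constructed samples, assembled from the excerpts quoted in the post
SCANNER_LOG = r"""
Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\example.sys
Rootkit driver pe386 is present. A rootkit scan is required
msguard detected, use a Rootkit scanner
Rootkit lzx32 Present. Rootkit scan required!
"""
RUSTBFIX_REMOVED_LOG = """
******************* Pre-run Status of system *******************
Rootkit driver PE386 is found. Starting the unload-procedure....
:lzx32.sys 66432
******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
No streams found.
"""
RUSTBFIX_STILL_INFECTED_LOG = RUSTBFIX_REMOVED_LOG.replace("No streams found.", ":lzx32.sys 66432")
RUSTBFIX_NOTHING_LOG = "No Rustock.b-rootkits found\n"

if __name__ == "__main__":
    for f in triage(SCANNER_LOG):
        print(f"{f.tool:13} {f.kind:15} {f.name:8} {f.detail}")
    print(summarize(triage(SCANNER_LOG)))
    for label, log in (("removed", RUSTBFIX_REMOVED_LOG), ("still infected", RUSTBFIX_STILL_INFECTED_LOG)):
        print(label, "->", rustbfix_verdict(log))
```

Feed `triage()` the saved GMER/ComboFix/SmitfraudFix/SDFix output and `rustbfix_verdict()` the pelog.txt produced after the reboot. The script deliberately parses the specialist scanners' logs instead of querying the registry or file system itself: as the GMER excerpt shows, the service and the driver file are hidden from ordinary enumeration, which is exactly why the post says the traditional tools find nothing.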
admin
post Jul 12 2007, 04:19 PM
Post #2
This topic has been left open to allow specific questions and comments related ONLY to this guide. It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.