How to Remove Rustock.b, pe386, lzx32, msguard infections
Credit: ejvindh and Swandog46
The main symptom of the Rustock.b rootkit trojan infection (sometimes identified as pe386, lzx32 or msguard) is heavy network activity with no obvious cause. Traditional malware tools typically find nothing when the computer is scanned. However, tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection:
GMER:
---- Services - GMER 1.0.11 ----
Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
---- Registry - GMER 1.0.11 ----
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
........
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
.........
---- Files - GMER 1.0.11 ----
ADS ...
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!
COMBOFIX:
Rootkit driver pe386 is present. A rootkit scan is required
or
Rootkit driver lzx32 is present. A rootkit scan is required
or
Rootkit driver msguard is present. A rootkit scan is required
SMITFRAUDFIX (search-log):
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard
pe386 detected, use a Rootkit scanner
or
msguard detected, use a Rootkit scanner
or
lzx32 detected, use a Rootkit scanner
SDFIX:
Services:
---------
Rootkit pe386 Present. Rootkit scan required!
or
Rootkit lzx32 Present. Rootkit scan required!
or
Rootkit msguard Present. Rootkit scan required!
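As an added example that is not part of this guide or of rustbfix, the following PowerShell script checks a host for the three indicators the tools above report: the pe386/lzx32/msguard service keys, the lzx32.sys driver file, and an alternate data stream attached to the System32 folder (the same stream the rustbfix log lists under "Rustock.b-ADS"). The function name Find-RustockIndicators, the service-name list and the regex are this example's own assumptions.

```powershell
# Added example, not part of the original guide or of rustbfix: report the
# Rustock.b indicators described above on the local host.
# Assumes Windows PowerShell 3.0+ in an elevated prompt; the function name,
# $names list and regex are this example's own.
function Find-RustockIndicators {
    $names = 'pe386', 'lzx32', 'msguard'
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $hits  = New-Object System.Collections.Generic.List[string]

    # 1. Service keys: GMER reported pe386 under both ControlSet001 and
    #    CurrentControlSet, so check CurrentControlSet and every numbered set.
    $hives = @('HKLM:\SYSTEM\CurrentControlSet') +
             @(Get-ChildItem 'HKLM:\SYSTEM' |
               Where-Object { $_.PSChildName -like 'ControlSet0*' } |
               ForEach-Object { $_.PSPath })
    foreach ($hive in $hives) {
        foreach ($n in $names) {
            $key = "$hive\Services\$n"
            if (Test-Path -LiteralPath $key) { $hits.Add("service key present: $key") }
        }
    }

    # 2. The driver file itself; File.Exists also sees hidden/system files.
    $drv = Join-Path $sys32 'lzx32.sys'
    if ([System.IO.File]::Exists($drv)) { $hits.Add("driver file present: $drv") }

    # 3. Alternate data streams hung off the System32 *folder* (the pelog above
    #    shows ':lzx32.sys 66432'). 'dir /r' lists streams on directories too,
    #    one per line, e.g. '   66,432 System32:lzx32.sys:$DATA'.
    $listing = & cmd.exe /c dir /r $env:SystemRoot
    foreach ($line in $listing) {
        if ($line -match '^\s*(\d[\d,]*)\s+System32:([^:]+):\$DATA\s*$') {
            $hits.Add("ADS on System32 folder: :$($Matches[2]) ($($Matches[1]) bytes)")
        }
    }
    return ,$hits
}

$found = Find-RustockIndicators
if ($found.Count -eq 0) {
    'No Rustock.b indicators found (meaningful only once the rootkit driver is unloaded).'
} else {
    $found | ForEach-Object { "INDICATOR  $_" }
}
```

A loaded Rustock.b driver hides its service key, file and stream from user-mode tools, so a clean result only means something after the driver has been unloaded (as rustbfix does) or when the disk is examined from another operating system.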
Rustock.b (pe386, lzx32, msguard) Removal Instructions:
- Download rustbfix.exe ... and save it to your desktop.
- Double click on rustbfix.exe to run the tool.
- If a Rustock.b infection is found, you will shortly be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this happens automatically.
- After the reboot, 2 logfiles will open (%root%\avenger.txt and %root%\rustbfix\pelog.txt). If the computer is still infected, post the content of these logfiles along with a new HijackThis log. On an infected system, pelog.txt looks like this:
************************* Rustock.b-fix -- By ejvindh *************************
19-10-2006 21:59:37,90
******************* Pre-run Status of system *******************
Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure
Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
Attempting to remove ADS...
system32: deleted 66432 bytes in 1 streams.
******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No streams found.
******************************* End of Logfile ********************************
If no Rustock.b infection is found, the logfile looks like this:
************************* Rustock.b-fix -- By ejvindh *************************
06-10-19 22:37:34.93
No Rustock.b-rootkits found
******************************* End of Logfile ********************************