How to Remove Rustock.b, pe386, lzx32, msguard infections

5 replies to this topic

#1 admin (Founder Geek, Community Leader, 24,639 posts)

How to Remove Rustock.b, pe386, lzx32, msguard infections


Credit: ejvindh and Swandog46

The main symptom of the trojan Rustock.b rootkit infection (sometimes identified as pe386, lzx32 or msguard) is heavy network activity without any obvious reason. When analysing the computer, the traditional malware tools do not typically find anything. However, tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection:

GMER:

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
........
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
.........

---- Files - GMER 1.0.11 ----

ADS ...
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!


COMBOFIX:

Rootkit driver pe386 is present. A rootkit scan is required
or
Rootkit driver lzx32 is present. A rootkit scan is required
or
Rootkit driver msguard is present. A rootkit scan is required


SMITFRAUDFIX (search-log):

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard
pe386 detected, use a Rootkit scanner
or
msguard detected, use a Rootkit scanner
or
lzx32 detected, use a Rootkit scanner


SDFIX:

Services:
---------

Rootkit pe386 Present. Rootkit scan required!
or
Rootkit lzx32 Present. Rootkit scan required!
or
Rootkit msguard Present. Rootkit scan required!


Rustock.b (pe386, lzx32, msguard) Removal Instructions:
  • Download rustbfix.exe ... and save it to your desktop.
  • Double click on rustbfix.exe to run the tool.
  • If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
  • After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.
Note: If the infection is found, the tool will produce 2 logs. The specific rustbfix log could look like this:

************************* Rustock.b-fix -- By ejvindh *************************
19-10-2006 21:59:37,90


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
Attempting to remove ADS...
system32: deleted 66432 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************


If no rustock.b-infection is found, the logfile will look like this:

************************* Rustock.b-fix -- By ejvindh *************************
06-10-19 22:37:34.93


No Rustock.b-rootkits found


******************************* End of Logfile ********************************


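A small triage helper, added here as an example and not part of the guide or of the rustbfix tool: it runs the indicator line shapes quoted above (GMER hidden service, registry and file lines; ComboFix, SmitFraudFix and SDFix service checks; the rustbfix ADS listing) over saved log text and groups hits by rootkit name, so someone reviewing a posted log can see at a glance which of the three names showed up and where. The function names and the sample log are constructed for this example.

```python
import re
from typing import Dict, List

# Service/driver names the guide lists for the Rustock.b family.
NAME = r"(?P<name>pe386|lzx32|msguard)"

# One pattern per tool output format quoted in the guide (case-insensitive).
PATTERNS = {
    "gmer_service":  re.compile(rf"^Service\s+\S+\s+\(\*\*\* hidden \*\*\* \).*?{NAME}", re.I),
    "gmer_registry": re.compile(rf"^Reg\s+\\Registry\\MACHINE\\SYSTEM\\\S*\\Services\\{NAME}\b", re.I),
    "gmer_file":     re.compile(rf"^File\s+\S*{NAME}\.sys\s+<--\s+ROOTKIT", re.I),
    "combofix":      re.compile(rf"^Rootkit driver {NAME} is present", re.I),
    "sdfix":         re.compile(rf"^Rootkit {NAME} Present", re.I),
    "smitfraudfix":  re.compile(rf"^{NAME} detected, use a Rootkit scanner", re.I),
    "rustbfix_ads":  re.compile(rf"^:{NAME}\.sys\s+(?P<size>\d+)$", re.I),
}


def scan_log(text: str) -> Dict[str, List[str]]:
    """Group matching log lines by rootkit name, each prefixed with the format that hit."""
    hits: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for fmt, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                hits.setdefault(m.group("name").lower(), []).append(f"{fmt}: {line}")
                break  # each line belongs to exactly one tool format
    return hits


def is_infected(text: str) -> bool:
    """True if any tool line points at one of the three Rustock.b names."""
    return bool(scan_log(text))


# Constructed sample built from the line shapes quoted in the guide (not a real log).
SAMPLE_LOG = r"""
---- Services - GMER 1.0.11 ----
Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!
Rootkit driver pe386 is present. A rootkit scan is required
:lzx32.sys 66432
"""
CLEAN_LOG = "No Rustock.b-rootkits found\nNo streams found.\n"

if __name__ == "__main__":
    for name, lines in scan_log(SAMPLE_LOG).items():
        print(name, len(lines), "indicator line(s)")
```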


#2 admin (Founder Geek, Community Leader, 24,639 posts)
This topic has been left open to allow specific questions and comments related ONLY to this guide. It's NOT for posting HJT logs, links to your logs, or any other general malware help. Replies not following these rules will be deleted. Thanks for your cooperation.

#3 andyroo54 (New Member, 1 post)
Hi

I would just love to thank both of the developers of this app which helped remove the trojan, the only reason I signed up for this forum is to thank you two! Thank you so much, your work does not go unappreciated!

#4 roeeo (New Member, 8 posts)
Hi, I seem to have a rootkit that I can't get rid of.

GMER log file below

I have even received an email from the ACMA's Australian Internet Security Initiative (AISI) via my ISP advising as follows:
[2010-05-07 11:50:35] [xxx.xx.xxx.xxx] Trojan: Rustock

Can anyone please help me follow this to ground and get rid of it? I am not happy to be spamming the world.
FYI, I am somewhat capable on the computer, but I may require some more detailed instructions on registry changes or in-depth investigations.

Edited by Rorschach112, 12 May 2010 - 05:37 AM.
removed log


#5 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Please go to the malware forum and follow the instructions at the top, especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty (and you may not be), then post an OTListIt log in THAT forum.

#6 roeeo (New Member, 8 posts)
OK, just read the teacher's post. I'll redact the comment and try following the directions first.

Edited by roeeo, 12 May 2010 - 06:25 AM.
