Rustock.b - msguard, pe386, & lzx32 RootKit Removal

Discussion in 'Malware Removal FAQ' started by chaslang, Dec 16, 2006.

Thread Status: Not open for further replies.

Posted by chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Rustock.b (msguard, pe386, & lzx32) Removal Instructions!

    This infection is not easily detected, since it uses ADS and rootkit technology to hide from you. However, a typical sign, when it is detected, is a message from a scanner showing a file like the one below:

    C:\WINDOWS\system32\lzx32.sys or C:\WINDOWS\system32:lzx32.sys

    Note that the : in the file name indicates that an ADS (Alternate Data Stream) is being used.

    To remove this, follow the below steps!
    1. Download this removal tool to your Desktop: rustbfix.exe
    2. Double click on rustbfix.exe to run the tool.
      • If a Rustock.b infection is found, you will be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically.
      • After the reboot, 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Please attach these two logs to your next message.
    Note: If an infection is found, the specific rustbfix log will look similar to the below:
    If no Rustock.b infection is found, the logfile will look like this:


    Credit: ejvindh and Swandog46 for the original procedure and tool!
    Last edited: Dec 16, 2006
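As an added example (not part of the original post or of the rustbfix tool), the PowerShell function below lists the alternate data streams on the System32 directory and the files directly inside it, and flags the pattern described above: a driver-looking stream (*.sys) or any named stream hung off a directory. The default path, the stream whitelist and the "suspicious" heuristic are assumptions; it needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not the original post's or rustbfix's code.
# Enumerates named NTFS streams ("file:stream" in scanner output) and flags
# the Rustock.b-style pattern of a .sys stream attached to a directory.
# Caveat: an active kernel rootkit can hide the stream from this user-mode
# enumeration, so an empty result is not proof of a clean system.
function Find-SuspiciousStreams {
    param(
        # Assumed default; the page's sample path is C:\WINDOWS\system32
        [string]$Path = 'C:\Windows\System32'
    )
    # The directory itself plus its direct children (hidden/system included)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # -Stream * lists every stream; ':$DATA' is the normal unnamed data
        # stream and Zone.Identifier is the harmless "downloaded from" marker.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin @(':$DATA', 'Zone.Identifier') }

        foreach ($s in $streams) {
            [pscustomobject]@{
                Host       = $item.FullName
                Stream     = $s.Stream
                Length     = $s.Length
                # Heuristic (assumption): a .sys stream anywhere, or any named
                # stream on a directory, deserves a look.
                Suspicious = ($s.Stream -like '*.sys') -or $item.PSIsContainer
            }
        }
    }
}

# Usage: show only the flagged streams, e.g. "C:\Windows\System32  lzx32.sys"
Find-SuspiciousStreams | Where-Object Suspicious | Format-Table -AutoSize
```

Run it before and after the removal steps above; a stream that disappears from this listing only after rustbfix's reboot is consistent with the infection the post describes.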