ejvindh.net :: Malware and Rootkits for Windows :: About Windows rootkits

Rustbfix
ejvindh
#1
Posted on 15-02-2007 13:26

Super Administrator

Posts: 447
Joined: 15.08.06

I have been working with this automatic tool for the fixing of Rustock.b-infections. It is based upon Swandog46's Avenger-tool (thank you for the permission to include Avenger in the fix) combined with the batch-check that can be found in sUBs' Combofix, S!Ri's Smitfraudfix and AndyManchesta's SDfix. And with flexhex' ADS-tools.

Basically it runs like this: Makes a check for Rustock.b-infection. If found, runs Avenger's unload-module, lets Avenger restart, and fixes the ADS attached to the system32-folder and the files found in the system32-folder.

From a user's point of view, the main symptom is heavy network activity without any obvious reason. When analysing the computer, the traditional tools do not find anything. But tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection:

GMER:
---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
........
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
.........

---- Files - GMER 1.0.11 ----

ADS ...
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!


COMBOFIX:
Rootkit driver pe386 is present. A rootkit scan is required
or
Rootkit driver lzx32 is present. A rootkit scan is required
or
Rootkit driver msguard is present. A rootkit scan is required
or
Rootkit driver huy32 is present. A rootkit scan is required
or
Rootkit driver xpdt is present. A rootkit scan is required


SMITFRAUDFIX (search-log):
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard
pe386 detected, use a Rootkit scanner
or
msguard detected, use a Rootkit scanner
or
lzx32 detected, use a Rootkit scanner
or
huy32 detected, use a Rootkit scanner
or
xpdt detected, use a Rootkit scanner


SDFIX:
Services:
---------

Rootkit pe386 Present. Rootkit scan required!
or
Rootkit lzx32 Present. Rootkit scan required!
or
Rootkit msguard Present. Rootkit scan required!
or
Rootkit huy32 Present. Rootkit scan required!
or
Rootkit xpdt Present. Rootkit scan required!


The tool can be found here:
http://www.upload...stbfix.exe
http://uploads.ej...stbfix.exe
http://www.spywar...stbfix.exe
http://www.ctrlal...stbfix.exe

If the infection is found, the tool will produce 2 logs: A traditional Avenger-log, and the specific rustbfix-log. The rustbfix-log could look like this:
************************* Rustock.b-fix -- By ejvindh *************************
19-10-2006 21:59:37,90


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
Attempting to remove ADS...
system32: deleted 66432 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************


If no rustock.b-infection is found, the logfile will look like this:
************************* Rustock.b-fix -- By ejvindh *************************
06-10-19 22:37:34.93


No Rustock.b-rootkits found


******************************* End of Logfile ********************************


Suggestion for canned speech:
Download Rustbfix from one of these locations:
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
http://www.spywareinfo.dk/download/Rustbfix.exe
http://www.ctrlaltdel.dk/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
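
The detection checks quoted above, as an added example that is not part of the original post and not code from the Rustbfix tool: a Python log-triage helper that applies the same five indicator names (pe386, lzx32, msguard, huy32, xpdt) to the GMER, Combofix, SmitfraudFix and SDFix output formats shown in the post, and a second function that reads a Rustbfix pelog.txt and reports whether the post-run status is clean (driver gone and no ADS left on system32). The sample log text is constructed from the lines in the post; the function names, the Finding class and the regexes are this example's own assumptions about the log formats.

```python
import re
from dataclasses import dataclass

# Service / driver names that the Combofix, SmitfraudFix and SDFix checks quoted in the
# post report as Rustock.b indicators. The set is taken from the post, not extended.
RUSTOCK_B_NAMES = frozenset({"pe386", "lzx32", "msguard", "huy32", "xpdt"})

# One regex per log format shown in the post (assumed from the quoted lines). Named groups
# capture the service name and/or the driver file path so both are checked.
PATTERNS = {
    "gmer_service": re.compile(
        r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<name>\S+)\s+<-- ROOTKIT", re.I),
    "gmer_registry": re.compile(
        r"^Reg\s+\\Registry\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\(?P<name>[^@\s\\]+)", re.I),
    "gmer_file": re.compile(r"^File\s+(?P<path>\S+)\s+<-- ROOTKIT", re.I),
    "combofix": re.compile(r"^Rootkit driver (?P<name>\S+) is present\.", re.I),
    "smitfraudfix": re.compile(r"^(?P<name>\S+) detected, use a Rootkit scanner", re.I),
    "sdfix": re.compile(r"^Rootkit (?P<name>\S+) Present\.", re.I),
}


@dataclass(frozen=True)
class Finding:
    tool: str   # which log format the line matched
    name: str   # normalised indicator name, e.g. "pe386"
    line: str   # the log line it came from, for the analyst's report


def _stem(win_path):
    # r"C:\WINDOWS\system32\lzx32.sys" -> "lzx32" (Windows paths, so split on backslash)
    base = win_path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def scan_log(text):
    """Return a Finding for every log line that names a Rustock.b indicator."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for tool, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            groups = m.groupdict()
            names = set()
            if groups.get("name"):
                names.add(groups["name"].lower())
            if groups.get("path"):
                names.add(_stem(groups["path"]))
            for name in sorted(names & RUSTOCK_B_NAMES):
                findings.append(Finding(tool, name, line))
    return findings


def indicator_names(text):
    """The distinct Rustock.b names seen in a log, sorted."""
    return sorted({f.name for f in scan_log(text)})


def parse_rustbfix_log(text):
    """Summarise a Rustbfix pelog.txt: pre-run findings and whether the post-run state is clean."""
    result = {"infected": False, "driver": None, "pre_ads": [], "post_clean": None}
    section = None
    driver_gone = ads_gone = False
    for raw in text.splitlines():
        line = raw.strip()
        if "Pre-run Status" in line:
            section = "pre"
        elif "Post-run Status" in line:
            section = "post"
        elif line.startswith("No Rustock.b-rootkits found"):
            result["post_clean"] = True          # nothing found, nothing to fix
        elif section == "pre":
            m = re.match(r"^Rootkit driver (\S+) is found", line, re.I)
            if m:
                result["infected"] = True
                result["driver"] = m.group(1).lower()
            m = re.match(r"^:(\S+)\s+(\d+)$", line)  # an ADS entry such as ":lzx32.sys 66432"
            if m:
                result["pre_ads"].append((m.group(1), int(m.group(2))))
        elif section == "post":
            if line.startswith("Rustock.b-driver on the system:"):
                driver_gone = line.rstrip("!").endswith("NONE")
            elif line == "No streams found.":
                ads_gone = True
    if section == "post":
        result["post_clean"] = driver_gone and ads_gone   # clean only if both checks passed
    return result


# Constructed sample: the detection lines the post quotes from GMER, Combofix, SDFix and
# SmitfraudFix, plus two benign service lines that must not be flagged.
SAMPLE_SCAN_LOG = r"""
---- Services - GMER 1.0.11 ----
Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\tcpip.sys [SYSTEM] Tcpip
---- Registry - GMER 1.0.11 ----
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip@Start 1
---- Files - GMER 1.0.11 ----
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!
Rootkit driver msguard is present. A rootkit scan is required
Rootkit huy32 Present. Rootkit scan required!
xpdt detected, use a Rootkit scanner
"""

# Constructed sample modelled on the infected-run pelog shown in the post.
SAMPLE_PELOG = """
******************* Pre-run Status of system *******************
Rootkit driver PE386 is found. Starting the unload-procedure....
Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
system32: deleted 66432 bytes in 1 streams.
******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No streams found.
******************************* End of Logfile ********************************
"""

SAMPLE_CLEAN_PELOG = "No Rustock.b-rootkits found\n"

if __name__ == "__main__":
    for f in scan_log(SAMPLE_SCAN_LOG):
        print(f"{f.tool:13} {f.name:8} {f.line}")
    print(parse_rustbfix_log(SAMPLE_PELOG))
    print(parse_rustbfix_log(SAMPLE_CLEAN_PELOG))
```

Each tool's output is matched by its own pattern rather than by a blanket search for the five names, so a benign service such as Tcpip never produces a finding, and the GMER service line yields both the service name (pe386) and the driver file (lzx32) as separate findings. The pelog parser deliberately reports post_clean only when both the driver and the ADS lines say the system is clean; a log with one but not the other is a fix that needs a second look.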
 
ejvindh
#2
Posted on 06-03-2009 22:12

Super Administrator

Posts: 447
Joined: 15.08.06

ejvindh wrote: (post #1 quoted in full)