Rustbfix is, of the applications I have written, the one that has received the most attention. It works like this: it checks for a Rustock.b infection. If one is found, it runs Swandog46's Avenger to unload the rootkit driver, then deals with the alternate data stream (ADS) attached to the system32 folder and with the files found in the system32 folder.

Rustbfix is essentially just a batch script; Avenger does the hard work of getting past the rootkit that hides Rustock.b. Nevertheless Rustbfix attracted some attention internationally, because from the user's perspective most of the work was automated.

CANNED SPEECH:
Download Rustbfix from one of these locations:
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
http://www.spywareinfo.dk/download/Rustbfix.exe
http://www.ctrlaltdel.dk/rustbfix.exe
...and save it to your desktop.

Double-click rustbfix.exe to run the tool. If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and a second reboot may be needed, but this happens automatically. After the reboot, two logfiles will open (%root%\avenger.txt and %root%\rustbfix\pelog.txt). Post the contents of these logfiles along with a new HijackThis log.

The tool also writes a logfile that can be posted in anti-spyware communities for analysis. An example from a cleaned machine:

************************* Rustock.b-fix -- By ejvindh *************************
19-10-2006 21:59:37,90


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
Attempting to remove ADS...
system32: deleted 66432 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************
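The two indicators the logfile above reports (a driver named PE386 and a named stream such as lzx32.sys attached to the System32 folder) can be re-checked by hand. The script below is an added example and is not part of Rustbfix; it assumes Windows with PowerShell 3.0 or later (for the -Stream parameter) in an elevated session, and the function name and its parameters are this example's own. One caveat matters: while the Rustock.b driver is loaded, it hides both its service entry and the stream from user-mode tools, so a clean result is only meaningful after the driver has been unloaded, which is exactly why Rustbfix hands that step to Avenger at boot time.

```powershell
# Added example, not part of Rustbfix: re-check the Rustock.b indicators that
# the Rustbfix log reports. Assumptions: Windows, PowerShell 3.0 or later,
# run from an elevated session. Function name and parameters are hypothetical.
function Test-RustockBIndicators {
    param(
        [string]$DriverName = 'PE386',   # driver name reported by the Rustbfix log
        [switch]$Remove                  # delete the streams found instead of only listing them
    )

    $sys32 = Join-Path $env:SystemRoot 'System32'

    # 1. Driver: look for a registered service key and a loaded/registered
    #    system driver with that name. Get-Service only lists Win32 services,
    #    so kernel drivers are queried through Win32_SystemDriver instead.
    $regKey    = Join-Path 'HKLM:\SYSTEM\CurrentControlSet\Services' $DriverName
    $keyExists = Test-Path -LiteralPath $regKey
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = '$DriverName'" -ErrorAction SilentlyContinue

    # 2. Named streams on the System32 directory itself. A directory has no
    #    default :$DATA stream, so anything listed here was attached deliberately.
    $streams = @(Get-Item -LiteralPath $sys32 -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' })

    $removed = @()
    if ($Remove) {
        foreach ($s in $streams) {
            # Remove-Item -Stream deletes only the named stream, not the directory.
            Remove-Item -LiteralPath $sys32 -Stream $s.Stream -Force
            $removed += $s.Stream
        }
    }

    [pscustomobject]@{
        DriverName      = $DriverName
        DriverKeyExists = $keyExists
        DriverState     = $(if ($drv) { $drv.State } else { 'NONE' })
        Streams         = @($streams | ForEach-Object { '{0} ({1} bytes)' -f $_.Stream, $_.Length })
        StreamsRemoved  = $removed
    }
}

# Report only; add -Remove to delete the streams found, then reboot.
Test-RustockBIndicators | Format-List
```

Run it once before cleanup and once after the Avenger reboot: the second run should show DriverKeyExists False, DriverState NONE and an empty Streams list, matching the "Post-run Status" section of the Rustbfix log.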

The tool has not been updated for several years now, so it is mainly of historical interest.