Of the applications I have written, Rustbfix is the one that has gained the most attention. It works like this: it checks for a Rustock.b infection. If one is found, it runs Swandog46's Avenger to unload the rootkit, then removes the alternate data stream (ADS) attached to the system32 folder and cleans up the related files found in the system32 folder.
Rustbfix is essentially just a batch script; Avenger does the hard work of getting past the rootkit techniques that hide Rustock.b. Nevertheless, Rustbfix received some attention internationally because, from the user's perspective, most of the work was automated.
CANNED SPEECH:

Download Rustbfix from one of these locations:
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
http://www.spywareinfo.dk/download/Rustbfix.exe
http://www.ctrlaltdel.dk/rustbfix.exe
...and save it to your desktop. Double click on rustbfix.exe to run the tool. If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically. After the reboot, 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
The tool also creates a log-file that can be uploaded in anti-spyware communities for analysis:
*************************
Rustock.b-fix -- By ejvindh
*************************

19-10-2006 21:59:37,90

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432

Total size: 66432 bytes.
Attempting to remove ADS...
system32: deleted 66432 bytes in 1 streams.

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.

******************************* End of Logfile ********************************
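The logfile above names the two things Rustbfix looks for: a driver service called PE386 and an ADS named lzx32.sys attached to the System32 folder. The following read-only check, written for this page as an added example and not part of Rustbfix or Avenger, reports the same two indicators so that a cleanup can be verified afterwards. The function name Test-RustockBIndicators and its parameters are my own; it assumes PowerShell 3.0 or later (for Get-Item -Stream) and an elevated prompt. A live Rustock.b rootkit hides both its driver and the stream from the running system, so a clean result from this check is only meaningful once the rootkit has been unloaded, which is exactly why Rustbfix relied on Avenger.

```powershell
# Added example (not part of Rustbfix or Avenger): read-only check for the two
# Rustock.b indicators reported in the Rustbfix log. Nothing is modified.
# Assumes PowerShell 3.0+ (Get-Item -Stream) and an elevated prompt.
# Caveat: while the rootkit is active it hides these artifacts; use this to
# verify a cleanup, not to rule out an infection on a live system.

function Test-RustockBIndicators {
    [CmdletBinding()]
    param(
        # Driver service name shown in the log ("Rootkit driver PE386 is found")
        [string]$DriverName = 'PE386',
        # ADS name shown in the log (":lzx32.sys 66432")
        [string]$StreamName = 'lzx32.sys',
        [string]$System32   = (Join-Path $env:SystemRoot 'System32')
    )

    $findings = @()

    # Indicator 1: a service/driver registration for PE386 in the registry.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
    if (Test-Path -Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{
            Indicator = 'DriverService'
            Detail    = "$svcKey (ImagePath: $img)"
        }
    }

    # Indicator 2: alternate data streams attached to the System32 folder itself.
    # A directory has no :$DATA default stream, so every stream listed is an ADS.
    $streams = Get-Item -Path $System32 -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        $kind = 'UnexpectedADS'
        if ($s.Stream -ieq $StreamName) { $kind = 'KnownRustockADS' }
        $findings += [pscustomobject]@{
            Indicator = $kind
            Detail    = "${System32}:$($s.Stream) ($($s.Length) bytes)"
        }
    }

    return $findings
}

# Usage: run from an elevated PowerShell prompt.
$result = @(Test-RustockBIndicators)
if ($result.Count -eq 0) {
    Write-Output "No Rustock.b indicators found (driver $DriverName, ADS on System32)."
} else {
    $result | Format-Table -AutoSize
}
```

Any stream at all on the System32 directory is worth a look, not only lzx32.sys, which is why the function reports unknown streams separately as UnexpectedADS; Rustbfix itself only handled the Rustock.b stream, as the "Attempting to remove ADS..." section of its log shows.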
The tool has not been updated for several years now, so it is mainly of historical interest.