{"id":94,"date":"2015-10-31T22:06:06","date_gmt":"2015-10-31T21:06:06","guid":{"rendered":"http:\/\/ejvindh.net\/?p=94"},"modified":"2015-10-31T22:22:05","modified_gmt":"2015-10-31T21:22:05","slug":"rustbfix","status":"publish","type":"post","link":"http:\/\/ejvindh.net\/en\/rustbfix\/","title":{"rendered":"Rustbfix"},"content":{"rendered":"<p>Rustbfix is, of the applications I have created, the one that has gained the most attention. Basically it runs like this: it checks for a <a href=\"https:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2006-070513-1305-99\" target=\"_blank\">Rustock.b<\/a> infection. If one is found, it runs Swandog46&#8217;s <a href=\"http:\/\/swandog46.geekstogo.com\/avenger2\/avenger2.html\" target=\"_blank\">Avenger<\/a>\u00a0to unload it, then fixes the alternate data stream (ADS) attached to the system32 folder and the files found in the system32 folder.<\/p>\n<p>Rustbfix is essentially just a batch script &#8212; Avenger does the hard work of getting behind the rootkits that hide Rustock.b. Nevertheless, Rustbfix got some attention internationally because, from a user perspective, much of the work was automated.<\/p>\n<pre style=\"padding-left: 30px;\">CANNED SPEECH:\r\nDownload Rustbfix from one of these locations:\r\nhttp:\/\/www.uploads.ejvindh.net\/rustbfix.exe\r\nhttp:\/\/uploads.ejvindh.andymanchesta.com\/Rustbfix.exe\r\nhttp:\/\/www.spywareinfo.dk\/download\/Rustbfix.exe\r\nhttp:\/\/www.ctrlaltdel.dk\/rustbfix.exe\r\n...and save it to your desktop.\r\n\r\nDouble click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\\avenger.txt &amp; %root%\\rustbfix\\pelog.txt). 
Post the content of these logfiles along with a new HijackThis log.\r\n\r\n<\/pre>\n<p>The tool also creates a log-file that can be uploaded in anti-spyware communities for analysis:<\/p>\n<pre style=\"padding-left: 30px;\">************************* Rustock.b-fix -- By ejvindh *************************\r\n19-10-2006 21:59:37,90\r\n\r\n\r\n******************* Pre-run Status of system *******************\r\n\r\nRootkit driver PE386 is found. Starting the unload-procedure....\r\nExamine the Avenger-logfile in order to assess the success of the unload-procedure\r\n\r\nRustock.b-ADS attached to the System32-folder:\r\n:lzx32.sys 66432\r\nTotal size: 66432 bytes.\r\nAttempting to remove ADS...\r\nsystem32: deleted 66432 bytes in 1 streams.\r\n\r\n\r\n******************* Post-run Status of system *******************\r\n\r\nRustock.b-driver on the system: NONE!\r\n\r\nRustock.b-ADS attached to the System32-folder:\r\nNo streams found.\r\n\r\n\r\n******************************* End of Logfile ********************************\r\n\r\n<\/pre>\n<p>The tool has not been updated for several years now, so it is mainly of historical interest.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rustbfix is among applications created by me the one that has gained most attention. Basically it runs like this: It makes a check for Rustock.b-infection. 
If found, it runs Swandog46&#8217;s Avenger\u00a0to unload<a class=\"moretag\" href=\"http:\/\/ejvindh.net\/en\/rustbfix\/\">Read More&#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,8,5,4],"tags":[],"class_list":["post-94","post","type-post","status-publish","format-standard","hentry","category-batchbash","category-computerit","category-programmering","category-spyware"],"translation":{"provider":"WPGlobus","version":"3.0.2","language":"en","enabled_languages":["dk","en"],"languages":{"dk":{"title":true,"content":true,"excerpt":false},"en":{"title":true,"content":true,"excerpt":false}}},"_links":{"self":[{"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/posts\/94","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/comments?post=94"}],"version-history":[{"count":3,"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":97,"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/posts\/94\/revisions\/97"}],"wp:attachment":[{"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/media?parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/categories?post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ejvindh.net\/en\/wp-json\/wp\/v2\/tags?post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}