Virus Removal Story: Rootkit Rustock(a,b,c) - lzx32.sys

Rustock is a hidden rootkit with kernel driver "lzx32.sys".

I tested the sample rootkit file and I found that it′s hardly hidden than other known rootkits. The lzx32.sys driver is loaded by the system at the early part of Windows boot. It′s masked as the boot device. This why it′s hard in removal.

UnHackMe 4 (with Partizan) detects the rootkit keys but it could not remove Rustock.

UnHackme Pro 4 correctly detected Rustock′s registry key: PE386.

The driver is located in the NTFS stream in the %Windir%\System32:lzx32.sys.

It could not be deleted during Windows normal mode.

No panic!

I found the simple way how to stop Rustock :-).

Removal

Download RegRun Reanimator

Unzip it to any folder. Installation is not required.

  1. Open reanimator.exe.
  2. Click on the "Remove Rustock Rootkit".
  3. You will be prompted for using "RootkitNO" utility.
  4. Run it!
  5. You will be prompted to restart your computer.
  6. After restarting the Rustock file will be removed using Partizan.

After finishing removal process you may remove Partizan from your Windows boot.

Click on the "UnInstall Partizan" button.

Also you can delete "RootkitNo" folder from your drive where installed the Windows.

Conclusion

Suggest you to use RegRun Platinum Edition to be sure that you are clear!
Good luck!
Dmitry Sokolov
Add or See Comments (>10)
}