lzx32.sys - Please help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by PetitJedi, Jan 12, 2007.

  1. PetitJedi

    PetitJedi Private E-2

    STOP: 0x000000D1 (0x7FFDE010, 0x00000002, 0x00000000, 0xBBAS3A08)

    DRIVER_NOT_LESS_OR_EQUAL

    address bbas 3A08 base at BBA4C00, Datestamp 457101916 lzx32.sys

    Starts stocking physical memory


    So. This lzx32.sys appears to be a Trojan Horse, hidden by rootkit technology:

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2

    Ouch. So, when I go to the removal process, I find out I need to restart with the Windows Recovery Console ... which is on a CD I do not have!!

    Besides, it is recommended that you are an advanced user in order to use this Recovery Console. Something I am not!

    What do I do? So far this thing has caused a couple of blue-screens and my computer is acting weird... and I have no idea of how to remove it!

    Thank you in advance for your help.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    * Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    * Make sure you check version numbers and get all updates.
    * Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    * If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    * When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    o CounterSpy
    o AVG Anti-Spyware log - ONLY IF NEEDED (i.e. you were not able to run CounterSpy)
    o Bitdefender - from step 6
    o Panda Scan - from step 6
    o runkeys.txt - the log from GetRunKey.bat
    o newfiles.txt - the log from ShowNew.bat
    o HijackThis

    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. PetitJedi

    PetitJedi Private E-2

    I've tried running Hijackthis, but ran into some problems... I will have to try again though, even if it's scary. I don't want to delete anything by accident, that shouldn't have been deleted.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please pay close attention to the HijackThis instructions in the Read and Run ...especially as to where you install it and renaming it.
     
  5. PetitJedi

    PetitJedi Private E-2

    How do I use CCleaner with the default option? Every time I get to that step I chicken out because I'm worried I'm not using the default option and will delete something important and destroy my computer more than the malware u_u
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run AVG Anti-Rootkit first and attach the log! Then fix the entry that will show something like c:\windows\system32:lzx32.sys
    Attach the log so we can be sure of the entry that needs to be fixed.
    You should be able to run the rest of the scans after this procedure.
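The entry TimW asks to have fixed, c:\windows\system32:lzx32.sys, is a named alternate data stream (ADS) attached to the System32 directory: the second colon is the stream separator, and that is why the file never shows up in a normal directory listing. The script below is an added example, not part of the original thread and not AVG Anti-Rootkit's code; it assumes PowerShell 3 or later on a modern Windows (the cmdlets used here did not exist on the XP machine in the thread), an elevated prompt, and that the System32 directory is the one to inspect. It lists named streams on that directory, looks for driver services whose ImagePath points into a stream rather than a file, and reports running drivers whose backing file cannot be found on disk.

```powershell
# Added example, not from the original thread or from AVG Anti-Rootkit.
# Assumes PowerShell 3+ on a modern Windows and an elevated prompt.
# Run it after cleanup and a reboot: an active kernel rootkit can filter
# what these APIs return, so a clean result only means something once the
# driver is no longer loaded (which is why the thread rescans after reboot).
#Requires -RunAsAdministrator

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Named alternate data streams hung off the System32 *directory*.
#    The entry the thread fixes, c:\windows\system32:lzx32.sys, is exactly
#    this folder:stream form. A directory normally has no named streams.
Write-Host "== Named streams on $sys32 =="
Get-Item -LiteralPath $sys32 -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# 2. Services whose ImagePath contains a second ':' after the drive letter,
#    i.e. points into a stream instead of a file. A driver is loaded at boot
#    through its service key, and that registry value outlives the stream.
Write-Host "== Services whose ImagePath uses an alternate data stream =="
$streamPath = '^(?:\\\?\?\\)?[A-Za-z]:\\[^:]*:[^\\:]+$'
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -and $p.ImagePath -match $streamPath) {
            # Type 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service
            [pscustomobject]@{ Service = $_.PSChildName; Type = $p.Type; ImagePath = $p.ImagePath }
        }
    }

# 3. Running kernel drivers whose backing file cannot be found on disk.
#    A driver that is running but whose file is invisible to the file system
#    is the classic symptom of a file-hiding rootkit (or of a stale entry).
Write-Host "== Running drivers with no visible file =="
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style prefixes WMI reports: \??\C:\..., \SystemRoot\...,
        # or a path relative to the Windows directory.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Driver = $_.Name; PathName = $_.PathName; Resolved = $path }
        }
    }
```

On an older box without these cmdlets, `dir /r C:\Windows\System32` from a command prompt (Vista and later) shows the same named streams. None of this replaces the anti-rootkit scan the thread relies on; it is the check you run afterwards to confirm the stream and its service entry are really gone.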
     
  7. PetitJedi

    PetitJedi Private E-2

    Right. I will do that now, since I've run into some HijackThis problems. I can't run ShowNew, every time I try I get a bluescreen and my PC automatically restarts.... so it's too fast for me to remember what the error message is.

    EDIT: Erh... so I ran AVG Anti-Rootkit, and it found the bugger.... should I delete it? I don't think that it's dangerous for my system, but every time I get one of those messages... I get worried, heheh. Whenever they tell me I need to be an advanced user, I panic, because I'm so not.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach the log from AVG Anti-Rootkit. The only item we really want you to fix with it (that is without us seeing the log) is c:\windows\system:lzx32.sys
     
  9. PetitJedi

    PetitJedi Private E-2

    Right, well lzx32.sys was the only problem there....

    I suppose I'm still doing HijackThis, right? In that case, I really can't use ShowNew, starting the process always makes my computer bluescreen.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to do what was requested multiple times!! Run AVG Anti-rootkit and have it fix the lzx32.sys problem. Then reboot your PC and run AVG Anti-rootkit again and attach a log from it.
     
  11. PetitJedi

    PetitJedi Private E-2

    Heh, okay! I am dopey and not very clever, I say ... I've already found and fixed the problem, and now that I run AVG Anti-Rootkit again, it doesn't find any problems, so .. it might just be due to my dopiness, but it doesn't seem like I can attach a log from a scan that finds no problems at all?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So then I guess we are done since you don't have any more problems!
     
  13. PetitJedi

    PetitJedi Private E-2

    Oh that's great n_n does this mean I won't have to do a hijack-this log? The thing is so complicated... -_-
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any malware problems, we don't need anything else! However it would be in your best interest to run the full READ & RUN ME sticky procedure and attach all requested logs. Infections like you had rarely come alone. You may have other malware even if you don't notice it.


    If you are not going to run the READ & RUN ME (and I assume you are not going to since we are at message # 14 and you have not started it yet), you should toggle system restore to remove any infected restore points.
    If you are running Windows XP or Windows ME, do the below:
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
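The disable/re-enable step above exists because a restore point taken while the driver was installed would bring it straight back on a rollback. As an added example, not part of the original thread and not the READ & RUN ME procedure, here is the same toggle done from Windows PowerShell (5.1; these cmdlets are not available on XP, where the post's GUI steps apply, nor in PowerShell 7). It assumes an elevated prompt and that the system drive is the protected one; the restore-point listing before and after is the check that the old points actually went away.

```powershell
# Added example, not from the original thread. Windows PowerShell 5.1 on
# Windows 7 or later, elevated. The system drive is assumed to be the one
# with System Restore protection.
#Requires -RunAsAdministrator

$drive = "$env:SystemDrive\"

Write-Host "Restore points before:"
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description

# Turning protection off discards every restore point on the drive. That is
# the whole point here: an infected restore point re-installs the driver.
Disable-ComputerRestore -Drive $drive

# The post reboots between the two halves; if you do the same, run from here
# after the restart. Re-enable protection and take a known-clean baseline.
Enable-ComputerRestore -Drive $drive
# Windows 8 and later create at most one restore point per 24 hours unless
# SystemRestorePointCreationFrequency is lowered, so this may be skipped
# silently if another point was taken today.
Checkpoint-Computer -Description 'Clean baseline after rootkit removal' -RestorePointType MODIFY_SETTINGS

Write-Host "Restore points after:"
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
```

If the "after" list still shows the old sequence numbers, protection was not actually turned off for that drive (typically because the prompt was not elevated) and the infected points are still there.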
     
