I have an Acer laptop, with Windows XP Home Edition, Service Pack 2, and it didn't have anti-spyware for about a year. Then it got infected with spyware and adware. So I put McAfee on my computer, which seemed to clean up all my viruses (except for some that it only partially removed, but which didn't bug me). Then a week later my laptop crashed (first blue screening and giving me a stop message for 1 second which I didn't have time to read). It rebooted, getting as far as telling me to disk check, which I skipped, and then crashing (with the same blue screen as last time). It rebooted again, getting to the same place; this time I allowed the disk check, and it still crashed. I tried starting with the last known good configuration and it again got as far as the disk check (tried twice, once allowing and once skipping the disk check) and it still crashed. I tried starting it in safe mode and it started loading drivers, got as far as mup.sys, then told me to "press Esc to skip loading Stpd.sys". I did, and it froze. I manually rebooted and retried safe mode; it got as far as mup again and asked me the same thing as last time. This time I didn't press Escape and it froze again.
I took a picture of the blue screens I was getting on my phone, and downloaded it to another desktop I have at home, and got a stop message of:
*** STOP: 0x0000008E (0xC0000005,0xBF841D43,0xF86A4AEC,0x00000000)
*** win32k.sys - Address BF841D43 base at BF800000, Datestamp 45f013f6
After not managing to boot normally, I tried repairing Windows from the Acer system and recovery CDs, 3 times, and it didn't help.
Reinstalling Windows from that CD would mean total reformatting of the disk and loss of all data, so I tried something else.
I installed a copy of Windows XP Professional (not compatible with my laptop, of course), which installed, booted, and came up fine.
So now I have a copy of working Windows on my computer, but one that isn't compatible with my laptop, so I'm trying to use the working version to debug the old one. The working copy of Windows doesn't recognize my network hardware, though, so I'm using a USB pen drive to get data off my laptop and using the desktop as my base of operations.
I put the minidumps from my laptop onto the pen drive and copied them to the desktop, where I set up Debugging Tools for Windows and read them.
For the first minidump (the only one in the directory of the original Windows, probably referring to the first crash that started all my problems) it was having trouble with the symbols, sometimes saying only lzx32.sys couldn't find its symbols and sometimes saying that both lzx32.sys and ntoskrnl.exe couldn't find their symbols. Each time the debugger blamed lzx32.sys.
I googled lzx32.sys and found that it was the driver for the Rustock rootkit, but all the tools to remove it require the Windows infected with it to be running in either safe or normal mode, neither of which manages to load.
I checked whether lzx32.sys existed in the directory it's supposed to be in (even though it's supposed to be hidden) and it was there (probably because I checked using an operating system other than the one that was infected). Exact wording as follows:
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\Daniel\Desktop\MINIDUMPS\Mini040807-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\Windows\Symbols
Executable search path is: C:\Windows\Symbols
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805533a0
Debug session time: Sun Apr 8 22:53:37.390 2007 (GMT+2)
System Uptime: 0 days 13:22:35.965
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
.................................................................................................................................................
Loading User Symbols
Loading unloaded module list
............
Unable to load image lzx32.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for lzx32.sys
*** ERROR: Module load completed but symbols could not be loaded for lzx32.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, aafaf5cf, aa591a20, 0}
*** WARNING: Unable to verify timestamp for mssmbios.sys
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT ***
*** ***
*************************************************************************
Probably caused by : lzx32.sys ( lzx32+25cf )
Followup: MachineOwner
---------
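An added example, not from the original post or from Microsoft's debugger, that reduces the two pieces of evidence quoted above (the photographed STOP line and WinDbg's bugcheck summary) to one triage record: it decodes the first parameter of bugcheck 0x8E as the exception code, converts the STOP screen's address/base pair into an offset inside the module, and flags a blamed module for which the debugger could not load symbols, since that is the cue to identify the driver (as the poster did with lzx32.sys) before trusting the blame. The constants are documented Microsoft values; the sample texts are excerpts of the post's own output.

```python
import re

# Constants are documented Microsoft values; samples are excerpts of the post's output.
BUGCHECK_NAMES = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
EXCEPTION_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

STOP_TEXT = """*** STOP: 0x0000008E (0xC0000005,0xBF841D43,0xF86A4AEC,0x00000000)
*** win32k.sys - Address BF841D43 base at BF800000, Datestamp 45f013f6"""
DUMP_TEXT = """*** ERROR: Module load completed but symbols could not be loaded for lzx32.sys
BugCheck 1000008E, {c0000005, aafaf5cf, aa591a20, 0}
Probably caused by : lzx32.sys ( lzx32+25cf )"""

# The on-screen STOP line and WinDbg's BugCheck line both carry the code + 4 params.
STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)")
BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
ADDR_RE = re.compile(r"(\S+)\s*-\s*Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+)")
BLAME_RE = re.compile(r"Probably caused by\s*:\s*(\S+)\s*\(\s*\w+\+([0-9A-Fa-f]+)\s*\)")
NOSYM_RE = re.compile(r"symbols could not be loaded for (\S+)")

def triage(text):
    """Pull the crash facts out of STOP-screen or WinDbg text into one dict."""
    m = STOP_RE.search(text) or BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no STOP/BugCheck line found")
    # Minidumps report 0x8E as 0x1000008E; the low 16 bits are the real code.
    code = int(m.group(1), 16) & 0xFFFF
    params = [int(p.strip(), 16) for p in m.group(2).split(",")]
    info = {"bugcheck": code, "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
            "no_symbols": sorted(set(NOSYM_RE.findall(text))), "flags": []}
    if code == 0x8E:  # params: exception code, faulting address, trap frame, 0
        info["exception"] = params[0]
        info["exception_name"] = EXCEPTION_NAMES.get(params[0], "UNKNOWN")
        info["fault_addr"] = params[1]
    a = ADDR_RE.search(text)
    if a:  # STOP screen gives module and base; the difference is the offset to look up
        info["module"] = a.group(1)
        info["module_offset"] = int(a.group(2), 16) - int(a.group(3), 16)
    b = BLAME_RE.search(text)
    if b:  # WinDbg already names the module and the offset within it
        info["module"] = b.group(1)
        info["module_offset"] = int(b.group(2), 16)
    mod = info.get("module")
    if mod and mod in info["no_symbols"]:
        info["flags"].append(f"{mod} is blamed but has no symbols: identify it first")
    return info

if __name__ == "__main__":
    print(triage(STOP_TEXT), triage(DUMP_TEXT), sep="\n")
```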