Another Laxzyldodalp Infection


Good day,

Today I discovered Laxzyldodalp.exe hiding in plain sight in my C:/User/ folder. I found that I couldn't turn on Real-Time protection in Microsoft Security Essentials or update virus definitions. I could not delete the file, and after installing AVG from Safe Mode, my computer would suffer a "Windows Critical Error" and be forced to reboot within a minute. Upon rebooting, AVG suffered many of the same symptoms MSE did.

Before installing in Safe Mode, AVG and MSE were both downloaded (after uninstalling my current MSE) and neither would open, stating something to the effect that I did not have sufficient permissions. Google brought me to a similar thread on Emsisoft dealing with Laxzyldodalp. I followed the steps but was unsuccessful in ridding my system of the infection.

I have used TDSSKiller and Combo Fixer, both of which did not solve the issue. I attempted Blitzbank, but it came back saying the path was invalid. Through reading the forums I read about Hitman Pro. This program seemed to have rid my system of the laxzyldodalp.exe file; however, it is still facing various symptoms. When I start my PC, my Windows Start screen turns to a black screen with my arrow visible and controllable, and stays there for a few minutes before showing the login/welcome screen. My MSE is still unable to run with Real-Time protection, and will only update virus definitions on a fresh install.

I've gone back to square one and attached the log files, as it appears I cannot solve this dilemma on my own. Please advise.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java:

  • Download the latest version of JRE 7 Update 5.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.
    Windows x86 Offline (jre-7u5-windows-i586.exe)
    Windows x64 (jre-7u5-windows-x64.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right-click on the JRE download and select "Run as an Administrator.")

The installed version of Adobe Reader on this computer is out-dated. Install the latest version of Adobe Reader available from Adobe.

The installed version of Adobe Shockwave Player on this computer is out-dated. Install the latest version of Adobe Shockwave Player available from Adobe.

Using Add or Remove Programs in the Control Panel; uninstall the following:

Java(TM) 6 Update 32

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    SRV:[b]64bit:[/b] - (3a6fc25194d09901) -- C:\Windows\SysNative\drivers\3a6fc25194d09901.sys ()
    DRV:[b]64bit:[/b] - (3a6fc25194d09901) -- C:\Windows\SysNative\drivers\3a6fc25194d09901.sys ()
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-itss - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    [2012/08/05 21:06:59 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.4882CB930E82EC99
    [2012/08/05 18:56:36 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.F16949B780419561
    [2012/08/05 18:35:32 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.8E2BE5A57ADCFF31
    [2012/08/05 18:25:18 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.14C2A6CB50BF7454
    [2012/08/05 18:02:51 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.D7423BF09D0B1A68
    [2012/08/05 17:53:38 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.4CE28997A566D6C1
    [2012/08/05 17:09:16 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.2D507EC490981580
    [2012/07/28 15:35:23 | 000,000,000 | ---D | C] -- C:\Users\Hawley\AppData\Local\{9CBA1801-4D34-42C4-B191-56A6F26E7839}
    [2012/07/28 15:35:13 | 000,000,000 | ---D | C] -- C:\Users\Hawley\AppData\Local\{7B9D5591-0B6A-4432-9B1D-98A2BE85FBB7}
    [3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [1 C:\Users\Hawley\Desktop\*.tmp files -> C:\Users\Hawley\Desktop\*.tmp -> ]
    [2012/08/04 14:26:10 | 000,085,976 | ---- | M] () -- C:\Windows\SysNative\drivers\3a6fc25194d09901.sys
    [2012/01/10 15:01:17 | 000,002,048 | -HS- | C] () -- C:\Users\Hawley\AppData\Local\{84282f89-6e68-70c4-ec9e-0752afed4226}\@
    @Alternate Data Stream - 128 bytes -> C:\Windows\SysWow64\zlib.dll:SummaryInformation
    @Alternate Data Stream - 128 bytes -> C:\Windows\SysWow64\zlib.dll:DocumentSummaryInformation
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

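As an added illustration (not part of this thread, and not OTL's own code), here is a small Python triage that parses OTL-style file entries like those in the fix above and flags the three patterns the fix targets: a driver with no publisher and a random hex name, several hash-suffixed copies of one core system binary, and a hidden+system file under AppData\Local\{GUID}. The ndis.sys and folder lines in the sample are constructed benign entries; the rest are taken from the fix script.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OTL fix above: ndis.sys and the folder line are
# made-up benign entries, the others are the thread's own indicators.
SAMPLE_LOG = r"""
[2012/08/05 21:06:59 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.4882CB930E82EC99
[2012/08/05 18:56:36 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.F16949B780419561
[2012/07/28 15:35:23 | 000,000,000 | ---D | C] -- C:\Users\Hawley\AppData\Local\{9CBA1801-4D34-42C4-B191-56A6F26E7839}
[2012/08/04 14:26:10 | 000,085,976 | ---- | M] () -- C:\Windows\SysNative\drivers\3a6fc25194d09901.sys
[2009/07/14 01:52:20 | 000,951,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\ndis.sys
[2012/01/10 15:01:17 | 000,002,048 | -HS- | C] () -- C:\Users\Hawley\AppData\Local\{84282f89-6e68-70c4-ec9e-0752afed4226}\@
"""

ENTRY = re.compile(  # [date time | size | attrs | C/M] (publisher) -- path
    r"^\[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<ev>[CM])\] "
    r"\((?P<pub>[^)]*)\) -- (?P<path>.+)$")
HEX_STEM = re.compile(r"^[0-9a-f]{16,}$", re.I)  # e.g. 3a6fc25194d09901
CORE_COPY = re.compile(r"\\(services|winlogon|lsass)\.exe\.[0-9A-F]{16}$", re.I)

def parse_otl_entries(text):
    """Parse OTL file entries into dicts; folder lines (no publisher field) are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            out.append(e)
    return out

def triage(entries):
    """Return (path, reason) pairs for the three patterns the fix script targets."""
    findings, copies = [], defaultdict(list)
    for e in entries:
        path, pub, low = e["path"], e["pub"].strip(), e["path"].lower()
        stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
        if ext.lower() == "sys" and "\\drivers\\" in low and not pub and HEX_STEM.match(stem):
            findings.append((path, "driver with no publisher and a random hex name"))
        if CORE_COPY.search(path):
            copies[path.rsplit(".", 1)[0]].append(path)  # key: ...\services.exe
        if "H" in e["attrs"] and "S" in e["attrs"] and "\\appdata\\local\\{" in low:
            findings.append((path, "hidden+system file under AppData\\Local\\{GUID}"))
    for base, paths in copies.items():
        if len(paths) > 1:
            findings.append((base, "%d hash-suffixed copies of the same system binary" % len(paths)))
    return findings

if __name__ == "__main__":
    for path, reason in triage(parse_otl_entries(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```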

Not noticing any real difference after the fix. Computer still goes to a black screen for a couple of minutes before the log-in screen. Log-in itself is a bit quicker, however. I've uninstalled MSE and installed a fresh version of AVG. MSE still would not run Real-Time Protection, and AVG prompts for a restart every time it is logged on. No forced restart as when laxzyldodalp.exe was present on the system; however, all anti-virus active protections are still not initialising.

**Edit

- On another note, found out that Windows Disk Defragmenter does not allow an analyse either... it appears to begin the process and quickly cancels itself.


I did not want a new OTL scan, I wanted the log, created by OTL, when you ran the fix.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the script tab and copy/paste the following text there:

DisableDriver:
3a6fc25194d09901
DeleteFile:
C:\Windows\system32\drivers\3a6fc25194d09901.sys

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, attach the report created by Blitzblank.

Edited by ShadowPuterDude
Edit BlitzBlank code

Changing tools.

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Managed to run Combo-Fix, but upon restart it gave me the log and was unable to open up any .exe files (including firefox) giving me a registry error and prompting for deletion of any file that came up. Fortunately a second reboot solved that problem.

Would a system restore be of any use? I recall the affected file had a creation date of 3 Aug 2012. I have restore points on the 5th and 6th of Aug; however, it appears as if all of my other system restore points were wiped up until 6 Jun 2010.

Sorry I 'saved as' the combofix log as 'log', however the attached file is the log that was generated after Combo-Fix was run.


You can try restoring the system to an earlier date, but I can't guarantee that will fix things. This particular infection often severely damages the system to the point that a "Clean Install" is usually necessary.

Download Runscanner to your desktop and run it.

  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file runnscanner.run and save it to your desktop. You will see the .run file on your desktop. Zip runscanner.run and attach it to your next reply.
    To create a Zip file in Windows:
    • Right-click on runnscanner.run.
    • Select "Send To", and then click "Compressed (zipped) Folder". A new compressed file name runnscanner.zip will be created.


This infection definitely seems like a nasty one. I noticed a few other users experiencing this one too. Does it generally have the same symptoms as disabling anti-virus etc? Your best guess where it came from would be the outdated Java Runtime correct?


There are several malware strains that disable anti-virus programs; this is one of them. Outdated versions of Java and Flash are targeted quite a bit.

After reviewing your runscanner.run file, your system is damaged beyond repair. A "Clean Install" of Windows 7 will be necessary.


That sucks, was hoping not to have to do that, but you're the expert and I'll give it a shot. I have a Gateway FX6802 Desktop with Windows 7 Home Premium SP1. I do not have a hard-copy backup disc... do you know if there is a "return to factory settings" method through the BIOS, or am I going to have to purchase another copy of Windows?

Thanks for all the help, end result is not necessarily the preferred outcome, but thank-you nonetheless. You provide a very knowledgeable and helpful service.


Disregard the above question, re-imaged using a clean install of Windows 7. I was able to back up and recover most of my files... MSE is now working as intended, and the start-up is back to original.

Thanks for trying at least. If you like I could run another OTL or EEK to see if the repair process was successful.


Thread Closed

Reason: Clean Install of Windows

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
