Hi,
Hoping you guys can help as this is our last line. We have discovered that a member of IT staff was avoiding our desktop security by using a server to surf the web. Needless to say - he is no more but his actions left us with a stack of malware that we have endeavoured to remove.
However, we now have an issue that the server reboots - usually on a spyware/antivirus scan but at random other intervals.
We get the Blue screen of death together with a message that lzx32.sys caused the issue.
One of the problems we have is that Combofix won't run on Server 2003.
Any help will be gratefully appreciated - rebuilding this one from scratch would be a nightmare.
cheers

Well, as you know, you NEVER use a server to surf the web...absolutely never...
What do you have for antivirus on the server???...I expect you have run full scans...
I suggest the following...
1. From another workstation download the following...
A. Ewido from http://www.ewido.net/en/download/ ... get it updated, and here I think you will have to put your server on the net...Reboot in Safe Mode and run a full scan...
B. Consider doing the same with Kaspersky antivirus...this is my preferred...
C. Start / Run / msconfig...uncheck anything you cannot identify...
D. Start / Run /regedit / HKLM/Software/Windows/Microsoft/Current Version/Run...Back up the hive...then delete anything out of the right panel that you think does not belong there...
E. LZX32.sys is described both as a rootkit and as a trojan...more info here http://www.bleepingcomputer.com/for...
What OS do you have???...how is this server used???...do you have RAID???...little more info would help...
Good luck
Steve

Thanks for your help - we seem to have cracked it.
Found a couple of strange looking services lurking in MSConfig and also managed to track down the rootkit thanks to Avira Anti-Rootkit.
Everything looks to be clear - nothing reported since running all of this 3 days ago.
Thanks again

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.