
Blaster? Trojan? Please Help!


  • This topic is locked
2 replies to this topic

#1 mcbarton1995

  • Members
  • 3 posts

Posted 05 September 2007 - 03:57 PM

I've done all the steps that I was able to do (and more, such as Blaster removal tool) and yet my problems are becoming worse. It all began when I tried to download SP2. I had the Blaster worm and did not know it and killed my computer. I formatted and reinstalled Windows but have continued to have problems with programs experiencing errors and shutting down. Then my computer said I had no virtual memory. I purchased 2 new memory cards 1GB each and installed them and formatted and reinstalled Windows again. Now my computer is shutting off by itself for known reason and recovering from serious problems. NT Authority Systems shut my computer down several times saying there was an error with system 32/lsass.exe. I then experienced a message where memory could not be read. I tried repairing my Windows installation and immediately thereafter several messages came up with LSA shell (export version) and Windows updater and internet explorer all experiencing problems and shutting down. Then the computer screen went blue and it said it was dumping memory. It had Page_Fault_In_Nonpaged_Area. It dumped for over a minute then restarted and I'm just waiting for the next crash. Please help me. I'm at my wits' end. I've attached my Hijack log. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:14 AM, on 9/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Proxyconn\PxUi.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\PeoplePC\ISP6500\Browser\Bartshel.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\PROGRA~1\PeoplePC\ISP6500\Browser\PPShared.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Proxyconn\PxClient.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PrxcnBHO Class - {7D9E713D-0388-4384-BDD8-2A42EB1C4F04} - C:\Program Files\Proxyconn\PrxcnBrsrCtrl.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6500\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\Proxyconn\PxUi.exe" /Automation
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Show with Full Quality - res://C:\PROGRA~1\PROXYC~1\PRXCNB~1.DLL/IDR_HTML2
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187809377841
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187809326716
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5935 bytes



#2 mcbarton1995

  • Topic Starter
  • Members
  • 3 posts

Posted 07 September 2007 - 08:14 AM

I just need to know if I need to throw in the towel and get a new computer! I've formatted 3 times and each time continue to experience major problems. NT Authority Systems has been shutting down my computer. I've had LSA Shell (export version) has experienced a problem and must close. Internet Explorer is constantly experiencing problems and must close. Many other programs are doing the same thing. I've had messages where it gives me numbers "instruction...referencing memory...The memory could not be read." My computer will just shut itself off and then come back on and say it has experienced a serious error but recovered. As I said, I have formatted the hard drive 3 times and reloaded my Windows XP (from an authentic disk that came with the computer from Gateway) and still continue to have problems. I have Avast Anti-Virus, Spybot S&D, Ad-Aware and have not experienced any resolution by running them. I have also run Symantec's Blaster Worm Removal Tool but it says I do not have the worm. I ran Stinger and have downloaded critical updates, though I am not running SP2 due to many issues after I loaded it. Can anyone help me?

#3 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,629 posts

Posted 20 September 2007 - 08:12 PM

Hi mcbarton1995, sorry for the delay.

Since you are getting help in another forum this topic will be closed. This forum is mostly for malware removal and there are not enough malware removal specialists to go around so if you get help somewhere else we can move on to help someone else as this forum is extremely busy.

From your description and looking at your log, which is clean, I believe you have mistaken the lsass error for a Blaster infection and your problems are hardware related. Blaster hasn't really been around for years now and is not the only thing to cause that error, nor will it cause the other errors--I'm not a hardware guy, but suspect for some reason Windows is not creating enough virtual memory so this could be a problem with your hard drive--but it could be anything. Adding more RAM is good, but it won't fix your virtual memory problem--that is on your hard drive.

Cross forum posting is frowned on in BC's other forums, but if you don't get enough good help where you have already posted, you can ask for more help in the following forums as long as you link to where you have posted before.

http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/
http://www.bleepingcomputer.com/forums/for...ums/forum7.html

The thing about people

is they change

when they walk away.--Mipso




