
NT authority system32/lsass.exe error code 1073741819


This topic is locked
5 replies to this topic

#1 Imaloser (Members, 87 posts)

Posted 28 February 2012 - 06:11 AM

Hello.

When I turned on my computer, a window popped up prompting it to shut down. It mentioned something about "Shutdown due to NT authority system32/lsass.exe", error code 1073741819.

Here is my MBAM log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.28.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Owner :: SAVAGE [administrator]

2/28/2012 1:38:34 AM
mbam-log-2012-02-28 (01-38-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229528
Time elapsed: 56 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Owner\Local Settings\temp\ATT-SST_Installer\Setup\MotiveClient\AXB.exe (Adware.BHO) -> Quarantined and deleted successfully.

(end)

I have googled this problem and it looks like I may have the "Sasser" computer worm.

Appreciate any help. Thank you.
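Added example, not part of the original thread: the "error code 1073741819" in the post above is the signed 32-bit status -1073741819 with its minus sign dropped, i.e. NTSTATUS 0xC0000005 (STATUS_ACCESS_VIOLATION). That is the generic status Winlogon reports for any crash inside lsass.exe, so the number by itself does not point at Sasser (whose LSASS exploit was fixed by MS04-011, which Windows XP SP2 and later include) rather than at a faulting DLL loaded into the process. The Application event log entry that names the faulting module is the more useful clue. The Python below decodes the dialog's decimal code into its NTSTATUS bit fields and then pulls crashes of system-critical processes, with their faulting module and the matching Winlogon entry, out of exported Event Viewer text. The NTSTATUS name table, the critical-process list and the sample event lines (written in the Event Viewer message format) are this example's own constructions, not data from the thread.

```python
import re
from typing import Dict, List

# Added example for this thread; not code from the forum post or from any tool
# it names.  SAMPLE_EVENTS is constructed in the Event Viewer message format.

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Assumption: a short name table is enough here; a real tool would load ntstatus.h.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Assumption: processes whose crash Windows XP treats as fatal (forced restart).
CRITICAL_PROCESSES = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "smss.exe"}

FAULT_RE = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<app_ver>[^,]+), "
    r"faulting module (?P<module>[^,]+), version (?P<mod_ver>[^,]+), "
    r"fault address 0x(?P<address>[0-9a-fA-F]+)"
)
CRITICAL_RE = re.compile(
    r"A critical system process, (?P<path>[^,]+), failed with status code "
    r"(?P<status>[0-9a-fA-F]{8})"
)


def ntstatus_from_decimal(code: int) -> int:
    """Map the decimal code shown in the shutdown dialog to a 32-bit NTSTATUS.

    The dialog prints the status as a signed 32-bit integer (0xC0000005 shows
    as -1073741819) and the minus sign is easily lost when copied.  A positive
    value whose negation falls in the 0xC000xxxx error range is therefore
    treated as a status that lost its sign.
    """
    if code < 0:
        return code & 0xFFFFFFFF
    negated = (-code) & 0xFFFFFFFF
    if negated >> 16 == 0xC000:
        return negated
    return code & 0xFFFFFFFF


def describe_status(code: int) -> Dict[str, object]:
    """Split an NTSTATUS (given as the dialog's decimal) into its bit fields."""
    value = ntstatus_from_decimal(code)
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],      # top two bits
        "customer": bool((value >> 29) & 1),    # customer-defined bit
        "facility": (value >> 16) & 0xFFF,      # 12-bit facility
        "code": value & 0xFFFF,                 # 16-bit code
        "name": NTSTATUS_NAMES.get(value, "unknown"),
    }


def triage_events(log_text: str) -> List[Dict[str, object]]:
    """One record per crash of a critical process in exported Event Viewer text:
    faulting module, offset, and the status from the matching Winlogon entry."""
    winlogon_status: Dict[str, int] = {}
    for m in CRITICAL_RE.finditer(log_text):
        name = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        winlogon_status[name] = int(m.group("status"), 16)

    findings = []
    for m in FAULT_RE.finditer(log_text):
        app = m.group("app").strip().lower()
        if app not in CRITICAL_PROCESSES:
            continue  # ordinary application crashes are not the concern here
        findings.append({
            "process": app,
            "module": m.group("module").strip().lower(),
            "address": int(m.group("address"), 16),
            "winlogon_status": winlogon_status.get(app),
        })
    return findings


def summarize(log_text: str, dialog_code: int) -> str:
    """Human-readable triage of the dialog code plus the event text."""
    st = describe_status(dialog_code)
    lines = [f"dialog code {dialog_code} -> {st['hex']} {st['name']} ({st['severity']})"]
    for f in triage_events(log_text):
        wl = f["winlogon_status"]
        wl_text = f"0x{wl:08X}" if wl is not None else "no Winlogon entry"
        lines.append(f"{f['process']} faulted in {f['module']} at +0x{f['address']:x}; "
                     f"Winlogon reported {wl_text}")
    return "\n".join(lines)


# Constructed sample in the format Event Viewer / MiniToolBox export on XP.
SAMPLE_EVENTS = """\
Error: (02/28/2012 01:21:10 AM) (Source: Winlogon) (User: )
Description: A critical system process, C:\\WINDOWS\\system32\\lsass.exe, failed with status code c0000005. The machine
must now be restarted.

Error: (02/28/2012 01:20:29 AM) (Source: Application Error) (User: )
Description: Faulting application lsass.exe, version 5.1.2600.5512, faulting module msvcrt.dll, version 7.0.2600.5512, fault address 0x0003681e.

Error: (02/28/2012 01:15:44 AM) (Source: Application Error) (User: )
Description: Faulting application khost.exe, version 2.21.40318.0, faulting module khost.exe, version 2.21.40318.0, fault address 0x001575b8.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, 1073741819))
```

Run as-is it prints the triage for the constructed sample; to use it on a real machine, paste the "Event log errors" section of a MiniToolBox Result.txt (or an exported Application log) in place of SAMPLE_EVENTS. A crash in lsass.exe whose faulting module is a Microsoft system DLL, with a matching Winlogon entry, is what a forced-restart dialog looks like from the log side; whether a worm, a broken security product hooked into LSA, or a corrupt file caused it is a separate question the module name only narrows down.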

#2 boopme (Global Moderator, 73,323 posts, NJ USA)

Posted 28 February 2012 - 10:54 PM

Hello, we can look further.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

>>>
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all other options as they are set):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the Control Center screen.
  • Back on the main screen, under "Select Scan Type" check the box for Complete Scan.
  • If your computer is badly infected, be sure to check the box next to Enable Rescue Scan (Highly Infected Systems ONLY).
  • Click the Scan your computer... button.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the scan log after reboot, launch SUPERAntiSpyware again.
  • Click the View Scan Logs button at the bottom.
  • This will open the Scanner Logs Window.
  • Click on the log to highlight it and then click on View Selected Log to open it.
  • Copy and paste the scan log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

>>>>
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.

#3 Imaloser (Topic Starter, Members, 87 posts)

Posted 02 March 2012 - 11:05 AM

Thank you boopme for the quick response. :) Sorry it took me so long to reply; it took a while to scan my sluggish craputer.

Here are the logs

MiniToolBox by Farbar Version: 18-01-2012
Ran by Owner (administrator) on 28-02-2012 at 21:57:57
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Could not flush the DNS Resolver Cache: Function failed during execution.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8139 Family PCI Fast Ethernet NIC = Local Area Connection (Connected)
1394 Net Adapter = 1394 Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : SAVAGE
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : att.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : att.net
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-E0-18-82-A5-80
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.65
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
Lease Obtained. . . . . . . . . . : Tuesday, February 28, 2012 9:43:25 PM
Lease Expires . . . . . . . . . . : Wednesday, February 29, 2012 9:43:25 PM

Server: dsldevice.att.net
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.227.98, 74.125.227.99, 74.125.227.100, 74.125.227.101
74.125.227.102, 74.125.227.103, 74.125.227.104, 74.125.227.105, 74.125.227.110
74.125.227.96, 74.125.227.97

Pinging google.com [74.125.227.96] with 32 bytes of data:

Reply from 74.125.227.96: bytes=32 time=54ms TTL=52
Reply from 74.125.227.96: bytes=32 time=68ms TTL=52

Ping statistics for 74.125.227.96:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 54ms, Maximum = 68ms, Average = 61ms

Server: dsldevice.att.net
Address: 192.168.1.254

Name: yahoo.com
Addresses: 98.139.183.24, 209.191.122.70, 98.139.127.62

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=59ms TTL=49
Reply from 209.191.122.70: bytes=32 time=59ms TTL=49

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 59ms, Maximum = 59ms, Average = 59ms

Server: dsldevice.att.net
Address: 192.168.1.254

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 18 82 a5 80 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.65 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.65 192.168.1.65 30
192.168.1.0 255.255.255.0 192.168.1.65 192.168.1.65 30
192.168.1.65 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.255 255.255.255.255 192.168.1.65 192.168.1.65 30
224.0.0.0 240.0.0.0 192.168.1.65 192.168.1.65 30
255.255.255.255 255.255.255.255 192.168.1.65 192.168.1.65 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Catalog9 01 C:\WINDOWS\system32\VetRedir.dll [74864] (Computer Associates International, Inc.)
Catalog9 02 C:\WINDOWS\system32\VetRedir.dll [74864] (Computer Associates International, Inc.)
Catalog9 03 C:\WINDOWS\system32\VetRedir.dll [74864] (Computer Associates International, Inc.)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 23 C:\WINDOWS\system32\VetRedir.dll [74864] (Computer Associates International, Inc.)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/28/2012 09:45:42 PM) (Source: Application Error) (User: )
Description: Faulting application khost.exe, version 2.21.40318.0, faulting module khost.exe, version 2.21.40318.0, fault address 0x001575b8.
Processing media-specific event for [khost.exe!ws!]

Error: (02/28/2012 04:35:41 PM) (Source: Application Error) (User: )
Description: Faulting application khost.exe, version 2.21.40318.0, faulting module khost.exe, version 2.21.40318.0, fault address 0x001575b8.
Processing media-specific event for [khost.exe!ws!]

Error: (02/28/2012 03:11:28 AM) (Source: Application Hang) (User: )
Description: Hanging application mbam.exe, version 1.60.0.61, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (02/28/2012 02:41:07 AM) (Source: Application Error) (User: )
Description: Faulting application khost.exe, version 2.21.40318.0, faulting module khost.exe, version 2.21.40318.0, fault address 0x001575b8.
Processing media-specific event for [khost.exe!ws!]

Error: (02/28/2012 01:25:41 AM) (Source: Application Error) (User: )
Description: Faulting application khost.exe, version 2.21.40318.0, faulting module khost.exe, version 2.21.40318.0, fault address 0x001575b8.
Processing media-specific event for [khost.exe!ws!]

Error: (02/28/2012 01:21:10 AM) (Source: Winlogon) (User: )
Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine
must now be restarted.

Error: (02/28/2012 01:20:29 AM) (Source: Application Error) (User: )
Description: Faulting application lsass.exe, version 5.1.2600.5512, faulting module msvcrt.dll, version 7.0.2600.5512, fault address 0x0003681e.
Processing media-specific event for [lsass.exe!ws!]

Error: (02/28/2012 01:15:44 AM) (Source: Application Error) (User: )
Description: Faulting application khost.exe, version 2.21.40318.0, faulting module khost.exe, version 2.21.40318.0, fault address 0x001575b8.
Processing media-specific event for [khost.exe!ws!]

Error: (02/27/2012 03:52:43 PM) (Source: Application Error) (User: )
Description: Faulting application khost.exe, version 2.21.40318.0, faulting module khost.exe, version 2.21.40318.0, fault address 0x001575b8.
Processing media-specific event for [khost.exe!ws!]

Error: (02/27/2012 03:38:33 PM) (Source: Application Error) (User: )
Description: Faulting application khost.exe, version 2.21.40318.0, faulting module khost.exe, version 2.21.40318.0, fault address 0x001575b8.
Processing media-specific event for [khost.exe!ws!]


System errors:
=============
Error: (02/28/2012 09:47:55 PM) (Source: Service Control Manager) (User: )
Description: The Fast User Switching Compatibility service depends on the following nonexistent service: TermService

Error: (02/28/2012 09:47:35 PM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Driver Helper Service service failed to start due to the following error:
%%2

Error: (02/28/2012 09:47:35 PM) (Source: Service Control Manager) (User: )
Description: The npkcrypt service failed to start due to the following error:
%%2

Error: (02/28/2012 05:12:12 PM) (Source: Service Control Manager) (User: )
Description: The Fast User Switching Compatibility service depends on the following nonexistent service: TermService

Error: (02/28/2012 04:37:53 PM) (Source: Service Control Manager) (User: )
Description: The Fast User Switching Compatibility service depends on the following nonexistent service: TermService

Error: (02/28/2012 04:37:34 PM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Driver Helper Service service failed to start due to the following error:
%%2

Error: (02/28/2012 04:37:34 PM) (Source: Service Control Manager) (User: )
Description: The npkcrypt service failed to start due to the following error:
%%2

Error: (02/28/2012 03:22:00 AM) (Source: Service Control Manager) (User: )
Description: The Fast User Switching Compatibility service depends on the following nonexistent service: TermService

Error: (02/28/2012 02:43:44 AM) (Source: Service Control Manager) (User: )
Description: The Fast User Switching Compatibility service depends on the following nonexistent service: TermService

Error: (02/28/2012 02:43:42 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
agp440
IntelIde
nv_agp
SISAGP
viaagp
ViaIde


Microsoft Office Sessions:
=========================
Error: (02/28/2012 09:45:42 PM) (Source: Application Error)(User: )
Description: khost.exe2.21.40318.0khost.exe2.21.40318.0001575b8

Error: (02/28/2012 04:35:41 PM) (Source: Application Error)(User: )
Description: khost.exe2.21.40318.0khost.exe2.21.40318.0001575b8

Error: (02/28/2012 03:11:28 AM) (Source: Application Hang)(User: )
Description: mbam.exe1.60.0.61hungapp0.0.0.000000000

Error: (02/28/2012 02:41:07 AM) (Source: Application Error)(User: )
Description: khost.exe2.21.40318.0khost.exe2.21.40318.0001575b8

Error: (02/28/2012 01:25:41 AM) (Source: Application Error)(User: )
Description: khost.exe2.21.40318.0khost.exe2.21.40318.0001575b8

Error: (02/28/2012 01:21:10 AM) (Source: Winlogon)(User: )
Description: C:\WINDOWS\system32\lsass.exec0000005

Error: (02/28/2012 01:20:29 AM) (Source: Application Error)(User: )
Description: lsass.exe5.1.2600.5512msvcrt.dll7.0.2600.55120003681e

Error: (02/28/2012 01:15:44 AM) (Source: Application Error)(User: )
Description: khost.exe2.21.40318.0khost.exe2.21.40318.0001575b8

Error: (02/27/2012 03:52:43 PM) (Source: Application Error)(User: )
Description: khost.exe2.21.40318.0khost.exe2.21.40318.0001575b8

Error: (02/27/2012 03:38:33 PM) (Source: Application Error)(User: )
Description: khost.exe2.21.40318.0khost.exe2.21.40318.0001575b8


=========================== Installed Programs ============================

AAC Decoder (Version: 7.1.0)
Ad-Aware SE Personal (Version: 1.06)
Ad Muncher v4.81 Build 31376
Adobe Acrobat 5.0 (Version: 5.1)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX (Version: 10.0.22.87)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Photoshop 7.0 (Version: 7.0)
Adobe Reader 8.1.0 (Version: 8.1.0)
Adobe Shockwave Player 11.5 (Version: 11.5)
AIM 7
AIM Toolbar
AOL Coach Version 1.0(Build:20020605.1)
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support (Version: 1.1.4.7)
Apple Software Update (Version: 2.1.1.116)
ArcSoft PhotoImpression
ArcSoft Software Suite
Ask.com Toolbar (Version: 1.0.1.1)
AudibleManager
AutoUpdate (Version: 1.1)
avast! Free Antivirus (Version: 5.0.677.0)
AVIcodec (remove only)
AviSynth 2.5
BitComet 0.59 (Version: 0.59)
Bonjour (Version: 1.0.104)
Camera Window DS (Version: 5.2)
Camera Window DVC (Version: 5.4)
Camera Window MC (Version: 5.4)
Canon Camera Support Core Library (Version: 7.3.0.4)
Canon Camera Window DC_DV 5 for ZoomBrowser EX (Version: 5.4)
Canon Camera Window DS for ZoomBrowser EX (Version: 5.2)
Canon Camera Window MC 5 for ZoomBrowser EX (Version: 5.4)
Canon MovieEdit Task for ZoomBrowser EX (Version: 1.3.1.21)
Canon PhotoRecord (Version: 02.02.02000)
Canon RAW Image Task for ZoomBrowser EX (Version: 2.1)
Canon Utilities PhotoStitch 3.1 (Version: 3.1.14)
Canon ZoomBrowser EX (Version: 5.02.0100)
CCleaner (remove only)
COMODO Internet Security (Version: 3.14.147648.588)
Coupon Printer for Windows (Version: 4.0)
Dell Photo Printer 720
Dell Photo Printer 720 Logger (Version: 1.0)
Direct Show Ogg Vorbis Filter (remove only)
DirectShow subtitle filter colleciton (remove only)
DivX Codec (Version: 6.8.5)
DivX Converter (Version: 7.1.0)
DivX Player (Version: 7.2.0)
DivX Plus DirectShow Filters
DivX Version Checker (Version: 7.1.0.2)
DivX Web Player (Version: 1.5.0)
Download Updater (AOL LLC)
DVD Decrypter (Remove Only)
Easy Internet Sign-up
Eeyore's Lost Tail Screen Saver
EncSpot Basic 2.0
Enhanced Multimedia Keyboard Solution
EPSON Copy Utility
EPSON EIC CX5400
EPSON Photo Print
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
ESET Online Scanner v3
ffdshow [rev 1953] [2008-05-04] (Version: 1.0)
Google Toolbar for Internet Explorer
H.264 Decoder (Version: 1.1.0)
HandBrake 0.9.3 (Version: 0.9.3)
HijackThis 2.0.2 (Version: 2.0.2)
hp center
HP Deskjet 5700 (Version: 1.00.0000)
HP DLA (Version: 3.26)
hp instant support (Version: 4.03.00)
hp learning adventure
HP Memories Disc (Version: 1.0.1.795)
HP Photo Printing Software
HP RecordNow (Version: 3.56)
HP Update (Version: 5.002.001.004)
Inactive HP Printer Drivers (Remove only)
Intel® Extreme Graphics Driver
InterActual Player
InterVideo WinDVD
iPod for Windows 2005-03-23 (Version: 3.8.0)
iPod for Windows 2005-10-12 (Version: 4.3.0)
iPod for Windows 2006-01-10 (Version: 4.7.0)
iRiver Updater
iTunes (Version: 7.6.1.9)
J2SE Runtime Environment 5.0 Update 11 (Version: 1.5.0.110)
J2SE Runtime Environment 5.0 Update 3 (Version: 1.5.0.30)
J2SE Runtime Environment 5.0 Update 4 (Version: 1.5.0.40)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
J2SE Runtime Environment 5.0 Update 9 (Version: 1.5.0.90)
Jasc Paint Shop Photo Album (Version: 4.0.4)
Jasc Paint Shop Pro 8 Dell Edition (Version: 8.10.0000)
Java 2 Runtime Environment, SE v1.4.0_01
Java 2 Runtime Environment, SE v1.4.2_04 (Version: 1.4.2_04)
Java Web Start
Java™ 6 Update 13 (Version: 6.0.130)
Java™ 6 Update 2 (Version: 1.6.0.20)
Java™ 6 Update 3 (Version: 1.6.0.30)
Java™ 6 Update 5 (Version: 1.6.0.50)
Java™ SE Runtime Environment 6 Update 1 (Version: 1.6.0.10)
Kazaa Media Desktop 2.0.2
Lernout & Hauspie TruVoice American English TTS Engine
Linksys VPN Client
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.14.0)
Macromedia Shockwave Player (Version: 10.1.0.11)
MadCatz NDS Customizer
MadCatz NDS Customizer (C:\Program Files\MadCatz NDS Customizer\)
Magic ISO Maker v5.4 (build 0251)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Mastermind
Microsoft .NET Compact Framework 2.0 (Version: 2.0.5239)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002 (Version: 10.0.50)
Microsoft Money 2002 System Pack (Version: 10.0.80)
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003 SMS Add-in (Version: 11.0.0027.0)
Microsoft Office XP Professional with FrontPage (Version: 10.0.2627.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Works and Money 2002 Setup Launcher
Microsoft XML Parser and SDK (Version: 4.10.9406.0)
MKV Splitter (Version: 1.0.1)
MovieEdit Task (Version: 1.3.1.21)
Mozilla Firefox (3.6.27) (Version: 3.6.27 (en-US))
Mozilla Sunbird (0.2)
Mozilla Sunbird (0.3.1) (Version: 0.3.1 (en-US))
MP3 Player Driver Install 1.0
MSN Music Assistant
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB933579) (Version: 6.10.1200.0)
MUSICMATCH Jukebox
neroxml (Version: 1.0.0)
Netscape (7.1)
Netscape Communicator 4.8
Netscape Navigator (9.0.0.6) (Version: 9.0.0.6 (en-US))
NVIDIA Windows 2000/XP Display Drivers
OpenMG Secure Module 4.2.00 (Version: 4.2.00.06070)
PC-Doctor for Windows
PhotoStitch (Version: 3.1.14)
Plaxo Toolbar for Windows
Popup Manager (remove only)
Power MP3 WMA Converter 1.15
PRINT DATA SENDER
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken Financial Center
QuickSFV (Remove only)
QuickTime (Version: 7.60.92.0)
RAW Image Task 2.1 (Version: 2.1)
RealPlayer
Rhapsody Player Engine (Version: 1.0.604)
RTP for RM2K (Png, Wav, Midi, Fonts)
SBC Yahoo! Applications
ScanToWeb
Secunia PSI
Secure Delivery
Sonic Foundry Super Duper Music Looper XPress (Version: 1.0.69)
Sophos Anti-Rootkit 1.5.0 (Version: 1.5.0)
SoundMAX
SSH Secure Shell
SUPERAntiSpyware Free Edition (Version: 4.26.0.1006)
Tcl 8.0.5 for Windows
The Lounge 1.0 (Version: 1.0)
Trillian
Tukati Client:GameZone
TuneSleeve (Version: 1.0.5)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
VC80CRTRedist - 8.0.50727.762 (Version: 1.0.0)
VERITAS StorageGuard (Version: 2.62.0)
Videora iPod Converter 0.91 (Version: 0.91)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
VobSub v2.18 (Remove Only)
WebFldrs XP (Version: 9.50.5318)
WildTangent Channel Manager
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Live Messenger (Version: 8.1.0178.00)
Windows Live Sign-in Assistant (Version: 4.100.313.1)
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
Works Suite OS Pack (Version: 1.0.0.0000)
Yahoo! Toolbar

========================= Memory info: ===================================

Percentage of memory in use: 72%
Total physical RAM: 510.52 MB
Available physical RAM: 141.09 MB
Total Pagefile: 1245.27 MB
Available Pagefile: 882 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.03 MB

========================= Partitions: =====================================

2 Drive c: (HP_PAVILION) (Fixed) (Total:52.36 GB) (Free:18.55 GB) NTFS
3 Drive d: (HP_RECOVERY) (Fixed) (Total:4.87 GB) (Free:0.75 GB) FAT32

========================= Users: ========================================

User accounts for \\SAVAGE

Administrator ASPNET Guest
HelpAssistant l7915799271 Owner
SUPPORT_388945a0 SUPPORT_fddfa904


**** End of log ****





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/01/2012 at 03:06 AM

Application Version : 4.56.1000

Core Rules Database Version : 8206
Trace Rules Database Version: 6018

Scan type : Complete Scan
Total Scan Time : 11:26:36

Memory items scanned : 517
Memory threats detected : 0
Registry items scanned : 7952
Registry threats detected : 0
File items scanned : 139450
File threats detected : 67

Adware.Tracking Cookie



ESET log:
C:\Updater.exe probably a variant of Win32/Adware.Virtumonde.JMIMDOZ application cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\Owner\My Documents\couponprinter.exe probably a variant of Win32/Adware.Softomate.AD application deleted - quarantined
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq227.tmp\update.exe probably a variant of Win32/Agent.DXIJLWR trojan deleted - quarantined
C:\WINDOWS\inf\alchem.inf probably a variant of Win32/Agent.GESWFOG trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\winlogon.exe Win32/Spy.Ursnif.A virus unable to clean
Operating memory Win32/Spy.Ursnif.A virus

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 March 2012 - 12:16 PM

Hello, we need to move and start a new topic as this is in ESET:
C:\WINDOWS\system32\winlogon.exe Win32/Spy.Ursnif.A virus unable to clean


Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.

Let me know if that went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 Imaloser

  • Topic Starter
  • Members
  • 87 posts

Posted 02 March 2012 - 08:27 PM

Thank you for your time. I was able to run all the programs and made a new thread in the other section. I posted my DDS log, attached the "attach.txt" but when I went to upload the ark.txt, it said "error file is too big to up". It's 695KB.

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 March 2012 - 09:13 PM

You're welcome and good that you noted the upload issue there.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 3 days and ALL logs are answered.

To avoid confusion, I am closing this topic.