Karl's PC Help Forums

System Shutdown Notice
crj17 - 24-3-2008 at 20:46

I am wickedly infected and do not know what to do. I am receiving a number of pop ups and desk try icons asking me to click the baloon (their spelling) to fix the various problems.

Here are some of the errors I am receiving:


Your computer might be at risk
*Latest software updates not installed
*Incorrect files association
*System appears to hang
*Firewall has errors

Click balloon to fix the problem

-----------------------------------------------------------
Tracking process is activated
**ADDRESS: 0x10A3007B
Can’t deactivate spyware program.

Click baloon to fix the problem

-----------------------------------------------

Your system is unstable.

A problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer, Kernel32x.SYS – Address 0xA73C20AE, error code Co2100, DateStamp 56b836A3, Kernel Debugger on port: COM3 (Port 0x19f, Baud rate 9201)

---------------------------------------------------------------------

I am also frequently receiving these error message types as well:

Iexplore.exe – application error
The instruction at “0x66fe1082” referenced memory at “0x0672d80”. The memory could not be “read”. Click ok to terminate the program.

AND:

SysFader: IE7EXPLORER.EXE – Application Fatal Error
The instruction at 0x01cf34739 referenced memory at 0x02df2e50. The memory could not be read.

And:

SysGuard: spyware process is found
Hidden malicious code is found at 0x3cf3439 address. Data interception can not be stopped.

But perhaps the most insidious of these menaces is the one which suddenly pops up and re-starts my pc.

-------------------------------------------------------------
This system is shutting down.
Please save all work in progress and log off.
Any unsaved changes will be lost.
This shutdown was initiated by My initials / my name

Time before shutdown: (a clock starting at 60 seconds)

Critical System Error. Process: lsass.exe,
Module: kernel 321.dll at address 0x78221981.
Instruction is referenced memerogy at 0x0000000.
Null pointer exception

--------------------------------------------------------------------


Can someone please help me out with this? I'm trying to finish a major paper and this stuff is killing my productivity and my patience.


Thanks,
CJ


Daz - 25-3-2008 at 01:38

Download Hijack This, FROM HERE, and post the logs for our resident expert to check for you... Read here for advice on how to use HJT


Dreamweaver - 25-3-2008 at 02:18

Thank you xx have moved to virus help.


crj17 - 25-3-2008 at 05:17

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:12 AM, on 03/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\aawservice.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\CLIFFO~1\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161970726406
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll
O20 - Winlogon Notify: hskrqvgf - hskrqvgf.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 10658 bytes
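A first-pass triage of an HJT log of this kind, added here as an example (it is not part of the post and not HijackThis's own code). It parses the O-numbered lines and lists the entries a reviewer usually asks about first: anything HJT marks "(file missing)", an O20 Winlogon Notify entry whose name looks machine-generated, and a service whose publisher is "Unknown owner". The regular expressions and the vowel heuristic are my own assumptions about the log format; the sample lines are constructed from lines of the kind seen in this log, plus one clean O4 line, so the script runs offline.

```python
"""
Triage helper for HijackThis (HJT) log lines.

Added example, not from the forum post and not HijackThis code.
It reads the O-numbered lines of an HJT log and produces a worklist
of entries a human reviewer would look at first:

  * any entry HJT marks "(file missing)"
  * O20 Winlogon Notify entries whose name looks machine-generated
    (assumed heuristic: 8+ lowercase letters with no vowel at all)
  * O23 services whose publisher is "Unknown owner"

Nothing here removes anything; it only prioritises what to check.
"""
import re

# Constructed sample: lines of the kind found in the log above, plus a
# clean O4 line, so the example runs without a real hijackthis.log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll
O20 - Winlogon Notify: hskrqvgf - hskrqvgf.dll (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed line layouts (they match the log above):
#   "O20 - Winlogon Notify: <name> - <dll> [(file missing)]"
#   "O23 - Service: <display> (<short>) - <publisher> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<publisher>.*?) - (?P<path>.*)$")

VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic: 8+ letters, all lowercase, and not a single vowel (y counts)."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    return not any(ch in VOWELS for ch in name)


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for the lines that deserve a closer look."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append(("file missing", line))
        m = O20_RE.match(line)
        if m and looks_random(m.group("name")):
            findings.append(("random-looking Winlogon Notify name", line))
        m = O23_RE.match(line)
        if m and m.group("publisher").strip() == "Unknown owner":
            findings.append(("service with unknown publisher", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

To use it on a real log, pass the contents of the saved hijackthis.log to triage(). The output is a worklist, not a verdict: an entry on it still needs its publisher, signature and on-disk file checked before anyone decides to fix or remove it, which is the point of posting the log for review rather than clicking Fix.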


LSemmens - 25-3-2008 at 10:03

What security are you running on your computer? I see references to Norton, AVG, Kaspersky and others. The combinations may actually be causing more grief than protecting you. Wait for Pancake, our resident expert, to help you though. Meantime, he will want to know exactly what security you are running and are updates turned on?

Welcome to KF, too.


Daz - 25-3-2008 at 10:17

Just to get you prepared, while you're waiting for Pancake...

I think Pancake will also ask you to run ComboFix...

Quote:
Originally posted by Pancake

Download Combofix from any of the links below, and save it to your desktop. For further information regarding this download you can see this on this http://www.bleepingcomputer.com/combofix/how-to-use-combofix Information Page

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Caution...Never run and remove files using ComboFix without being supervised by a security analyst


There's nothing jumping out at me in your HJT log, but I'm no expert, so wait for Pancake to advise further... (He might say don't run ComboFix, you never know...!)

Agree with Leigh though, your log looks strange with so many AV references, and anti spyware products.


LSemmens - 4-4-2008 at 13:34

Hi RAA, welcome to the madhouse, most of us are harmless. Have a read of the first few topics stickied at the top of this forum, they'll give you some ideas regarding system security and the hows, and whys.

Now, to your problem, please start a new thread in this forum giving us as much detail as you possibly can. A HijackThis log would assist, too.


Katzy - 4-4-2008 at 20:13

One thing worth trying...

Click "Start" and select "Run". In the box that opens, type "services.msc" and you'll get a new window named "Services".

Scroll down to "Remote Procedure Call (RPC)" and double-click on it.

Click the "Recovery" tab.

Make sure all the "failure" entries are set to "Do nothing".

Do the same for "Remote Procedure Call (RPC) Locator".
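The same setting read from a command prompt, as an added example (these are not Katzy's steps and not a Microsoft tool). On Windows XP the RPC service's recovery action defaults to "Restart the Computer", so a failure of that service turns into a system shutdown countdown; the GUI steps above change it to "Do nothing". The script below runs `sc.exe qfailure` for the two services and reports whether any failure action is REBOOT. Assumed by me: the service short names RpcSs and RpcLocator, and the output layout shown in SAMPLE_OUTPUT, which is a constructed sample of what sc.exe prints so the parser can be exercised off a Windows box.

```python
"""
Report the recovery ("failure") actions of the RPC services.

Added example, not from the forum post. An empty action list is what
the Services GUI shows as "Do nothing"; REBOOT is "Restart the
Computer", which is the setting the post tells you to turn off.
"""
import platform
import re
import subprocess

# Assumed short names of "Remote Procedure Call (RPC)" and "RPC Locator".
RPC_SERVICES = ("RpcSs", "RpcLocator")

# Constructed sample of `sc.exe qfailure RpcSs` output (layout assumed),
# showing the XP default: restart twice, then reboot the machine.
SAMPLE_OUTPUT = """[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: RpcSs
        RESET_PERIOD (in seconds)    : 0
        REBOOT_MESSAGE               :
        COMMAND_LINE                 :
        FAILURE_ACTIONS              : RESTART -- Delay = 60000 milliseconds.
                                       RESTART -- Delay = 60000 milliseconds.
                                       REBOOT -- Delay = 60000 milliseconds.
"""

# Action keywords as sc.exe prints them (assumed). The word boundaries keep
# "REBOOT_MESSAGE" from matching as an action.
ACTION_RE = re.compile(r"\b(RESTART|REBOOT|RUN PROCESS)\b")


def parse_failure_actions(text: str) -> list[str]:
    """Return the action keywords listed under FAILURE_ACTIONS, in order."""
    actions: list[str] = []
    in_block = False
    for line in text.splitlines():
        if "FAILURE_ACTIONS" in line:
            in_block = True  # FAILURE_ACTIONS is the last field; it may span lines
        if in_block:
            m = ACTION_RE.search(line)
            if m:
                actions.append(m.group(1))
    return actions


def reboots_on_failure(text: str) -> bool:
    """True if any failure action would restart the computer."""
    return "REBOOT" in parse_failure_actions(text)


def query_failure_actions(service: str) -> str:
    """Run `sc.exe qfailure <service>` (Windows only) and return its output."""
    result = subprocess.run(["sc.exe", "qfailure", service],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    if platform.system() != "Windows":
        print("not on Windows; parsing the constructed sample instead")
        print("RpcSs:", parse_failure_actions(SAMPLE_OUTPUT),
              "reboot on failure:", reboots_on_failure(SAMPLE_OUTPUT))
    else:
        for svc in RPC_SERVICES:
            text = query_failure_actions(svc)
            print(f"{svc}: actions={parse_failure_actions(text)} "
                  f"reboot_on_failure={reboots_on_failure(text)}")
```

Reading the setting this way before and after the GUI change is a quick way to confirm it actually took; the script only queries, it does not change anything, so the change itself is still made through the Recovery tab as described.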


Pancake - 4-4-2008 at 22:51

I will need to see the Combofix log....


TooCute4Words - 4-4-2008 at 22:58

Quote:
Originally posted by LSemmens

Hi RAA, welcome to the madhouse, most of us are harmless.


Except some of the smileys hiding Here ;);)


LSemmens - 7-4-2008 at 10:41

The reason why I suggest it is to eliminate confusion, your problems may have the same symptoms, but the causes may be quite different. No two computers are configured exactly the same once they leave the factory. If you like, I'll split your thread off so that you don't have to re-type everything.


tonydimo - 27-4-2008 at 11:19

Quote:
Originally posted by crj17
I am wickedly infected and do not know what to do. I am receiving a number of pop ups and desk try icons asking me to click the baloon (their spelling) to fix the various problems.

Here are some of the errors I am receiving:


Your computer might be at risk
*Latest software updates not installed
*Incorrect files association
*System appears to hang
*Firewall has errors

Click balloon to fix the problem

-----------------------------------------------------------
Tracking process is activated
**ADDRESS: 0x10A3007B
Can’t deactivate spyware program.

Click baloon to fix the problem

-----------------------------------------------

Your system is unstable.

A problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer, Kernel32x.SYS – Address 0xA73C20AE, error code Co2100, DateStamp 56b836A3, Kernel Debugger on port: COM3 (Port 0x19f, Baud rate 9201)

---------------------------------------------------------------------

I am also frequently receiving these error message types as well:

Iexplore.exe – application error
The instruction at “0x66fe1082” referenced memory at “0x0672d80”. The memory could not be “read”. Click ok to terminate the program.

AND:

SysFader: IE7EXPLORER.EXE – Application Fatal Error
The instruction at 0x01cf34739 referenced memory at 0x02df2e50. The memory could not be read.

And:

SysGuard: spyware process is found
Hidden malicious code is found at 0x3cf3439 address. Data interception can not be stopped.

But perhaps the most insidious of these menaces is the one which suddenly pops up and re-starts my pc.

-------------------------------------------------------------
This system is shutting down.
Please save all work in progress and log off.
Any unsaved changes will be lost.
This shutdown was initiated by My initials / my name

Time before shutdown: (a clock starting at 60 seconds)

Critical System Error. Process: lsass.exe,
Module: kernel 321.dll at address 0x78221981.
Instruction is referenced memerogy at 0x0000000.
Null pointer exception

--------------------------------------------------------------------


Can someone please help me out with this? I'm trying to finish a major paper and this stuff is killing my productivity and my patience.


Thanks,
CJ


tonydimo - 27-4-2008 at 11:20

I am having the exact same problem with my pc. Can anyone help me.

thanks

Tony;)


LSemmens - 27-4-2008 at 11:55

Hi, tonydimo, welcome to Karl's place. Please post your question in a new thread. If you've read my previous replies to RAA further up this thread you'll see the reasoning.


Katzy - 27-4-2008 at 12:31

With all those references to Sony, my radar's bleeping "Rootkit"!

I might be well-wrong, though.


Pancake - 27-4-2008 at 23:05

No HJT or Combofix yet..????