Have Malicious Malware!!! Causing auto shut downs!

Malicious Malware!!! Causing auto shut downs & more!

Hey there,

Here is an updated description of my problem!

I get an Auto Shut down error window within 30 seconds of booting up in safe or normal mode. The shut down is initiated by NT Authority\System and the process noted is c:\windows\system32\lsass.exe. The code referenced is 1073741819. Sometimes the error reads Remote Procedure Call (RPC) shut down unexpectedly. The message pops up again after each restart and counts down from 60 seconds, then restarts again. It's like "Groundhog Day".

With help from another forum member:
1. I disabled the shut down with shutdown -a in "Start" & "Run".
2. I ran Symantec's removal tools for Sasser & Blaster.
3. I ran McAfee's Avert Stinger for Sasser & Blaster & other malwares.
4. I ran SpyBot
5. I ran SD Fix (for trojans)

All did not find anything.

* I am unable to move or copy files (though I can open them).
* I'm unable to enable my Windows XP or CA firewalls.
* Now the start menu in normal and safe mode periodically drops down out of sight and I am unable to click and drag it back as I normally can.
It seems as though this thing is "counter punching"!

I ran a HijackThis log (see below). I had to copy it to a portable hard drive to move it to the computer I'm now using. Should I be concerned about infecting this PC?

Can anyone recommend a fix? HELP!!! Thanks!

Here is my HijackThis log!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:14 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\RunOnce: [eFaxQuickStart] C:\PROGRA~1\EFAXME~1\quicktip.efx
O4 - HKUS\S-1-5-21-1666469000-1306132167-3961156637-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1666469000-1306132167-3961156637-500\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe (User '?')
O4 - HKUS\S-1-5-21-1666469000-1306132167-3961156637-500\..\Run: [RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-1666469000-1306132167-3961156637-500\..\RunOnce: [eFaxQuickStart] C:\PROGRA~1\EFAXME~1\quicktip.efx (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144343401109
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://advweb.countrywide.com/supportfiles/msrdp.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 7941 by
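The O23 lines in a HijackThis log name each service, the company recorded in the file's version information ("Unknown owner" when that field is empty) and the binary's path. The script below is an added example, not part of this thread and not a HijackThis feature: it parses O23 lines in that layout and lists the services a reviewer should look at by hand. The sample lines are copied from the log above; the three review rules (empty company name, non-Microsoft file under system32, display name that borrows a Windows component name) are assumptions of mine and produce candidates for checking, never verdicts.

```powershell
# Added example, not part of the thread: parse the O23 (service) lines of a
# HijackThis log and list the ones worth checking by hand. Sample lines are
# copied from the log posted above; the rules yield review candidates, not verdicts.
$sampleLines = @(
    'O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe',
    'O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe',
    'O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe',
    'O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe',
    'O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u'   # not an O23 line, ignored
)

function ConvertFrom-HjtServiceLine {
    param([string]$Line)
    # Layout: "O23 - Service: <display name> - <file owner> - <drive>:\<path>"
    # The owner is the company name from the file's version info; HijackThis
    # prints "Unknown owner" when that field is empty. Lazy matches keep
    # display names and owners that themselves contain " - " intact.
    if ($Line -match '^O23 - Service: (?<name>.+?) - (?<owner>.+?) - (?<path>[A-Za-z]:\\.+)$') {
        [pscustomobject]@{ Name = $Matches.name; Owner = $Matches.owner; Path = $Matches.path }
    }
}

function Get-HjtServiceReviewReasons {
    param([pscustomobject]$Svc)
    $reasons = @()
    if ($Svc.Owner -eq 'Unknown owner') {
        $reasons += 'no company name in version info'
    }
    if ($Svc.Path -match '\\system32\\' -and $Svc.Owner -notmatch 'Microsoft') {
        $reasons += 'non-Microsoft file in system32'
    }
    # Display names that borrow Windows component names while the file is not
    # from Microsoft (assumed heuristic; legitimate software trips it too).
    if ($Svc.Name -match 'svchost|winsock|windows|microsoft' -and $Svc.Owner -notmatch 'Microsoft') {
        $reasons += 'name resembles a Windows component'
    }
    $reasons
}

$sampleLines |
    ForEach-Object { ConvertFrom-HjtServiceLine $_ } |
    ForEach-Object {
        $why = Get-HjtServiceReviewReasons $_
        if ($why) {
            [pscustomobject]@{ Name = $_.Name; Path = $_.Path; Reasons = ($why -join '; ') }
        }
    } | Format-Table -AutoSize

# On the affected machine, the next step for each flagged path is to read the
# file's publisher and signature before deciding anything, for example:
#   Get-AuthenticodeSignature -FilePath 'C:\WINDOWS\System32\Ati2evxx.exe' | Select-Object Status, SignerCertificate
#   (Get-Item 'C:\WINDOWS\System32\Ati2evxx.exe').VersionInfo
```

Run against the sample, the ATI hotkey poller is flagged as well as the WinSock Svchost Manager entry: an empty company-name field is common for OEM driver helpers, which is exactly why the output is a list of files to verify (signature, version info, hash against a known-good copy, vendor documentation) and not a list of infections.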
What Operating System are you using? Windows 2000, XP, or Vista?

Could be the Sasser worm, run THIS tool to remove it if it's there. Can't hurt.

But it could be quite a few other things.

Edit: Also, when the box comes up telling you Windows has to shut down, click Start, then Run, type:

shutdown -a

and press enter. It will stop the PC from shutting down, though if you have Sasser, it will likely reappear after a minute or less.
Hi there! Thank you for your help!!! I am using Windows XP SP1a. I executed the Sasser removal tool and it did not find Sasser. Any thoughts?

Lou
 
I'm wondering if this could also be linked to your other problem about installing SP2 in your other thread.

Maybe better to try what I suggested there first :thumb:
 
I see you now have SP2 installed, but are still getting this problem?


If so, try this:

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. In Registry Editor, navigate to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2
4. Right-click Winsock2, and then click Delete on the shortcut menu that appears.
5. Click Yes to confirm the deletion of the key.
6. Repeat steps 3 through 5 to remove the following registry subkeys (if present):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Winsock2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winsock2

7. Quit Registry Editor.
8. Restart Windows normally.

You may find afterwards you have lost internet connectivity, if so download WinSockFix and follow the instructions.

Disclaimer: You do this at your own risk ;)
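Steps 3 to 6 above delete four registry keys by hand with no way back except a fresh install. The following script is an added example, not part of the post and not something the thread's participants wrote: it exports each of the four Winsock2 keys named above to a .reg file first, refuses to delete anything whose backup failed, and supports `-WhatIf` so the deletion can be rehearsed. The backup folder on the desktop is an assumed location. It must run in an elevated PowerShell on the affected machine.

```powershell
# Added example, not the thread's own instructions: back up the four Winsock2
# keys named in the post above before deleting them, so the change is reversible.
# Run from an elevated (administrator) PowerShell on the affected machine.
function Reset-Winsock2Keys {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed backup location; any writable folder works.
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\winsock-backup')
    )
    $keys = @(
        'HKLM\SYSTEM\CurrentControlSet\Services\Winsock2',
        'HKLM\SYSTEM\ControlSet001\Services\Winsock2',
        'HKLM\SYSTEM\ControlSet002\Services\Winsock2',
        'HKLM\SYSTEM\ControlSet003\Services\Winsock2'
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($key in $keys) {
        # reg.exe wants HKLM\..., the registry provider wants HKLM:\...
        $psPath = $key -replace '^HKLM\\', 'HKLM:\'
        if (-not (Test-Path -LiteralPath $psPath)) {
            Write-Verbose "absent, skipping: $key"
            continue
        }
        # One .reg file per control set, e.g. ControlSet001-Winsock2.reg
        $regFile = Join-Path $BackupDir (($key -split '\\')[2] + '-Winsock2.reg')
        if (Test-Path -LiteralPath $regFile) { Remove-Item -LiteralPath $regFile }
        & reg.exe export $key $regFile | Out-Null   # XP's reg.exe has no /y switch, so the old file is removed above
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $regFile)) {
            throw "backup of $key failed; leaving the key in place"
        }
        Write-Host "backed up $key -> $regFile"

        # ShouldProcess honours -WhatIf and -Confirm; the backup above runs either way.
        if ($PSCmdlet.ShouldProcess($key, 'Delete registry key')) {
            Remove-Item -LiteralPath $psPath -Recurse -Force
            Write-Host "deleted $key"
        }
    }
}

# Dry run first: lists what would be deleted without touching anything.
Reset-Winsock2Keys -WhatIf
# Then the real run, followed by a restart as in step 8 above:
# Reset-Winsock2Keys
```

CurrentControlSet is a link to one of the ControlSet00x keys, so after the first deletion its linked copy is reported absent and skipped rather than failing. To undo, double-click the exported .reg file (or run `reg import`). On XP SP2 the built-in `netsh winsock reset` rebuilds the Winsock catalog through a supported path and is worth trying before deleting keys at all.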
 
Hey there,

Rather than updating where I am with this problem I edited the 1st post to encourage others to look in. This one is turning out to be a real challenge. Any takers??

Thanks!

Lou
 
I posted just before your post above, and also before I read your update to the original post.

The HijackThis log doesn't show any problems at all, so we can rule out viruses/adware/spyware etc.

The only suggestion I have is in my last post - but you do this at your own risk.
 
You should probably try what Adywebb suggests - your HijackThis logfile seems clean of anything bad to me.

Most people seem to report that error code (1073741819) when infected with sasser, so in this case I have no idea.

BTW Adywebb - In her other thread, LouG says that this problem is on a different PC.
 
Adywebb,

Regarding the winsock fix you recommended above, can you explain what you think the problem is and what specifically the risks you referenced are so that I may make an informed decision as to whether to proceed? Thanks! PS: I vaguely remember doing something with the extension winsock with a tech at CA (my security software). Could he have screwed something up?

Thanks!

Lou
 
Adywebb, please read my post above first. Anyway I wanted to let you know that the problem is on a different PC than the SP2 issue. This is a Pentium 4 running XP Pro media edition with SP2. 1GHZ RAM, 250 GB Hard Drive and an ejectable 150 GB external hard drive. Do you need other specs??? Thanks! Lou
 
I suspect you have Winsock issues, and the reason I put the disclaimer is that I am giving advice to the best of my ability - however it is your choice whether to accept it.

The worst scenario is re-installing Windows - but if you can't find a solution then you are going to have to anyway.

Just out of interest you could try running the WinSockFix first and see if that makes a difference before doing the other.

Now it's my bedtime..... :nod:
 