Virus Issue

  1. #1
    Hmahale is offline Newbie

    Virus Issue

    Hello all
    I am Hemant Mahale from India.

    Recently I visited this site and found it very useful. I have read one post, "running cmd and msconfig cause Windows XP to reboot", and the solution also matches my problem, but I observed that while trying all those solutions my computer restarts automatically. Even if I want to run HijackThis for a logfile it won't let me do that; suddenly my PC restarts.
    Even though I tried the Sysinternals utility provided by Microsoft, that also gives the same problem. I mean, if I want to run KillBox or HJT or any other application which performs a system scan, the PC restarts automatically. I am also not able to start it in Safe Mode; suddenly the blue screen appears.


    Please help me.

    If you want more details please let me know.

    Rgds

    Hemant


  2. #2
    broni is offline Senior Member
    What does the blue screen say?

  3. #3
    Hmahale is offline Newbie
    The error message I saw on screen is Stop 0x0000007B(0xf7aee524,0x00000034,0x00000000,0x00000000) Check for viruses on your computer, run chkdsk /f to check HDD etc. etc.


    I have also run that utility with the chkdsk /f /r option and no error was found on the machine.

    The system configuration is an HCL machine with

    512 MB DDR RAM, 160 GB HDD, Intel IV D processor, and Intel chipset.
    Last edited by Hmahale; 27-04-2009 at 05:06 AM.

  4. #4
    broni is offline Senior Member
    Is your computer operable?
    When does the BSOD error happen?

    Navigate to: C:\Windows\Minidump folder.
    If you see any .dmp files, zip all of them, and attach zipped file to your next reply.

  5. #5
    Hmahale is offline Newbie
    Broni, thanks for your instant replies.

    Here is the file. I searched my entire HDD and found these two dump files.

    Please check the dmp file.
    There is also another dmp file on my system, memory.dmp, and the file size is about 1 GB,
    but I am not able to zip that file. Bro, one doubt I just wanted to clear with you:
    do you think it's any hardware issue? Or may a virus also be a cause for BSOD?

  6. #6
    broni is offline Senior Member
    You never answered:
    Is your computer operable?
    When does the BSOD error happen?
    Did you find only one .dmp file in C:\Windows\Minidump?
    If BSOD happens all the time, you should have more files there.
    That one file is inconclusive.
    It lists PFN_LIST_CORRUPT error, which may indicate RAM problem, but I don't want to judge anything from one .dmp file.

    You need to say a little bit more about the circumstances when the restart happens.

    Download System Information for Windows: SIW | Download to your Desktop.
    Get SIW Standalone (English-Only).
    Double click on siw.exe to run the program.
    Go File>Create Report File>HTML
    Save the file to known location.
    Zip the file, and attach it to your next reply.

  7. #7
    Hmahale is offline Newbie
    Hey Broni

    As you asked me earlier: yes, my PC is operable, and the BSOD happens every time I try to boot my PC in safe mode or if I try to run the GMER software, which scans the PC for virus infection.
    In the GMER case it either restarts or gives me the BSOD screen. Another thing is I'm not able to download the SIW software; my browser shows me "ERROR
    The requested URL could not be retrieved

    While trying to retrieve the URL: http://www.gtopala.com/download/siw-setup.exe

    The following error was encountered:

    * Zero Sized Reply

    Squid did not receive any data for this request.

    Your cache administrator is root.
    Generated Mon, 27 Apr 2009 05:52:15 GMT by netserv (squid/2.6.STABLE6) "

    Error message. My network admin has installed a firewall over our network, so that may be a problem for me to download this utility. Would there be any other way to download this utility?


    Please help me.

  8. #8
    Hmahale is offline Newbie
    Broni, I found one more strange problem: if I want to shut down the PC it's not happening, the PC restarts, so for a proper shutdown I have to unplug the power cord. Does it give you any idea about how I can clean the virus?

  9. #9
    broni is offline Senior Member
    Nobody said virus, yet, but it may be a good idea to check.

    Download HijackThis:
    TrendSecure | Download TrendMicro HijackThis
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator

    I'll move the thread, if necessary.

  10. #10
    Hmahale is offline Newbie
    Good morning Broni

    I have run the software on the system and it has generated the log.

    Please see below.





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:30:16 AM, on 4/29/2009
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\System32\dns.exe
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\F-Secure\FSAUS.PM\bin\server.exe
    C:\Program Files\F-Secure\FSAUS.PM\bin\bwserver.exe
    C:\Program Files\F-Secure\Management Server 5\apache.exe
    C:\Program Files\F-Secure\Management Server 5\Web Reporting\bin\fspmwrservice.exe
    C:\Program Files\F-Secure\Management Server 5\Web Reporting\firebird\bin\fbserver.exe
    C:\WINDOWS\System32\ismserv.exe
    C:\Program Files\F-Secure\Management Server 5\Web Reporting\runtime\bin\fspmwr.exe
    C:\WINDOWS\system32\ntfrs.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\F-Secure\Management Server 5\apache.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\F-Secure\Management Server 5\bin\rotatelogs.exe
    C:\Program Files\F-Secure\Management Server 5\bin\rotatelogs.exe
    C:\WINDOWS\SYSTEM32\DWRCST.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\SysMax\postgres.exe
    C:\WINDOWS\system32\SysMax\postmaster.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.197:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.*;http://cmifpedc;192.168.*.*;<local>
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\SysMax\postgres.exe
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cmifpe.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63293CA0-55F7-41A0-9C5D-AEDBB7CF1063}: NameServer = 172.16.0.4,172.16.20.4,172.16.60.4
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cmifpe.com
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Automatic Update Server (FSAUS) - BackWeb - C:\Program Files\F-Secure\FSAUS.PM\bin\server.exe
    O23 - Service: F-Secure Policy Manager Server (fsms) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\apache.exe
    O23 - Service: F-Secure Policy Manager Web Reporting (fspmwr) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\Web Reporting\bin\fspmwrservice.exe
    O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

    --
    End of file - 4302 bytes
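
A triage check for the log in post #10, as an added example that is not part of the original thread or of HijackThis: it parses the log and reports any program chained after the stock value of a Winlogon Shell=/Userinit= entry (the F2 line), and whether that program also appears under "Running processes". The function names and the EXPECTED table are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the log in post #10, trimmed.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\SysMax\postgres.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\SysMax\postgres.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # e.g. "F2 - REG:..."
WINLOGON = re.compile(r"\b(Shell|Userinit)=(.*)$", re.I)
# Stock program for each Winlogon value on a default install (assumed baseline).
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

def parse(log):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def extra_winlogon_programs(log):
    """Return programs chained onto Shell=/Userinit= and whether each is running."""
    processes, entries = parse(log)
    running = {p.lower() for p in processes}
    findings = []
    for code, body in entries:
        m = WINLOGON.search(body)
        if code != "F2" or not m:
            continue
        # Values are space/comma separated; paths containing spaces are not handled.
        for prog in filter(None, re.split(r"[,\s]+", m.group(2))):
            if prog.lower().rsplit("\\", 1)[-1] != EXPECTED[m.group(1).lower()]:
                findings.append({"value": m.group(1), "program": prog,
                                 "running": prog.lower() in running})
    return findings

if __name__ == "__main__":
    print(extra_winlogon_programs(SAMPLE_LOG))
```

A finding means the entry deserves a closer look at the named file, not that the file is malicious.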
