TechSpot

BSODs and Viruses HJT log

By hatty
Jan 10, 2007
  1. Hello All. I've just connected a new power supply unit after a month waiting for it and my PC is not happy at all.

    I suspect it is a Trojan or some malware, and nothing to do with the new PSU.

    I can't get the pc to run for very long before I get BSOD with either win32k.sys or Page_fault_in_NonPaged_Area.

    I've been trying to follow the instructions on this page for cleaning but my PC shuts down before I can download the most recent updates for AVG, SS&D, AdAware etc. or before any scan is complete.

    I have managed to run Trojan Hunter which found Trojan.Generic, Trojan.Downloader.Zlob.63O, Worm.MiMail.100

    I did also manage to run HJT and so I've attached the log file here.

    Could there be a RAM problem as well: I read that this can cause win32k.sys faults.

    Thanks for reading!
     
  2. wolfram

    wolfram TechSpot Paladin Posts: 1,967   +9

    Hi,

    Please check this topic here:
    http://www.techspot.com/vb/topic58138.html

    Then, have HJT fix these nasty entries:

    O4 - HKLM\..\Run: [RDLL] RunDll16.exe Must be fixed! Added as a result of the SDBOT.F WORM.

    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe Must be fixed! Added as a result of the SDBOT.F WORM.

    O4 - HKLM\..\RunServices: [SystemSAS] system32.exe Added as a result of the KWBOT.C VIRUS!

    And post a fresh HJT log. Also, you should follow Howard's advice.

    Regards :wave:

    EDIT: If you suspect it is a RAM problem, download and run Memtest86, and let it run for several passes. Check this link for more info:
    http://www.techspot.com/vb/topic62524.html
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    As wolfram quite rightly points out, your system is infected with a worm. However, do not fix them with HJT yet, as simply fixing something won't get rid of the infection and can make any subsequent fix more difficult.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of hatty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. wolfram

    wolfram TechSpot Paladin Posts: 1,967   +9

    I told you hatty... Follow Howard's advice. He's an expert ;)
     
  5. hatty

    hatty TS Rookie Topic Starter

    Thank you Howard and Wolfram,

    I should have made it more obvious in my original post that I have been trying to follow Howard's instructions on the Viruses/Spyware/Malware preliminary removal instructions page.
    My problem was the constant BSOD shutdowns even in Safe Mode. With your encouragement that I was on the right track I've been persevering though.
    I remembered that when I re-assembled the motherboard and its new PSU I changed the order of my RAM modules, so changing them back seems to have helped with the BSODs to some degree.

    Here's a round-up of my progress so far:

    I haven't been able to run Housecall: I have patchy internet access in Normal Mode, and when I can get online to start the Housecall scan, the scan gets stuck at the "checking system platform" stage.

    I have run the four tools suggested, only Smitfraud came up with anything to fix.

    I have run Avast in Safe Mode with my folders unhidden: it takes 35 minutes to perform a quick scan and finds nothing.

    When I try to run SS&D in Safe Mode it tells me I haven't updated the detection rules files: even though I have, they must get deleted/corrupted on re-booting to Safe Mode.
    When I ran SS&D in Normal Mode it insists that I haven't downloaded the services detection rules: this is what I need to detect the worm isn't it? When I check for updates it doesn't give me the option to download the services detection rules.

    When I ran the check for problems SS&D came up with three items: Funwebproducts, hotsearchbar, Kazaa.irc.spybot13.world, which I fixed.

    The offending worm is still undetected. My question is, which of the programs is likely to detect it? Then I can concentrate on getting that to work. I can try re-installing SS&D, running a full scan with Avast, or persevering with Housecall…

    And if none of these is successful should I use HJT to fix the registry entries or is there another manual way to remove this worm?

    I may well try installing AVG instead of Avast and see what that brings up.

    Thanks again!

    hatty
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Since you're having problems with some of the scans/tools etc., please post fresh HJT and AVG Antispyware logs.

    Regards Howard :)

    This thread is for the use of hatty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. hatty

    hatty TS Rookie Topic Starter

    Hi Howard,

    I ran AVG in Safe Mode and it didn't find anything.

    Here are my latest HJT and AVG-AS logs.

    hatty
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    SystemSAS

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    system32.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)

    O4 - HKLM\..\RunServices: [SystemSAS] system32.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\SYSTEM\blank.htm
    system32.exe (search your system for this file and delete all instances found)

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let us know how your system is running.

    Regards Howard :)

    This thread is for the use of hatty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
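    The entries wolfram and Howard singled out above are all lines from a HijackThis log: O4 autorun entries launching RunDll16.exe and system32.exe from the Run/RunServices keys, an R0 "Local Page" pointing at blank.htm, and an O3 toolbar whose DLL is missing. The following Python script is an added example, not code from this thread or from HijackThis: it parses log lines of that shape and flags the indicators named in this thread, plus one heuristic of my own (an autorun that names a bare filename rather than a full path, which legitimate installers rarely do). The sample log is constructed from the entries quoted in the thread with one benign AVG entry added for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: the entries quoted in this thread plus one benign autorun.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# A HJT line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 entry: "<hive\key>: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Filenames this thread identifies as worm components (SDBOT.F / KWBOT.C per wolfram's post).
KNOWN_BAD_AUTORUN = {"rundll16.exe", "system32.exe"}


@dataclass
class Entry:
    section: str
    body: str
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Split a HJT log into (section, body) entries, ignoring non-matching lines."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m["section"], m["body"], raw))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (raw line, reason) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        if e.section == "O4":
            m = O4_RE.match(e.body)
            if not m:
                continue
            cmd = m["cmd"].strip()
            exe = cmd.split()[0] if cmd else ""
            base = exe.rsplit("\\", 1)[-1].lower()
            if base in KNOWN_BAD_AUTORUN:
                findings.append((e.raw, f"autorun launches {base}, named in this thread as a worm component"))
            elif "\\" not in exe:
                # Heuristic (my assumption): real software registers a full path, so a bare
                # filename relies on PATH lookup and is a common malware habit. Verify the file.
                findings.append((e.raw, "autorun uses a bare filename rather than a full path"))
        elif e.section == "R0" and "local page" in e.body.lower() and e.body.lower().endswith("blank.htm"):
            findings.append((e.raw, "IE Local Page redirected to blank.htm, as flagged in this thread"))
        elif e.section == "O3" and "(file missing)" in e.body:
            findings.append((e.raw, "toolbar registered but its DLL is missing; orphaned entry"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}\n    {raw}")
```

    The script only reports; it changes nothing, which matches Howard's point that ticking entries in HJT before the underlying files and services are dealt with does not remove an infection. Running it on a real log means pasting the log text into SAMPLE_LOG or reading a file into `parse_hjt`.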
     
  9. hatty

    hatty TS Rookie Topic Starter

    Thanks Howard, I followed your instructions and there seems to be no sign of system32.exe. Here's the latest HJT log. The computer seems much happier; I'll let you know if I hit any problems in the next few days.
    hatty :)

    what a ***** I am :blush:
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of hatty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     