Physical Memory Dump Issues.


zonda

All right... well here's the full story.

I set up my laptop to run as a server for Counter-Strike. Along the way of downloading junk I noticed I had some spyware and whatnot, so I cleaned it all up with Ad-Aware + Spybot and what have you. I leave for a day or so and I come back to a screen with a bunch of pop-ups and stuff.

At this point I am like "oh well, no big deal," so I minorly clean it up. Ad-Aware, defrag, cleanup, so on and so on.

Now the other day I go to join my server from my box, and notice that the server is offline. I go to the other room where my laptop is and I notice that I wasn't signed on the computer for some reason...

I sign in, start everything up just fine, and after about 5 minutes the computer shuts down. After a couple of tries I watch the computer, and see that it gets a blue screen of death saying "physical memory dump" yadda yadda yadda.

So in other words, I have no idea what to do. I don't even have enough time to do much before it crashes. I know it creates a log when it has to dump memory... but I don't know where. I can post it if you guys need it.

I don't know if this is a virus or spyware or hardware problem but I would really appreciate some help.

It's Windows 2000 Pro, 1.6 GHz processor, 384 MB RAM, 16 MB ATI video card, 13 GB hard drive. It's not running hot or anything like that. Other than that I don't know what else to say. Maybe I will try to disconnect it from the internet for a bit and do some repair work.

I hope you guys know what's going on because I am stumped. I have never had to deal with this kind of a problem before so I guess it will be a learning experience for me :lol:

Thanks guys!

EDIT: Also, every now and then when I would boot up I would get a message saying that my drive needed to be checked for errors, so I would let it proceed... but that's only when I would shut it down improperly (i.e. holding the power button for 5 seconds due to errors or something). Dunno if that has to do with anything or not.

I will see if I can at LEAST get you guys a HJT log off the laptop.

Okay, that's all. Thanks!


All right, well no, that didn't really get me much of anything to be honest, thanks though.

I tried starting up and this time Windows didn't even get to the login screen before it crashed. After a few more tries I got on, and downloaded Ad-Aware SE. I had 6.0 installed; I knew it was outdated but, in all honesty, I'm not really worried about the security on my laptop as I usually use it to test stuff out on anyway. If something goes wrong it's no big deal.

Alright, so I went to download SE and twice I tried to run the EXE and the computer crashed... I thought "no way, this isn't a coincidence." I redownloaded the EXE (because it kept getting mysteriously deleted...) and unhooked my laptop from the router. Scanned, and came up with tons of stuff that wasn't registering before.

I also uninstalled some junk that I found on there that I had no clue what it was or how it got there.

I will try and get a HJT log and will go scan with HouseCall as well as keep you guys updated on the situation as it currently stands.

Oh, btw, is there a way to get to safe mode on 2000 Pro (I really know nothing about this OS and rarely do I use it lol)? Because when I tried, all I got was a screen asking which OS I would like to boot... and I only have 2000 installed so obviously that's the one I chose, but there were no other options like "start in safe mode" or "safe mode with networking" etc. etc.

Didn't have any ways to boot up either, like "boot up with last known good Windows config" and such. I would just put XP on there but I am already using the key for it on this computer... and I don't know if it is legal or not to use it again on my laptop. Can anyone clear the air up about this for me? Thanks!


Well I've done what I can. AVG didn't get rid of 2 trojans for some reason, so I will try again and then if to no avail I can try HouseCall or something else...

Here's a HJT log for you. I know there's prolly some junk, and a lot of unnecessaries, but I tried to get what I knew 100% was unneeded. There's a lot of stuff at startup I know I don't need. Well, here it is.

Logfile of HijackThis v1.99.1
Scan saved at 11:48:21 PM, on 9/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss[Caution: ExecutableFile]
C:\WINNT\system32\winlogon[Caution: ExecutableFile]
C:\WINNT\system32\services[Caution: ExecutableFile]
C:\WINNT\system32\lsass[Caution: ExecutableFile]
C:\WINNT\System32\ibmpmsvc[Caution: ExecutableFile]
C:\WINNT\System32\Ati2evxx[Caution: ExecutableFile]
C:\WINNT\system32\hidserv[Caution: ExecutableFile]
C:\WINNT\System32\QCONSVC[Caution: ExecutableFile]
C:\WINNT\system32\svchost[Caution: ExecutableFile]
C:\WINNT\System32\mspmspsv[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
C:\WINNT\System32\svchost[Caution: ExecutableFile]
C:\WINNT\Explorer[Caution: ExecutableFile]
C:\WINNT\system32\tp4serv[Caution: ExecutableFile]
C:\WINNT\system32\atiptaxx[Caution: ExecutableFile]
C:\WINNT\LTSMMSG[Caution: ExecutableFile]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR[Caution: ExecutableFile]
C:\WINNT\system32\PRPCUI[Caution: ExecutableFile]
C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
C:\program files\steam\steam[Caution: ExecutableFile]
C:\Program Files\HJT\HijackThis[Caution: ExecutableFile]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clanetd.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv[Caution: ExecutableFile]
O4 - HKLM\..\Run: [AtiPTA] atiptaxx[Caution: ExecutableFile]
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG[Caution: ExecutableFile]
O4 - HKLM\..\Run: [synchronization Manager] mobsync[Caution: ExecutableFile] /logon
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR[Caution: ExecutableFile]
O4 - HKLM\..\Run: [TP4EX] tp4ex[Caution: ExecutableFile]
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI[Caution: ExecutableFile]
O4 - HKLM\..\Run: [LoadQM] loadqm[Caution: ExecutableFile]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost[Caution: ExecutableFile]
O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam[Caution: ExecutableFile]" -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9[Caution: ExecutableFile]
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim[Caution: ExecutableFile]
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1076432558265
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx[Caution: ExecutableFile]
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc[Caution: ExecutableFile]
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC[Caution: ExecutableFile]

Here, thought I might as well post this for kicks and giggles...

StartupList report, 9/10/2005, 11:51:35 PM
StartupList version: 1.52
Started from : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.766\StartupList[Caution: ExecutableFile]
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss[Caution: ExecutableFile]
C:\WINNT\system32\winlogon[Caution: ExecutableFile]
C:\WINNT\system32\services[Caution: ExecutableFile]
C:\WINNT\system32\lsass[Caution: ExecutableFile]
C:\WINNT\System32\ibmpmsvc[Caution: ExecutableFile]
C:\WINNT\System32\Ati2evxx[Caution: ExecutableFile]
C:\WINNT\system32\hidserv[Caution: ExecutableFile]
C:\WINNT\System32\QCONSVC[Caution: ExecutableFile]
C:\WINNT\system32\svchost[Caution: ExecutableFile]
C:\WINNT\System32\mspmspsv[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
C:\WINNT\System32\svchost[Caution: ExecutableFile]
C:\WINNT\Explorer[Caution: ExecutableFile]
C:\WINNT\system32\tp4serv[Caution: ExecutableFile]
C:\WINNT\system32\atiptaxx[Caution: ExecutableFile]
C:\WINNT\LTSMMSG[Caution: ExecutableFile]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR[Caution: ExecutableFile]
C:\WINNT\system32\PRPCUI[Caution: ExecutableFile]
C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
C:\program files\steam\steam[Caution: ExecutableFile]
C:\Program Files\Mozilla Firefox\firefox[Caution: ExecutableFile]
C:\Program Files\WinRAR\WinRAR[Caution: ExecutableFile]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.766\StartupList[Caution: ExecutableFile]

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9[Caution: ExecutableFile]

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit[Caution: ExecutableFile],

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TrackPointSrv = tp4serv[Caution: ExecutableFile]
AtiPTA = atiptaxx[Caution: ExecutableFile]
LTSMMSG = LTSMMSG[Caution: ExecutableFile]
Synchronization Manager = mobsync[Caution: ExecutableFile] /logon
TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR[Caution: ExecutableFile]
TP4EX = tp4ex[Caution: ExecutableFile]
PRPCMonitor = PRPCUI[Caution: ExecutableFile]
LoadQM = loadqm[Caution: ExecutableFile]
QuickTime Task = "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Configuration Loader = scvhost[Caution: ExecutableFile]

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Steam = "c:\program files\steam\steam[Caution: ExecutableFile]" -silent

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE[Caution: ExecutableFile]=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer[Caution: ExecutableFile]
SCRNSAVE[Caution: ExecutableFile]=C:\WINNT\system32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

BMMTask.job
Low Battery Alarm Program.job

--------------------------------------------------

Enumerating Download Program Files:

[WUWebControl Class]
InProcServer32 = C:\WINNT\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1076432558265

[shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: xfire_lsp_8742.dll (file MISSING)
Protocol #2: xfire_lsp_8742.dll (file MISSING)
Protocol #3: xfire_lsp_8742.dll (file MISSING)
Protocol #4: xfire_lsp_8742.dll (file MISSING)
Protocol #5: xfire_lsp_8742.dll (file MISSING)
Protocol #25: xfire_lsp_8742.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 5,087 bytes
Report generated in 0.060 seconds

Command line options:
  /verbose  - to add additional info on each section
  /complete - to include empty sections and unsuspicious data
  /full     - to include several rarely-important sections
  /force9x  - to include Win9x-only startups even if running on WinNT
  /forcent  - to include WinNT-only startups even if running on Win9x
  /forceall - to include all Win9x and WinNT startups, regardless of platform
  /history  - to list version history only

Once again, thanks again guys!

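The HJT log in this post carries the tells an analyst would look for: an autostart named scvhost (one letter swap from the real svchost), an entry under RunServices, a site added to the IE Trusted Zone, and a Winsock LSP chain pointing at a missing DLL. The script below is an added example, not part of the thread or of HijackThis; it runs simple triage rules over HijackThis-style lines, assumes the forum's "[Caution: ExecutableFile]" text stands for ".exe", and uses a hand-picked list of system binary names for the lookalike check.

```python
import re

# Assumed list of Windows system binaries that malware imitates with letter swaps.
SYSTEM_BINARIES = {"svchost", "lsass", "services", "winlogon", "smss", "csrss", "explorer"}
EXE_RE = re.compile(r"([A-Za-z0-9_$~-]+)\.exe", re.IGNORECASE)

# Constructed sample: lines taken from the HijackThis log above, with the forum's
# "[Caution: ExecutableFile]" filter text assumed to stand for ".exe".
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.exe
"""

def edit_distance(a, b):
    """Plain Levenshtein distance; cheap enough for short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    """Return the system binary `name` imitates (within 2 edits), else None."""
    n = name.lower()
    if n in SYSTEM_BINARIES or len(n) < 5:   # genuine and very short names are skipped
        return None
    return next((real for real in SYSTEM_BINARIES if edit_distance(n, real) <= 2), None)

def triage(log_text):
    """Return (severity, reason, line) for HJT lines that deserve a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        for exe in EXE_RE.findall(line):
            real = lookalike(exe)
            if real:
                findings.append(("high", f"{exe}.exe imitates {real}.exe", line))
        if "RunServices" in line:   # Win9x/Me autostart key; NT/2000 does not process it
            findings.append(("high", "RunServices autostart (Win9x key, unused by NT/2000)", line))
        if line.startswith("O15"):
            findings.append(("medium", "site added to IE Trusted Zone", line))
        if line.startswith("O10") and "missing" in line:
            findings.append(("medium", "Winsock LSP chain references a missing DLL", line))
        if line.startswith("O23") and "Unknown owner" in line:
            findings.append(("info", "service with no vendor info; verify the file's origin", line))
    return findings
```

Run `triage(SAMPLE_LOG)` and print the tuples; the scvhost line is flagged twice (lookalike name plus RunServices), while the genuine AVG entry produces nothing and the ThinkPad service shows up only as informational.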

Windows 2000 Pro with Service Pack 4.

I got rid of the problem with the blue screen of death; it was a bunch of spyware and trojans.

However, now I am having 1 particular problem.

My AVG tells me there is a virus over and over in the same directory (in /system32) and I can press delete over and over yet it keeps coming back, which is why I wanted someone to look at the HJT log I posted...

Also, I am having a problem where my svchost[Caution: ExecutableFile] is hogging ALL my CPU. Like literally it is using 99% of my CPU for NO reason and I am guessing this is linked to the trojan I am having. I will give some more info when I get my laptop; it's currently at my friend's house acting as a server.


Have you tried going into safe mode and running msconfig (from XP), stopping just about everything from loading, and then only enabling what you want to load?

The following statement is true. The previous statement is false. 60% of all statistics are made up 90% of the time

andrew i love you & want you to have my babys!!! <3:

Finally, I get to save the Earth with deadly lasers instead of deadly slide shows!
