# problem with bsnl's internet connexion



## slugger (Apr 9, 2007)

I am using win Server 2003. I recently got an always on Internet connection from BSNL. However, immediately after logging on I get these messages and my computer restarts with a countdown of 60 seconds. Please tell me how to solve this problem.



> Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
> ...


----------



## Choto Cheeta (Apr 9, 2007)

seems that system has plenty of Virus and Possible infection of Malware...

Get a Good AVS to run a full system scan...
Install the Windows Server 2003 SP1 or upgrade to Windows Server 2003 R2  ..

Now by Error trouble shoot,



> The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 128. The system will now shut down and restart.



Follow this below guide to resolve the issue...

*www.microsoft.com/technet/security/bulletin/MS04-011.mspx



> Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly



Possible due to *W32.Blaster.Worm* ... You may use the below tool from Symantec to resolve the issue, and get Windows Server 2003 SP1 or Upgrade to the Windows Server 2003 R2...

and for all other Install the latest updates for Windows Server 2003 !! get the SP1... and scan the system with a Good AVS like Symantec CE 10.1 or KAV !!


----------



## outlaw (Apr 9, 2007)

temporary solution :

run -> cmd

on the cmd prompt window

type "shutdown -a" {without quotes}

the shutdown window will be closed......


----------



## slugger (Apr 9, 2007)

i had avast running yesterday when i first faced this problem [i l8r formatted disk]
also i'm unable to copy paste anythin from web pages and not able to save the pages.
will download the patches and will keep u posted

i installed the security update that was provided in the link by saurav_cheeta, but did not solve my problem. i'm currently operating usin the method provided by outlaw. i'm also unable to save any webpages or copy paste anything from any web page dat i've opened

i opened task manager and found some files running

they were

oiumpg.exe
uayajhxj.exe
kqkzgmk.exe
wmiprvse.exe
w3wp.exe
ylchv.exe

do they mean any thing


----------



## Choto Cheeta (Apr 9, 2007)

Visit this link to download a tool called HijackThis. Run a system scan and save the log file, then Copy Paste the log here... let us look at it..


----------



## Quiz_Master (Apr 9, 2007)

@slugger

Hi mate!!!

There is 98 % chance that ur pc is infected with a trojan horse / spyware.

Install spyware search and destroy and clean ur pc with it. Also check that u r using the original windows not pirated one.

Remove any suspicious entry from ur startup. Using command msconfig.

Post a detailed info about ur problem.


----------



## slugger (Apr 10, 2007)

a problem that i noticed was that, i've been getting this shutdown message only when i'm opening a browser window, be it ie or firefox. i ran a spybot s&d scan for which it connected to the net for downloading updates but there was no shutdown message


@saurav_cheeta 
posting the log file


```
Logfile of HijackThis v1.99.1
Scan saved at 11:26:41 PM, on 4/9/2007
Platform: Windows 2003  (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVAST\aswUpdSv.exe
C:\Program Files\AVAST\aswServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\WINDOWS\system32\kqkzgmk.exe
C:\WINDOWS\system32\lssas.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVAST\aswDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\FIREFOX\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\FDM\iefdmcks.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SAInstall] SaInstall.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\winIogon.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\system32\kqkzgmk.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\lssas.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\iexplore.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST\aswDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\FDM\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\FDM\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\FDM\dllink.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{77A37C51-90AA-4290-B3DA-31F84E701F21}: NameServer = 218.248.240.208 218.248.255.193
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\AVAST\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\AVAST\aswServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\AVAST\aswMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\AVAST\aswWebSv.exe" /service (file missing)
```

i installed win2k3 sp2. i also ran the security tool provided by ms. installed spybot s&d and wormguard. as of now my rig doesn't seem to be giving me the shutdown message anymore.
however  noticed a few things
spybot give me this message
*img201.imageshack.us/img201/9894/errorkx2.gif
the names of the old file and the file it replaces keeps changing

also in my startup there is this entry
*img254.imageshack.us/img254/3217/startupro2.gif


----------



## Choto Cheeta (Apr 10, 2007)

ooppss... Sorry mate, one may see from the log you have posted you have multiple infection of some nasty Virus and Trojan !!

lets see,

*C:\WINDOWS\system32\lssas.exe*

Possible Sober Worm  W32.Sober ... Follow *this guide* of Symantec to download the tool and remove the worm..

*O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\winIogon.exe*

W32.LinkBot.M 

Follow *this guide* of Symantec to download the tool and remove the worm..

*O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\lssas.exe*

Try and delete the file... and get a good AVS, SP2 should have taken care !! r u sure u have deployed the SP2 successfully ?? looks to me you may have a corrupt installation of SP2 where its not installed with all patches.. !!

*O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\iexplore.exe*

Its a Trojan !! Run a full system scan with your spybot search and destroy !! it should clean it up... !!

I seriously doubt that you have a successful deployment of the SP2 !! HijackThis also doesn't reflect that installation !!

Get a proper AVS.. looks like for some reason Avast is not doing its job !! if you run a business, then time to switch to Symantec CE or Kaspersky solutions... !!


----------
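
Added example, not part of any post in this thread: the autorun entries singled out in the reply above (`lssas.exe`, `winIogon.exe`, and `iexplore.exe` under `system32`) all imitate a genuine Windows binary, and that pattern can be flagged mechanically from the O4 lines of a HijackThis log. The `KNOWN` allowlist and the function names are assumptions made for this example.

```python
import ntpath
import re

# Assumption: illustrative allowlist of often-impersonated Windows binaries
# and the directory each normally lives in (not exhaustive).
KNOWN = {
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
}
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})  # look-alike glyphs
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.+)$", re.M)
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.I)

def classify(path):
    """Return why an image path imitates a KNOWN binary, or None."""
    raw = ntpath.basename(path)
    name, folder = raw.lower(), ntpath.dirname(path).lower()
    if name in KNOWN:  # genuine name: only the location can be wrong
        return None if folder == KNOWN[name] else f"{name} outside {KNOWN[name]}"
    folded = raw.translate(CONFUSABLE).lower()
    if folded in KNOWN:  # e.g. capital I standing in for lowercase l
        return f"look-alike characters imitate {folded}"
    for good in KNOWN:  # same letters in a different order
        if sorted(name) == sorted(good):
            return f"reordered letters imitate {good}"
    return None

def scan(log_text):
    """Return (label, path, reason) for each suspicious O4 Run entry."""
    findings = []
    for m in O4_RE.finditer(log_text):
        exe = EXE_RE.match(m.group(2))
        reason = classify(exe.group(1)) if exe else None
        if reason:
            findings.append((m.group(1), exe.group(1), reason))
    return findings

# O4 entries copied from the first HijackThis log posted in this thread.
SAMPLE = r"""O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\winIogon.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\system32\kqkzgmk.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\lssas.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\iexplore.exe
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Name-imitation checks do not catch randomly named binaries such as `kqkzgmk.exe`; those need other signals, such as an unsigned file in `system32` registered under a misleading Run label.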



## slugger (Apr 11, 2007)

@saurav_cheeta
sorry m8, i ran d hijack scan b4 installing sp2
here i'm posting the log now dat i've installed sp2



> Logfile of HijackThis v1.99.1
> Scan saved at 8:23:57 AM, on 4/11/2007
> Platform: Windows 2003 SP2 (WinNT 5.02.3790)
> MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
> ...



also i inadvertently allowed a certain program to run using spybot s&d. now i'm unable to undo it.
the program dat i allowed to run was


> 4/10/2007 4:34:38 PM Allowed value "Advanced DHTML Enable" (new data: "C:\WINDOWS\system32\lgyzi.exe") changed in System Startup global entry!


plz tell me how to go about doing this

i also ran the sober tool from symantec, but it was unable to find anythin [i ran it in normal boot mode]

i also noticed dat with win2003 sumtimes when i try to shutdown, it instead restarts. happens quite often


----------



## Choto Cheeta (Apr 11, 2007)

well still at least there are 2 Worms present...

*O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\lssas.exe*

POEBOT-J WORM .... 

and 

*C:\WINDOWS\system32\lssas.exe*

W32.Sober

I suggest, uninstall the Avast and get a good AVS like Kaspersky or Norton,

try one more thing, run a online scan from either Kaspersky Online Scanner or Symantec Online Scanner not sure but i think they do support Server 2003 !!


----------



## slugger (Apr 13, 2007)

thanx saurav_cheeta
ur suggestion of using kaspersky av proved useful. it detected a lot of trojans on my computer
*img227.imageshack.us/img227/4346/treatedkw5.gif

ran hijack this after that
results

```
Logfile of HijackThis v1.99.1
Scan saved at 4:40:03 PM, on 4/13/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KASPERSKY AV\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\KASPERSKY AV\avp.exe
C:\Program Files\SPYBOT\TeaTimer.exe
C:\Program Files\ADOBE READER\Reader\reader_sl.exe
C:\Program Files\KASPERSKY AV\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\FDM\iefdmcks.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [SAInstall] SaInstall.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVP] "C:\Program Files\KASPERSKY AV\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\SPYBOT\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\ADOBE READER\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\ADOBE READER\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\FDM\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\FDM\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\FDM\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\FDM\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{77A37C51-90AA-4290-B3DA-31F84E701F21}: NameServer = 218.248.240.208 218.248.255.193
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\KASPERSKY AV\avp.exe" -r (file missing)
```

also a million thanx to outlaw for suggesting the

```
shutdown -a
```
which proved to be a boon in the first few sessions


shud i remove wormguard and spybot s&d and rely only on kaspersky to give me a decent level of protection

is there any freeware protection sw that can offer a similar level of protection [i don't mind installing different freewares for different types of protection]


----------



## Quiz_Master (Apr 13, 2007)

Don't Remove S&D. Use it as an extra protection. Running S&D once in a week won't hurt will it???


----------



## Choto Cheeta (Apr 13, 2007)

slugger said:

> thanx saurav_cheeta
> ur suggestion of using kaspersky av proved useful. it detected a lot of trojans on my computer



Welcome 

about the HijackThis log now, it looks clean to me 



> shud i remove wormguard and spybot s&d and rely only on kaspersky to give me a decent level of protection



keep the spybot  but u may remove any thing else.. if you have Kaspersky as full time AVS, then you won't need any thing else


----------

