Masaj
(Masaj)
14 March 2007 16:08
#1
I have a small problem, and its name is blue screen. Yesterday Windows Update found 2 updates; everything would have been fine if a blue screen had not appeared during installation: "Windows has encountered an error and will be shut down, cause: missing component in system32..." I did not manage to read any further.
One blue screen is not a problem, but two are.
When shutting down the computer I clicked "Shut down and install updates".
After Windows logged off, the message "preparing to install update / installing 1 of 2" appeared, and then another blue screen.
I do not know what to do about it. Memory and drivers are fine, I checked.
I am attaching 2 logs from MiniDump.
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Wed Mar 14 02:40:07.843 2007 (GMT+1)
System Uptime: 0 days 5:12:05.422
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...
Loading User Symbols
Loading unloaded module list
...
Unable to load image system32:lzx32.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for lzx32.sys
*** ERROR: Module load completed but symbols could not be loaded for lzx32.sys
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, b2ff05b3, b0cc0a20, 0}

ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D7000,213F80,42250FF9
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : system32:lzx32.sys ( lzx32+25b3 )

Followup: MachineOwner
And the second one:
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Wed Mar 14 02:54:52.859 2007 (GMT+1)
System Uptime: 0 days 0:14:26.460
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...
Loading User Symbols
Loading unloaded module list
...
Unable to load image system32:lzx32.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for lzx32.sys
*** ERROR: Module load completed but symbols could not be loaded for lzx32.sys
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, b2ff05b3, b089ea20, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : system32:lzx32.sys ( lzx32+25b3 )

Followup: MachineOwner
---------
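Both minidumps blame a module named "system32:lzx32.sys", and the colon in that name is the detail worth noticing: it is not a path, it is an NTFS alternate data stream attached to the System32 folder. The triage below is an added example, not something posted in this thread; it works on a constructed excerpt of the first WinDbg report above and pulls out the bugcheck, its parameters, the blamed module and any module name that has the ADS shape.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the first WinDbg minidump analysis posted above
# (only the lines the triage needs, in the debugger's own format).
MINIDUMP_LOG = """\
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Unable to load image ntoskrnl.exe, Win32 error 2
Unable to load image system32:lzx32.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for lzx32.sys
BugCheck 1000008E, {c0000005, b2ff05b3, b0cc0a20, 0}
Probably caused by : system32:lzx32.sys ( lzx32+25b3 )
Followup: MachineOwner
"""

# A module name with a colon but no path separator (dir:name.sys) is an
# NTFS alternate data stream attached to a directory. No legitimate driver
# is loaded from such a stream; it is how Rustock.b hid lzx32.sys here.
ADS_NAME_RE = re.compile(r"^[^\\/:\s]+:[^\\/:\s]+$")

@dataclass
class CrashTriage:
    bugcheck: str = ""
    args: list = field(default_factory=list)
    culprit: str = ""
    ads_modules: list = field(default_factory=list)

def triage_minidump(text):
    """Extract bugcheck, parameters and blamed module from raw WinDbg
    output and flag every module name that has the ADS shape."""
    t = CrashTriage()
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    if m:
        t.bugcheck = m.group(1).upper()
        # For 1000008E the first parameter is the unhandled exception code
        # (c0000005 is an access violation).
        t.args = [a.strip() for a in m.group(2).split(",")]
    m = re.search(r"Probably caused by\s*:\s*([^\s(]+)", text)
    if m:
        t.culprit = m.group(1)
    # Every image the debugger tried to load, plus the blamed module.
    seen = set(re.findall(r"Unable to load image ([^\s,]+)", text))
    if t.culprit:
        seen.add(t.culprit)
    t.ads_modules = sorted(n for n in seen if ADS_NAME_RE.match(n))
    return t
```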
adam9870
(adam9870)
14 March 2007 17:11
#2
Use the Rustock.b-fix tool.
After running it, post its report plus two GMER logs made with these settings:
Rootkit tab >>> everything checked except Show all >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post
Rootkit tab >>> only Services and Show all checked >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post
If all the logs do not fit directly in the post, upload them to some hosting service as *.txt files and just link them here.
http://forum.dobreprogramy.pl/viewtopic.php?t=96929
JNJN
(JNJN)
14 March 2007 17:16
#3
Please change the thread title to a specific one and use Polish diacritics; use the edit and correct option. JNJN
Masaj
(Masaj)
14 March 2007 22:13
#4
************************* Rustock.b-fix – By ejvindh *************************
2007-03-14 22:51:34,28

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure...

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 80118
Total size: 80118 bytes.
Attempting to remove ADS...
system32: deleted 80118 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************
//////////////////////////////////////////
 Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not register cleanup batch.
Error code: 0

//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pdcskyyc

*******************

Script file located at: ??\C:\WINDOWS\manxbivs.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.

Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
http://rapidshare.com/files/21058000/gmer__txt.txt.html
http://rapidshare.com/files/21058161/gmer_txt2.txt.html
And the log from RkU:
>SSDT State
NtClose Actual Address 0xF89DE9AC Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtCreateKey Actual Address 0xF89DE95E Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtDeleteKey Actual Address 0xF89DEA12 Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtDeleteValueKey Actual Address 0xF89DEA3C Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtEnumerateKey Actual Address 0xF89DEE6A Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtEnumerateValueKey Actual Address 0xF89DEEE0 Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtFlushKey Actual Address 0xF89DE9E8 Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtLoadKey Actual Address 0xF89DEF58 Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtOpenFile Actual Address 0xB099EF1F Hooked by: C:\Program Files\Softwin\BitDefender9\bdfsdrv.sys
NtOpenKey Actual Address 0xF89DE91C Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtQueryKey Actual Address 0xF89DEEA6 Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtQueryValueKey Actual Address 0xF89DEF1C Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtSetValueKey Actual Address 0xF89DEAE9 Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtUnloadKey Actual Address 0xF89DEF86 Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
>Processes
>Drivers
>Files
Suspect File: C:\Documents and Settings…\Ustawienia lokalne\Temporary Internet Files\Content.IE5\HSHXRHTZ_nn[1].htm Status: Hidden
Suspect File: D:$Extend$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: D:$Extend$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: D:\Transkrypt I i II$Extend Status: Hidden
>Hooks
ntoskrnl.exe+0x0000BA84, Type: Inline - RelativeJump at address 0x804E2A84 hook handler located in [unknown_code_page]
[2456]alg.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->accept, Type: Inline - RelativeJump at address 0x71A61028 hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump at address 0x71A53E00 hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71A59639 hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A5406A hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump at address 0x71A54FD4 hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->listen, Type: Inline - RelativeJump at address 0x71A588D3 hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71A52D0F hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A5428A hook handler located in [sockspy.dll]
[2456]alg.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71A52C69 hook handler located in [sockspy.dll]
[2456]alg.exe-->wsock32.dll-->recv, Type: Inline - RelativeJump at address 0x71A72E70 hook handler located in [sockspy.dll]
[2720]skypePM.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [sockspy.dll]
[284]Skype.exe-->user32.dll-->ScrollWindow, Type: IAT modification at address 0x00D9F864 hook handler located in [skype.exe]
[284]Skype.exe-->user32.dll-->ScrollWindowEx, Type: IAT modification at address 0x00D9F860 hook handler located in [skype.exe]
[3320]wuauclt.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->accept, Type: Inline - RelativeJump at address 0x71A61028 hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->bind, Type: Inline - RelativeJump at address 0x71A53E00 hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71A59639 hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A5406A hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump at address 0x71A54FD4 hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->listen, Type: Inline - RelativeJump at address 0x71A588D3 hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71A52D0F hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A5428A hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71A52C69 hook handler located in [sockspy.dll]
[3584]logon.scr-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [sockspy.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
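An RkU report like the one above lists every hook it finds, whether it belongs to an installed security product or to something that hides. The script below is an added example, not part of this thread or of RkU; it groups a constructed excerpt of that report by the module owning each hook handler, so the analyst can check the named handlers against installed software and is left with the entries RkU could not attribute to any module at all (the inline hook in ntoskrnl.exe landing in an unknown code page).

```python
import re
from collections import defaultdict

# Constructed excerpt of the RkU report posted above, one entry per line,
# in the tool's own format.
RKU_LOG = r"""
>SSDT State
NtClose Actual Address 0xF89DE9AC Hooked by: C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
NtOpenFile Actual Address 0xB099EF1F Hooked by: C:\Program Files\Softwin\BitDefender9\bdfsdrv.sys
>Hooks
ntoskrnl.exe+0x0000BA84, Type: Inline - RelativeJump at address 0x804E2A84 hook handler located in [unknown_code_page]
[2456]alg.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A5406A hook handler located in [sockspy.dll]
[3320]wuauclt.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A5428A hook handler located in [sockspy.dll]
[284]Skype.exe-->user32.dll-->ScrollWindow, Type: IAT modification at address 0x00D9F864 hook handler located in [skype.exe]
"""

SSDT_RE = re.compile(r"^(Nt\w+) Actual Address (0x[0-9A-Fa-f]+) Hooked by: (.+)$")
HOOK_RE = re.compile(
    r"^(.+?), Type: (.+?) at address (0x[0-9A-Fa-f]+) hook handler located in \[(.+?)\]$")

def triage_rku(text):
    """Group each hook by the module that owns its handler and return the
    hooks that need manual review because no module owns the handler."""
    by_handler = defaultdict(list)
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            # Keep only the driver file name; the path is the analyst's
            # pointer to the product that installed it.
            handler = m.group(3).rsplit("\\", 1)[-1].lower()
            by_handler[handler].append(("ssdt", m.group(1)))
            continue
        m = HOOK_RE.match(line)
        if m:
            by_handler[m.group(4).lower()].append((m.group(2), m.group(1)))
    needs_review = []
    for handler, hooks in by_handler.items():
        # A handler RkU cannot map to any loaded module (unknown_code_page)
        # is the pattern a kernel rootkit's inline patch leaves; a handler
        # that is a named driver or DLL can be verified against its product.
        if handler == "unknown_code_page" or not handler.endswith((".sys", ".dll", ".exe")):
            needs_review.extend(f"{target} -> {handler}" for _, target in hooks)
    return dict(by_handler), sorted(needs_review)
```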
adam9870
(adam9870)
15 March 2007 14:24
#5
The logs are clean.
Use the ATF Cleaner program and clear out the TEMP folders.
Masaj
(Masaj)
15 March 2007 21:57
#6
adam9870:
The logs are clean.
They may be clean according to Rustock.b-fix and GMER, but NOT according to RkU.
There is a suspected rootkit and it should probably be removed. But which entries should be removed, and how, so as not to damage the computer? What should I do about this?