Kedriik
(Kedriik)
1 February 2007 19:25
#1
The problem looks like this: when I start the computer and don't connect to the internet (Neostrada), everything runs fine, but after connecting to the internet, after about 5-10 minutes, either an error pops up (it reads roughly "Windows will be shut down in 00:00:59 seconds, unexpected termination of services.exe", and at the same time a box appears saying "an error occurred with services.exe"), or the computer resets itself without warning (there's some strange sound from the computer, but it's hard for me to put it on the screen). I have the setting unchecked so that the blue screen is shown on a reset, but now it doesn't show up.
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 20:22:09, on 2007-01-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Wapster\AQQ\AQQ.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Odik\Pulpit\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM…\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM…\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM…\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 15.7\RivaTuner.exe" /S
O4 - HKLM…\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM…\Run: [FlashGet] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [AtiTrayTools] C:\Program Files\Radeon Omega Drivers\v2.6.61\ATI Tray Tools\atitray.exe
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU…\Run: [AQQ] C:\PROGRA~1\Wapster\AQQ\AQQ.exe
O4 - HKCU…\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU…\Run: [EdHTML] C:\Program Files\Binboy\EdHTMLv5.0\EdHTML.exe /none
O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU…\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O17 - HKLM\System\CCS\Services\Tcpip…{456691AF-ED21-43B8-8F1E-D7B5BBEA49EE}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
Minidump
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y argument when starting the debugger.               *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Mon Jan 1 19:39:21.281 2007 (GMT+1)
System Uptime: 0 days 0:03:30.010
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...
Loading User Symbols
Loading unloaded module list
...
Unable to load image system32:lzx32.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for lzx32.sys
*** ERROR: Module load completed but symbols could not be loaded for lzx32.sys
Unable to load image ndiswan.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for ndiswan.sys
*** ERROR: Module load completed but symbols could not be loaded for ndiswan.sys
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007F, {8, f7ac7d70, 0, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** WARNING: Unable to verify timestamp for wanarp.sys
*** ERROR: Module load completed but symbols could not be loaded for wanarp.sys
*** WARNING: Unable to verify timestamp for tcpip.sys
*** ERROR: Module load completed but symbols could not be loaded for tcpip.sys
*** WARNING: Unable to verify timestamp for psched.sys
*** ERROR: Module load completed but symbols could not be loaded for psched.sys
*** WARNING: Unable to verify timestamp for NDIS.sys
*** ERROR: Module load completed but symbols could not be loaded for NDIS.sys
*************************************************************************
***                                                                   ***
***   Your debugger is not using the correct symbols                  ***
***                                                                   ***
***   In order for this command to work properly, your symbol path    ***
***   must point to .pdb files that have full type information.       ***
***                                                                   ***
***   Certain .pdb files (such as the public OS symbols) do not       ***
***   contain the required information. Contact the group that        ***
***   provided you with these symbols if you need this command to     ***
***   work.                                                           ***
***                                                                   ***
***   Type referenced: nt!_KPRCB                                      ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***   Your debugger is not using the correct symbols                  ***
***                                                                   ***
***   In order for this command to work properly, your symbol path    ***
***   must point to .pdb files that have full type information.       ***
***                                                                   ***
***   Certain .pdb files (such as the public OS symbols) do not       ***
***   contain the required information. Contact the group that        ***
***   provided you with these symbols if you need this command to     ***
***   work.                                                           ***
***                                                                   ***
***   Type referenced: nt!KPRCB                                       ***
***                                                                   ***
*************************************************************************
Probably caused by : system32:lzx32.sys ( lzx32+6016 )

Followup: MachineOwner
---------
I scanned the HDD with 3 antivirus programs (a-squared free found one virus, but after deleting it I can't start Neostrada and have to install it again, after which the virus shows up again; avast: clean; AVG Anti-Spyware: clean).
Many thanks for any help!
regards ;]
I once had the same thing with the computer resetting after so many seconds, except that I had some virus. Maybe you do too. Wait for someone who knows their way around logs.
adam9870
(adam9870)
1 February 2007 19:43
#3
Remove the HJT entry.
Use the Rustock.b-fix tool and paste the report.
Kedriik
(Kedriik)
1 February 2007 19:57
#4
I don't know what this is, but it showed up when I used the tool above xD
Full log:
************************* Rustock.b-fix - By ejvindh *************************
2007-01-01 20:52:20,81

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure...

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70570
Total size: 70570 bytes.
Attempting to remove ADS...
system32: deleted 70570 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************
Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xgalbqod

*******************

Script file located at: ??\C:\Program Files\iikmkyov.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************
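As an added example (not part of the thread and not code from Rustock.b-fix, HijackThis or The Avenger), here is a small Python triage script that does what adam9870 did by eye with the two logs in the first post. The giveaway in the minidump is the module name "system32:lzx32.sys": a backslash-free "name:name" is not a file path but an NTFS alternate data stream (ADS) hanging off the System32 directory, which is exactly the ":lzx32.sys 70570" stream the Rustock.b-fix log above finds and deletes. For context, BugCheck 0x7F with first argument 8 is a double fault, which on 32-bit Windows usually means a kernel stack overflow, so the module WinDbg blames is the thing to look at. The script pulls the bugcheck, the blamed module and any ADS-style module names out of WinDbg output, and separately lists the HijackThis lines a person should read first (O20 Winlogon Notify entries whose DLL is missing, O23 services with no publisher that live under the Windows directory). The sample lines are constructed from the logs above; the function names, the regexes and the "Unknown owner plus Windows directory" heuristic are my own.

```python
"""Triage helper for a WinDbg minidump dump and a HijackThis log (added
example, not the thread's own code).  Flags kernel modules that are named as
an alternate data stream on a folder (folder:stream, like system32:lzx32.sys)
and lists HijackThis lines worth a second look."""
import re

# Constructed sample lines, shaped like the logs posted in this thread.
WINDBG_SAMPLE = r"""
Unable to load image ntoskrnl.exe, Win32 error 2
Unable to load image system32:lzx32.sys, Win32 error 2
Unable to load image ndiswan.sys, Win32 error 2
BugCheck 1000007F, {8, f7ac7d70, 0, 0}
Probably caused by : system32:lzx32.sys ( lzx32+6016 )
"""

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
"""

# "folder:stream.sys" with no backslash and a folder name longer than a
# drive letter: a named stream on a directory, not a file on disk.
# (Heuristic regex, my own assumption about how WinDbg prints such names.)
ADS_MODULE = re.compile(
    r"(?<![\w\\])([\w~.-]{2,}):([\w~.-]+\.(?:sys|dll|exe))\b", re.IGNORECASE)

# HijackThis prints "Unknown owner" whenever the binary carries no version
# info (the avast! lines show this on legitimate files), so only nameless
# services living inside the Windows directory are queued for review.
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")


def ads_modules(windbg_text):
    """Return {(folder, stream)} for every ADS-style module name in the output."""
    found = set()
    for line in windbg_text.splitlines():
        for m in ADS_MODULE.finditer(line):
            found.add((m.group(1).lower(), m.group(2).lower()))
    return found


def blamed_module(windbg_text):
    """Module named on WinDbg's 'Probably caused by' line, or None."""
    m = re.search(r"^Probably caused by\s*:\s*(\S+)", windbg_text, re.MULTILINE)
    return m.group(1) if m else None


def bugcheck(windbg_text):
    """(code, [arg1, arg2, arg3, arg4]) parsed from the 'BugCheck' line, or None."""
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", windbg_text, re.MULTILINE)
    if not m:
        return None
    return int(m.group(1), 16), [int(a.strip(), 16) for a in m.group(2).split(",")]


def hjt_findings(hjt_text):
    """Return [(reason, line)] for HijackThis lines a human should read first."""
    findings = []
    for line in hjt_text.splitlines():
        if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            findings.append(("winlogon-notify-dll-missing", line))
        elif line.startswith("O23 - Service:") and "Unknown owner" in line:
            path = line.rsplit(" - ", 1)[-1].strip().lower()
            if path.startswith(WINDOWS_DIRS):
                findings.append(("unknown-owner-service-in-windows-dir", line))
    return findings


if __name__ == "__main__":
    code, args = bugcheck(WINDBG_SAMPLE)
    print(f"bugcheck 0x{code:X}, arg1=0x{args[0]:X}")
    print("blamed module:", blamed_module(WINDBG_SAMPLE))
    print("ADS-style modules:", ads_modules(WINDBG_SAMPLE))
    for reason, line in hjt_findings(HJT_SAMPLE):
        print(f"[{reason}] {line}")
```

The HijackThis findings are a review queue, not verdicts: ati2sgag.exe (ATI Smart) is a legitimate ATI component that gets queued only because it has no version info and sits in system32, while RadClock.exe is the kind of entry that needs checking. On a live machine the equivalent of the ADS check is to list the named streams on the System32 directory itself, for example with `Get-Item C:\Windows\System32 -Stream *` in PowerShell 3 or later (not available on the XP-era shell in this thread) or with the Sysinternals `streams` tool; an ordinary directory listing will never show them.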
adam9870
(adam9870)
1 February 2007 20:02
#5
There should be no more resets now, because Rustock.b-fix completely removed the pe386 rootkit that was causing this problem.
If the problem still occurs, run a complete Windows Update and paste the contents of the new minidump.
Kedriik
(Kedriik)
1 February 2007 20:14
#6
So far it's OK; if the resets happen again I'll do what you wrote.
Thanks for the help ;]