LOG + walka z błędem od 3 tygodni

[dantetg]

Witam
Od paru tygodni walczę z błędem services.exe
Kompa sprawdzałem pandą, na stałe używam avasta
i ad-aware. Wszystko uaktualnione. Oprócz tego
przeleciałem shredderem i spy removberem 2.54.
Wszystko uaktualnione.

Intel Pentium 2.8 HT
512 DDR
XP +SP2 +update na bieżąco

Wywala mi services.exe z kodem stanu 1073741819
Sprzęt w środku sprawdzałem, kable i wszystko dociśnięte, wyczyszczone
temperatura ok.

Próba uruchomienia "sfc.exe /scannow" daje komunikat
o braku bezpośredniego dostępu do RPC (awaryjny i normalny).
Firewall windowsowy jest wyłączony (z mojej inicjatywy bo mam
avasta) ale przy próbie uruchomienia go wywala mi
błąd STOP.

Komunikat o błędzie services.exe pojawia się zaraz po uruchomieniu
komputera. Scandisk, defrag i memtest były robione.
Defragmentacja rejestru i REGCLEANER oraz
Norton System Works One Button CheckUp też.

POMóżCIE!!!!
Amen i dzięki za wszystko.
Czekam z niecierpliwością.


====LOG====
Logfile of HijackThis v1.99.1
Scan saved at 03:20:54, on 2006-07-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SpyRemover\Remover.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Orionek\Pulpit\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry
Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O4 - Startup: Kopia memory.txt
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {22371112-FFB4-471E-A2F3-626B864780EE} -
www.citrid.sk/plugin/MaeCi3D.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program
Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} -
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner -
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division
Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
====LOG====

[Gość: Kolobos]

> Wywala mi services.exe z kodem stanu 1073741819

Wklej log z:
www.silentrunners.org/Silent%20Runners.vbs
Zobacz w menadzerze zadan czy jakis proces nie obciaza procesora lub nie
wykorzystuje duzej ilosci ramu.

> Próba uruchomienia "sfc.exe /scannow" daje komunikat
> o braku bezpośredniego dostępu do RPC (awaryjny i normalny).

Podaj dokladna tresc komunikatu.

> Firewall windowsowy jest wyłączony (z mojej inicjatywy bo mam
> avasta) ale przy próbie uruchomienia go wywala mi błąd STOP.

Podaj numer bledu stop.

Zakoncz proces:
C:\Program Files\SpyRemover\Remover.exe

W hjt usun:
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program
Files\SpyRemover\TeaTimer.exe <- odinstaluj i usun katalog SpyRemover
O4 - Startup: Kopia memory.txt <- po co Ci ten plik txt w autostarcie?

Do tego przeskanuj system przy pomocy ewido (link znajdziesz na google).

[dantetg]

1. w hjt usunalem co mowiles
2. odinstalowalem spy removera
3. zmienilem avasta na AVK2006
4. mam Kerio Personal Firewall
5. "sfc.exe /scannow" daje błąd
ochrona plików systemu windows nie może dokonać żadnej zmiany
określony kod błędu to 0x000006ba (serwer RPC jest niedostępny).
6. teraz już mi nie wywala services z okienkiem ponownego restartu
teraz już jest tylko błąd STOP (na BSOD)
Kod błędu STOP:
0x0000008E (0xC0000005, 0x81E0153A, 0xB8466A44, 0x00000000).
7. Nortona nie usune poki co,bo dziala mi tylko awaryjny.
Normalny zaraz sie wiesza. A w awaryjnym instalator windows
sie nie uruchamia.
8.
===LOG===
"Silent Runners.vbs", revision 46, www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun
Microsystems, Inc."]
"AVKTray" = ""C:\Program Files\AntiVirenKit 2006\AVKTray\AVKTray.exe"" ["G DATA
Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real
Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program
Files\WinRAR\rarext.dll" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) =
"C:\WINDOWS\system32\browseui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) =
"C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) =
"C:\WINDOWS\system32\Audiodev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) =
"C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program
Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon
Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) =
"C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop
Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) =
"C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft
Office\Office12\msohev.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) =
"C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) =
"C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common
Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program
Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVK9CM\(Default) = "{CAF4C320-32F5-11D3-A222-004095200FF2}"
-> {HKLM...CLSID} = "AVK9ContextMenue"
\InProcServer32\(Default) = "C:\Program Files\AntiVirenKit
2006\ShellExt.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program
Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program
Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVK9CM\(Default) = "{CAF4C320-32F5-11D3-A222-004095200FF2}"
-> {HKLM...CLSID} = "AVK9ContextMenue"
\InProcServer32\(Default) = "C:\Program Files\AntiVirenKit
2006\ShellExt.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program
Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Scheduled Tasks:
------------------------

"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton
SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\
{++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
{++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar"

[dantetg]

===LOG kontynuacja===
Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) =
"&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

ASP.NET State Service, aspnet_state,
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [file not found]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI
Technologies Inc."]
AVK Service, AVKService, "C:\Program Files\AntiVirenKit 2006\AVKService.exe"
[empty string]
AVKProxy, AVKProxy, ""C:\Program Files\Common Files\G
DATA\AVKProxy\AVKProxy.exe"" ["G DATA Software AG"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter"
{"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
Microsoft Office Diagnostics Service, odserv, ""C:\Program Files\Common
Files\Microsoft Shared\OFFICE12\ODSERV.EXE"" [MS]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton
SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft
Shared\Source Engine\OSE.EXE"" [MS]
Pomoc i obsługa techniczna, helpsvc, "C:\WINDOWS\System32\svchost.exe -k
netsvcs" {"%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll" [file not found]}
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol
120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Strażnik AVK, AVKWCtl, "C:\Program Files\AntiVirenKit 2006\AVKWCtl.exe" [empty
string]
Sunbelt Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Sunbelt
Software\Personal Firewall\kpf4ss.exe"" ["Sunbelt Software"]
Usługa administracyjna Menedżera dysków logicznych, dmadmin,
"C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Usługa dostarczania sieci, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs"
{"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN,
"C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll"
[MS]}
Usługa Windows Media Connect, WMConnectCDS, "C:\Program Files\Windows Media
Connect 2\wmccds.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 29 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 13 seconds.
--------

[Gość: Kolobos]

Widze, ze masz powaznie zepsuty system, a wiec nie ma co sie bawic.
Zrob naprawe systemu przy pomocy plyty instalacyjnej, zachowasz wszystkie
programy i ustawienia, jedynie WU sie skasuje i bedzie trzeba sciagnac.

[Gość: Dante]

Ale powiedz mi 1 rzecz...prosze,jesli mozesz.
Nie pamietam gdzie, ale gdzies w systemie robilo sie zeby
nie bylo automatycznych aktualizacji.
Zauwazylem ze przy normalnym starcie windowsa wlasnie w
systrayu najpierw jest zolty wykrzyknik ze sa nowe update'y
a za chwile znika (chce je zainstalowac w tle) i wtedy
wyskakuje ten blad STOP.
Jakby to wylaczyc to system jeszcze troche
by pozyl. Co ty na to?

[kolobos]

Panel Sterowania -> Aktualizacje automatyczne?

[Gość: Dante]

oki, wylaczylem i system jest stabilny. Nie wywala bledu.
Tak czy owak czeka mnie format, ale przynajmniej na spokojnie backupa jeszcze
zrobie :)
thx