Yinstall trouble! HELP PLS! - Page 5

Dom_B · 01-Nov-2006, 05:56 PM **#61**

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 10/25/2006
Time: 8:51:28 PM
User: N/A
Computer: ACER-B6I3JPUHGS
Description:
Hanging application wmplayer.exe, version 10.0.0.3646, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 77 6d 70 6c 61 79 wmplay
0018: 65 72 2e 65 78 65 20 31 er.exe 1
0020: 30 2e 30 2e 30 2e 33 36 0.0.0.36
0028: 34 36 20 69 6e 20 68 75 46 in hu
0030: 6e 67 61 70 70 20 30 2e ngapp 0.
0038: 30 2e 30 2e 30 20 61 74 0.0.0 at
0040: 20 6f 66 66 73 65 74 20 offset
0048: 30 30 30 30 30 30 30 30 00000000

Dom_B · 01-Nov-2006, 05:57 PM **#62**

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 11
Date: 10/18/2006
Time: 11:26:41 AM
User: N/A
Computer: ACER-B6I3JPUHGS
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

**Cookiegal** · 01-Nov-2006, 06:54 PM **#63**

Nothing more recent than those?

Dom_B · 01-Nov-2006, 06:56 PM **#64**

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 11/01/2006
Time: 10:51:29 PM
User: N/A
Computer: ACER-B6I3JPUHGS
Description:
Error code 1000008e, parameter1 c0000005, parameter2 f43c0d59, parameter3 f424ea20, parameter4 00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 38 1000008
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005,
0038: 66 34 33 63 30 64 35 39 f43c0d59
0040: 2c 20 66 34 32 34 65 61 , f424ea
0048: 32 30 2c 20 30 30 30 30 20, 0000
0050: 30 30 30 30 0000

**Cookiegal** · 01-Nov-2006, 07:34 PM **#65**

That looks like it could be RAM related. How much RAM do you have?

I'd like to check for a rootkit as well.

Download GMER from http://www.gmer.net

Save it somewhere safe & unzip it to desktop

Double click the gmer.exe to run it and select the rootkit tab, press scan and when it has finished press save and copy the log back here please.

Dom_B · 02-Nov-2006, 05:38 AM **#66**

I have 256 RAM, I'll do the scan now

Dom_B · 04-Nov-2006, 03:11 PM **#67**

GMER 1.0.12.11867 - http://www.gmer.net
Rootkit scan 2006-11-04 19:06:15
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

SYSENTER ? F4341390

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!Kei386EoiHelper + 1248 804DF53C 3 Bytes
.text ntoskrnl.exe!_abnormal_termination + 564 804E2890 4 Bytes
.text ntoskrnl.exe!_abnormal_termination + 1104 804E2AAC 4 Bytes
.text tcpip.sys!IPTransmit + 4284 F42B4CFA 6 Bytes
.text tcpip.sys!IPTransmit + 10256 F42B644E 6 Bytes
.text tcpip.sys!ARPRcv + 20589 F42BB4E0 6 Bytes
.text wanarp.sys FAD853FD 7 Bytes

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FB11485A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FB11485A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FB11485A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FB11485A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [FB11485A] avgtdi.sys

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\system32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x8C 0x68 0x29 0x93 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\system32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x8C 0x68 0x29 0x93 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\system32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x8C 0x68 0x29 0x93 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\system32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x8C 0x68 0x29 0x93 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg

Dom_B · 04-Nov-2006, 03:11 PM **#68**

That is as far as the scan got before the computer restarted. Guessing its something to do with lze32 file.

**Cookiegal** · 04-Nov-2006, 03:30 PM **#69**

Download rustbfix.exe from here and save it to your desktop.

Double click on rustbfix.exe. If a Rustock.b infection is found, you will be asked to reboot your computer. The reboot will probably take quite a while and perhaps two reboots will be needed but this will happen automatically so please be patient and allow the process to complete.

After the reboot, two log files will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these log files along with a new HijackThis log please.

Dom_B · 04-Nov-2006, 03:39 PM **#70**

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\euogtwbm

*******************

Script file located at: \??\C:\WINDOWS\system32\oigbdled.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Dom_B · 04-Nov-2006, 03:40 PM **#71**

************************* Rustock.b-fix -- By ejvindh *************************
11/04/2006 19:32:24.00

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
No streams found.

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.

******************************* End of Logfile ********************************

Dom_B · 04-Nov-2006, 03:50 PM **#72**

Logfile of HijackThis v1.99.1
Scan saved at 7:50:17 PM, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msgr.exe
C:\Program Files\PacificPoker\Utils\Poker.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB002" /M "Stylus D68"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan8/oscan8.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{38BD9D07-A9C6-459B-A578-D6F18B687C52}: NameServer = 80.225.255.58 80.225.255.50
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

**Cookiegal** · 04-Nov-2006, 03:52 PM **#73**

May I see a new GMER scan please.

Tag Cloud
access acer asus bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop malware memory modem monitor motherboard network printer problem ram registry router security slow software sound toshiba trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!