Синий экран

[Евгений825]

Добрый день!


Компьютер сам перезагружаеться с последующим появлением синего экрана.

Вчера было так:
Сигнатура проблемы:
Имя события проблемы: BlueScreen
Версия ОС: 6.1.7601.2.1.0.768.11
Код языка: 1049

Дополнительные сведения об этой проблеме:
BCCode: d1
BCP1: 00000004
BCP2: 00000002
BCP3: 00000000
BCP4: 8802EAA1
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Сегодня 2 часа назад компьтер вновь перезагрузился и не смог загрузить рабочий стол, вышел в безопасный режим с помощью программы AVZ, просканировал удалил 4 троянов,также есть дамп памяти сохраненный программой BlueScreenView.
DRIVER_IRQL_NOT_LESS_ERROR_EQUAL

7cfb8903479dd35699b4ebfc930a53f4.jpg
Операционка Windows7 начальная. Фаэрволл Outpost SecuritySuitе Pro7.5
Компьтер новый, месяц работы.

[Info_bot]

Уважаемый(ая) Евгений825, спасибо за обращение на наш форум!

Помощь при заражении комьютера на VirusInfo.Info оказывается абсолютно бесплатно. Хелперы, в самое ближайшее время, ответят на Ваш запрос. Для оказания помощи необходимо предоставить логи сканирования утилитами АВЗ и HiJackThis, подробнее можно прочитать в правилах оформления запроса о помощи.

Если наш сайт окажется полезен Вам и у Вас будет такая возможность - пожалуйста поддержите проект.

[Aleksandra]

Из папки С:\Windows\Minidump несколько последних по времени файлов запакуйте и приложите ...

- - - Добавлено - - -

1. Пофиксите в HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://webalta.ru/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webalta.ru/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webalta.ru/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webalta.ru/search

2. Выполните скрипт в AVZ:

Код:

begin
SetAVZPMStatus(false);
ExecuteStdScr(6);
RebootWindows(true);
end.

После выполнения скрипта компьютер перезагрузится!

3. Обновите базы AVZ и сделайте полный комплект логов по правилам.

[Евгений825]

1.Из папки С:\Windows\Minidump несколько последних по времени файлов запакуйте и приложите ...

1а. Пофиксите в HijackThis:

2. Выполните скрипт в AVZ:

Код:

begin
SetAVZPMStatus(false);
ExecuteStdScr(6);
RebootWindows(true);
end.

После выполнения скрипта компьютер перезагрузится!

3. Обновите базы AVZ и сделайте полный комплект логов по правилам.

1.С пометкой Crash файлы из минидампа.
1а. Пофиксил
2.Выполнил
3.И повторил процедуру

[Aleksandra]

Ничего плохого в логах не увидела. Проблема с вирусами не связана.

А где минидампы?

[Евгений825]

За архивировал и вложил.

[Aleksandra]

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Aleksa\Desktop\061513-47221-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
************************************************** **************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
************************************************** **************************
Executable search path is:
************************************************** *******************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
************************************************** *******************
Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18147.x86fre.win7sp1_gdr.130505-1534
Machine Name:
Kernel base = 0x82e41000 PsLoadedModuleList = 0x82f8a4d0
Debug session time: Sat Jun 15 21:35:14.905 2013 (UTC + 5:00)
System Uptime: 0 days 3:42:58.106
************************************************** *******************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
************************************************** *******************
Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Loading Kernel Symbols
.................................................. .............
.................................................. ..............
........................................
Loading User Symbols
Loading unloaded module list
.........
Unable to load image \SystemRoot\system32\drivers\ndis.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ndis.sys
*** ERROR: Module load completed but symbols could not be loaded for ndis.sys
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {4, 2, 0, 88015aa1}

*** WARNING: Unable to verify timestamp for NETIO.SYS
*** ERROR: Module load completed but symbols could not be loaded for NETIO.SYS
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
Probably caused by : NETIO.SYS ( NETIO+6e6f )

Followup: MachineOwner
---------

0: kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 88015aa1, address which referenced memory

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: NETIO

FAULTING_MODULE: 82e41000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 5034f1ea

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
00000004

CURRENT_IRQL: 0

FAULTING_IP:
ndis+4aa1
88015aa1 8b5b04 mov ebx,dword ptr [ebx+4]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from 88015aa1 to 82e81b5f

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8078adb0 88015aa1 badb0d00 00000000 8560f498 nt+0x40b5f
8078ae98 880cee6f 00000000 85719500 85719c80 ndis+0x4aa1
8078aebc 880cf821 00000000 880cf76a 00000000 NETIO+0x6e6f
8078aed4 880f399a 00000000 00000000 00000000 NETIO+0x7821
8078aefc 880efba7 00000000 00000000 856623a0 NETIO+0x2b99a
8078af18 880efc56 8753fbc0 8644abb0 856623a0 NETIO+0x27ba7
8078af48 82eb8655 856623a0 8753fbc0 8644abb0 NETIO+0x27c56
8078afa4 82eb84b8 82f6bd20 85f25768 00000000 nt+0x77655
8078aff4 82eb7c7c 8bdfb8dc 00000000 00000000 nt+0x774b8
8078aff8 8bdfb8dc 00000000 00000000 00000000 nt+0x76c7c
82eb7c7c 00000000 00000000 00000000 00000000 0x8bdfb8dc


STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO+6e6f
880cee6f ?? ???

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: NETIO+6e6f

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: NETIO.SYS

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

0: kd> lmvm NETIO
start end module name
880c8000 88106000 NETIO T (no symbols)
Loaded symbol image file: NETIO.SYS
Image path: \SystemRoot\system32\drivers\NETIO.SYS
Image name: NETIO.SYS
Timestamp: Wed Aug 22 19:51:22 2012 (5034F1EA)
CheckSum: 000429F6
ImageSize: 0003E000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

Проблема с NETIO.SYS - драйвером TCP/IP стека. Обновите драйвер сетевой карты.

- - - Добавлено - - -

Желательно обновить драйвера для всего железа.

[Евгений825]

У меня там был вирус как то прицеплен, спасибо.