status code 128


#1
imfeelinglucky

Hello again!

The problem this time seems to be known:

"The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.

The system process C:\WINNT\SYSTEM32\SERVICES.EXE terminated unexpectedly with status code 128. The system will shut down and restart. "


I have scanned the PC with McAfee and Spybot, and everything seems to be clean. I have seen the Microsoft article which says look at the registry...
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Shares

but no value is set!!


I don't know what else I should check. Could it be the memory? It's a laptop.

/Ben

PS: it happens randomly, even in safe mode and even during the login session.

#2
CJIS

Ok do this:

1. Restart the computer in Safe Mode:
   a. Restart the computer.
   b. Press F8 when you receive the "Please select the operating system to start" message.
   c. On the Windows Advanced Options menu, use the arrow keys to select Safe Mode, and then press ENTER.

2. Click Start, click Run, type regedit in the Open box, and then press ENTER.

3. Click the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares

4. Back up the registry key:
   a. On the Registry menu, click Export Registry File.
   b. In the File name box, type Shares_RegKey, and then click Save.

   This step saves the Shares registry key to the Shares_RegKey text file, which you can use to restore the key in the future. By default, the file is saved in the My Documents folder. For information about how to restore the key, search Regedit Help for the Import Registry Key topic.

5. Examine the list of values in the right pane of Registry Editor.

   Notice that the Data column contains the paths to shared folders. For example, you may see a line similar to the following:
   CSCFlags=0 MaxUses=4294967295 Path=E:\NS Permissions=0 Remark= Type=0
   This refers to the E:\NS shared folder.

6. For each value, use Windows Explorer to make sure that the path displayed in the Data column represents an existing shared folder. Delete all values that do not correspond to shared folders.

7. Quit Registry Editor, and then restart the computer.

Edited by CJIS, 15 August 2005 - 03:48 AM.

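One way to automate steps 5 and 6 of the procedure above, as an added example that is not part of CJIS's post or of Microsoft's article: it parses the Shares values in the layout quoted above and reports the shares whose Path no longer exists (it only reports; deleting a value stays a manual step after the export in step 4). SAMPLE_SHARES is a constructed stand-in for the key's contents, and read_shares_from_registry assumes it is run on Windows.

```python
import os
import sys

# Constructed sample in the layout the post quotes: the Shares key holds one
# REG_MULTI_SZ value per share, each a list of "Name=Value" strings.
SAMPLE_SHARES = {
    "NS": ["CSCFlags=0", "MaxUses=4294967295", "Path=E:\\NS",
           "Permissions=0", "Remark=", "Type=0"],
    "OldData": ["CSCFlags=0", "MaxUses=4294967295", "Path=D:\\old",
                "Permissions=0", "Remark=", "Type=0"],
    # A value with no Path at all, which step 6 would also flag.
    "Odd": ["CSCFlags=0", "MaxUses=4294967295", "Permissions=0", "Type=0"],
}


def parse_share_entry(fields):
    """Turn the multi-string value of one share into a dict of its fields."""
    entry = {}
    for field in fields:
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed share field: {field!r}")
        entry[name] = value
    return entry


def find_stale_shares(shares, path_exists=os.path.isdir):
    """Return the names of shares whose Path is missing or points nowhere.

    path_exists is injectable so the check can be run off-box, e.g. against a
    registry export taken from the affected machine.
    """
    stale = []
    for name, fields in shares.items():
        path = parse_share_entry(fields).get("Path", "")
        if not path or not path_exists(path):
            stale.append(name)
    return stale


def read_shares_from_registry():
    """Read the live Shares key (Windows only); other platforms raise OSError."""
    if sys.platform != "win32":
        raise OSError("reading the registry requires Windows")
    import winreg  # only importable on Windows
    key_path = r"SYSTEM\CurrentControlSet\Services\lanmanserver\Shares"
    shares = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            if kind == winreg.REG_MULTI_SZ:
                shares[name] = data
            index += 1
    return shares


if __name__ == "__main__":
    try:
        shares = read_shares_from_registry()
    except OSError:
        shares = SAMPLE_SHARES  # off Windows, demonstrate on the sample
    for name in find_stale_shares(shares):
        print(f"share {name!r} has no existing folder behind it; review it in regedit")
```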

#3
darth_ash

If the problem still continues after you have followed CJIS's advice, then you can refer to my post.
First we will have to disable auto-reboot on failure; follow the steps below:
Go to Start -> Control Panel -> System (Windows+Pause works, too)
Go to Advanced
Under the Startup and Recovery section, click Settings...
Under System Failure un-check "Automatically restart"


Now we will have to find out which service is causing the problem; follow the steps below:
Start -> Run. Type: services.msc. Press <enter>.
Double-click on all the services, one by one, which have StartupType as Disabled. This opens the Properties dialog for that service. Now, click on the Recovery tab. If the action fields have Restart as an option, list that particular service in your next reply.

Edited by darth_ash, 15 August 2005 - 03:56 AM.


#4
imfeelinglucky

Thanks CJIS, but perhaps I didn't make myself clear. I already followed Microsoft's advice but there is no value set in the pointed path!

Anyway, I undid EasyCleaner's registry cleaning and the PC has been running for about 7 hours without any trouble.

darth_ash: I followed your advice and there are no services with the specification you pointed out. I hope everything is back to normal(?)

Edited by imfeelinglucky, 15 August 2005 - 06:32 AM.


#5
imfeelinglucky

I was wrong! I am still experiencing the same problem! So far it has only happened when the PC is connected to the net!
As I said, in the list there are three "disabled" services, but none of the action fields have "Restart" as an option!

#6
darth_ash

Let's look for missing/corrupt system files.
Follow the steps below:
Start -> Run. Type cmd. Press Enter.
In the Command Prompt window, type sfc /SCANONCE. Press Enter.
Follow the instructions by the System File Checker.
(Note: the scan will be done on the next reboot, so you will be prompted for a reboot.)

Also, can you post a HijackThis log?

#7
imfeelinglucky

I did the "sfc /scanonce" and after the next reboot I was prompted for a Windows 2000 CD; then it went on checking for about 15 minutes and ended without giving any messages!
There is something else I have noticed: restarts only happen when I set TCP/IP to look for an IP address automatically... and only when the network is active!

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:04:29, on 16.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINNT\system32\s3hotkey.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Programme\BillP Studios\WinPatrol\winpatrol.exe
C:\WINNT\system32\taskmgr.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\Programme\BillP Studios\WinPatrol\winpatrol.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://E:\autocad\InstFred.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124190604151
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file://E:\autocad\AcDcToday.ocx
O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\autocad\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file://E:\autocad\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ADE
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5FF2FD-0F9F-4539-B2A3-A5D38DA11DD4}: NameServer = 162.198.0.9,162.198.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ADE
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ADE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#8
stevethames

Hey Lucky.
I've been experiencing this problem for several days now. After reading through this post, I checked my registry entries and found that they are fine, like yours. I also checked the disabled services and their restart settings. No actions indicated restart, like yours. However, I then checked the rest of the services and found two that do indicate restart actions: Windows Management Instrumentation and Remote Registry Service.

WMI depends on RPC. As you may know, two years ago, there was an NT AUTHORITY shut down going around because of the W32.Blaster.Worm http://securityrespo...aster.worm.html. This was because of a security hole in RPC.

I have two connections between my system and the internet. Typically, I am connected to a firewall/gateway and this problem does not happen. However, my 2nd connection is wide open to the Internet which I need, at times, for doing VPN client connections. This is when I have the problem, just like you.

I'm sorry I don't have a solution, as yet. I hope this information helps. If I solve it, I'll let you know.

#9
Seb.Albert

Sorry for jumping into an existing thread, but my problem is really exactly the same. I am running Win2000 Pro with exactly the same error message before rebooting (OK, my error message is in German, but that doesn't matter anyway).

Following the hint about the Blaster worm, I tried WinDump, and maybe we can get some information out of that. Once I even saw my computer trying to contact one IP address like a.b.c.1, then a.b.c.2, a.b.c.3 and so on, and that's really typical worm behaviour, isn't it? I'm sorry I don't have this logged in a txt file. But anyway, I'd like to show my log file. Furthermore, port 135 is known to be a weak point in Windows. 192.168.8.20 is my local machine.

As you may see, between 18:21 and 18:23 there was one of those mysterious reboots again. Maybe one of the nice geeks in here will find something in this network activity. By the way: I did not do anything and did not run any program besides WinDump when recording this log excerpt.

18:21:17.182757 IP 192.168.8.18.1098 > 212.162.1.196.80: R 1940934:1940934(0) win 0
18:21:19.956075 IP 84.130.4.132.3998 > 192.168.8.20.139: S 4218257524:4218257524(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:19.956160 IP 192.168.8.20.139 > 84.130.4.132.3998: S 2368896212:2368896212(0) ack 4218257525 win 16800 <mss 1460,nop,nop,sackOK>
18:21:20.027987 IP 84.130.4.132.3998 > 192.168.8.20.139: . ack 1 win 65535
18:21:20.031968 IP 84.130.4.132.4001 > 192.168.8.20.139: S 4218345186:4218345186(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:20.032018 IP 192.168.8.20.139 > 84.130.4.132.4001: S 516847275:516847275(0) ack 4218345187 win 16800 <mss 1460,nop,nop,sackOK>
18:21:20.100338 IP 84.130.4.132.4001 > 192.168.8.20.139: . ack 1 win 65535
18:21:20.108268 IP 84.130.4.132.4001 > 192.168.8.20.139: P 1:73(72) ack 1 win 65535
18:21:20.108324 IP 192.168.8.20.139 > 84.130.4.132.4001: FP 1:6(5) ack 73 win 16728
18:21:20.171955 IP 84.130.4.132.4001 > 192.168.8.20.139: . ack 7 win 65530
18:21:20.175521 IP 84.130.4.132.4001 > 192.168.8.20.139: F 73:73(0) ack 7 win 65530
18:21:20.175559 IP 192.168.8.20.139 > 84.130.4.132.4001: . ack 74 win 16728
18:21:21.173280 IP 84.130.4.132.4040 > 192.168.8.20.139: S 4219424611:4219424611(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:21.173358 IP 192.168.8.20.139 > 84.130.4.132.4040: S 139530875:139530875(0) ack 4219424612 win 16800 <mss 1460,nop,nop,sackOK>
18:21:21.239820 IP 84.130.4.132.4040 > 192.168.8.20.139: . ack 1 win 65535
18:21:21.247784 IP 84.130.4.132.4040 > 192.168.8.20.139: P 1:73(72) ack 1 win 65535
18:21:21.247840 IP 192.168.8.20.139 > 84.130.4.132.4040: FP 1:6(5) ack 73 win 16728
18:21:21.313249 IP 84.130.4.132.4040 > 192.168.8.20.139: . ack 7 win 65530
18:21:21.316820 IP 84.130.4.132.4040 > 192.168.8.20.139: F 73:73(0) ack 7 win 65530
18:21:21.316860 IP 192.168.8.20.139 > 84.130.4.132.4040: . ack 74 win 16728
18:21:22.272207 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:22.312757 IP 84.130.4.132.4127 > 192.168.8.20.445: S 4221366137:4221366137(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:22.312829 IP 192.168.8.20.445 > 84.130.4.132.4127: R 0:0(0) ack 4221366138 win 0
18:21:22.316701 IP 84.130.4.132.4132 > 192.168.8.20.139: S 4221411697:4221411697(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:22.316741 IP 192.168.8.20.139 > 84.130.4.132.4132: S 3197810612:3197810612(0) ack 4221411698 win 16800 <mss 1460,nop,nop,sackOK>
18:21:22.373099 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:22.396955 IP 84.130.4.132.4132 > 192.168.8.20.139: P 1:73(72) ack 1 win 65535
18:21:22.397050 IP 192.168.8.20.139 > 84.130.4.132.4132: FP 1:6(5) ack 73 win 16728
18:21:22.464208 IP 84.130.4.132.4132 > 192.168.8.20.139: . ack 7 win 65530
18:21:22.467768 IP 84.130.4.132.4132 > 192.168.8.20.139: F 73:73(0) ack 7 win 65530
18:21:22.467834 IP 192.168.8.20.139 > 84.130.4.132.4132: . ack 74 win 16728
18:21:22.471751 IP 84.130.4.132.4146 > 192.168.8.20.139: S 4221650164:4221650164(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:22.471807 IP 192.168.8.20.139 > 84.130.4.132.4146: S 2681156446:2681156446(0) ack 4221650165 win 16800 <mss 1460,nop,nop,sackOK>
18:21:22.473169 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:22.552007 IP 84.130.4.132.4146 > 192.168.8.20.139: P 1:73(72) ack 1 win 65535
18:21:22.552106 IP 192.168.8.20.139 > 84.130.4.132.4146: FP 1:6(5) ack 73 win 16728
18:21:22.573329 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:22.626771 IP 84.130.4.132.4146 > 192.168.8.20.139: . ack 7 win 65530
18:21:22.630724 IP 84.130.4.132.4146 > 192.168.8.20.139: F 73:73(0) ack 7 win 65530
18:21:22.630792 IP 192.168.8.20.139 > 84.130.4.132.4146: . ack 74 win 16728
18:21:22.636841 IP 84.130.4.132.137 > 192.168.8.20.137: UDP, length 50
18:21:22.636918 IP 192.168.8.20.137 > 84.130.4.132.137: UDP, length 157
18:21:22.673478 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:22.808736 IP 84.130.4.132.4127 > 192.168.8.20.445: S 4221366137:4221366137(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:22.808821 IP 192.168.8.20.445 > 84.130.4.132.4127: R 0:0(0) ack 1 win 0
18:21:23.209836 IP 84.130.4.132.4127 > 192.168.8.20.445: S 4221366137:4221366137(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:23.209937 IP 192.168.8.20.445 > 84.130.4.132.4127: R 0:0(0) ack 1 win 0
18:21:27.772253 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:27.872543 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:27.972721 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:28.072877 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:28.173029 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:31.811964 IP 84.130.73.54.3748 > 192.168.8.20.445: S 2510698409:2510698409(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
18:21:31.812043 IP 192.168.8.20.445 > 84.130.73.54.3748: R 0:0(0) ack 2510698410 win 0
18:21:32.416071 IP 84.130.73.54.3748 > 192.168.8.20.445: S 2510698409:2510698409(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
18:21:32.416149 IP 192.168.8.20.445 > 84.130.73.54.3748: R 0:0(0) ack 1 win 0
18:21:32.429683 IP 84.130.221.246.1509 > 192.168.8.20.135: S 2180946005:2180946005(0) win 16384 <mss 1400,nop,nop,sackOK>
18:21:32.429747 IP 192.168.8.20.135 > 84.130.221.246.1509: S 2195374620:2195374620(0) ack 2180946006 win 16800 <mss 1460,nop,nop,sackOK>
18:21:32.522746 IP 84.130.221.246.1509 > 192.168.8.20.135: . ack 1 win 16800
18:21:32.527749 IP 84.130.221.246.1509 > 192.168.8.20.135: F 1:1(0) ack 1 win 16800
18:21:32.527811 IP 192.168.8.20.135 > 84.130.221.246.1509: . ack 2 win 16800
18:21:32.527944 IP 192.168.8.20.135 > 84.130.221.246.1509: F 1:1(0) ack 2 win 16800
18:21:32.535113 IP 84.130.221.246.1514 > 192.168.8.20.135: S 2181226231:2181226231(0) win 16384 <mss 1400,nop,nop,sackOK>
18:21:32.535164 IP 192.168.8.20.135 > 84.130.221.246.1514: S 3380649787:3380649787(0) ack 2181226232 win 16800 <mss 1460,nop,nop,sackOK>
18:21:32.617644 IP 84.130.221.246.1509 > 192.168.8.20.135: . ack 2 win 16800
18:21:32.625880 IP 84.130.221.246.1514 > 192.168.8.20.135: . ack 1 win 16800
18:21:32.637068 IP 84.130.221.246.1514 > 192.168.8.20.135: P 1:73(72) ack 1 win 16800
18:21:32.637399 IP 192.168.8.20.135 > 84.130.221.246.1514: P 1:61(60) ack 73 win 16728
18:21:32.716152 IP 84.130.221.246.1514 > 192.168.8.20.135: P 73:97(24) ack 61 win 16740
18:21:32.716362 IP 192.168.8.20.135 > 84.130.221.246.1514: P 61:365(304) ack 97 win 16704
18:21:32.832853 IP 84.130.221.246.1514 > 192.168.8.20.135: F 97:97(0) ack 365 win 16436
18:21:32.832909 IP 192.168.8.20.135 > 84.130.221.246.1514: . ack 98 win 16704
18:21:32.832999 IP 192.168.8.20.135 > 84.130.221.246.1514: F 365:365(0) ack 98 win 16704
18:21:32.840228 IP 84.130.221.246.1530 > 192.168.8.20.135: S 2182053396:2182053396(0) win 16384 <mss 1400,nop,nop,sackOK>
18:21:32.840286 IP 192.168.8.20.135 > 84.130.221.246.1530: S 3285983301:3285983301(0) ack 2182053397 win 16800 <mss 1460,nop,nop,sackOK>
18:21:32.925260 IP 84.130.221.246.1514 > 192.168.8.20.135: . ack 366 win 16436
18:21:32.933501 IP 84.130.221.246.1530 > 192.168.8.20.135: . ack 1 win 16800
18:21:32.944688 IP 84.130.221.246.1530 > 192.168.8.20.135: P 1:73(72) ack 1 win 16800
18:21:32.944798 IP 192.168.8.20.135 > 84.130.221.246.1530: P 1:61(60) ack 73 win 16728
18:21:32.959337 IP 84.130.73.54.3748 > 192.168.8.20.445: S 2510698409:2510698409(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
18:21:32.959393 IP 192.168.8.20.445 > 84.130.73.54.3748: R 0:0(0) ack 1 win 0
18:21:33.117665 IP 84.130.221.246.1530 > 192.168.8.20.135: . 73:1473(1400) ack 61 win 16740
18:21:33.118169 IP 84.130.221.246.1530 > 192.168.8.20.135: P 1473:1537(64) ack 61 win 16740
18:21:33.118200 IP 192.168.8.20.135 > 84.130.221.246.1530: . ack 1537 win 16800
18:21:33.118309 IP 192.168.8.20.135 > 84.130.221.246.1530: P 61:101(40) ack 1537 win 16800
18:21:33.200993 IP 84.130.221.246.1530 > 192.168.8.20.135: F 1537:1537(0) ack 101 win 16700
18:21:33.201061 IP 192.168.8.20.135 > 84.130.221.246.1530: . ack 1538 win 16800
18:21:33.201159 IP 192.168.8.20.135 > 84.130.221.246.1530: F 101:101(0) ack 1538 win 16800
18:21:33.271625 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:33.280150 IP 84.130.221.246.1530 > 192.168.8.20.135: . ack 102 win 16700
18:21:33.372723 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:33.472764 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:33.572974 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:33.673123 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:33.804149 IP 84.157.185.9.2199 > 192.168.8.20.135: P 1:73(72) ack 1 win 16800
18:21:33.804358 IP 192.168.8.20.135 > 84.157.185.9.2199: P 1:61(60) ack 73 win 16728
18:21:34.569377 IP 84.157.185.9.2199 > 192.168.8.20.135: P 73:97(24) ack 61 win 16740
18:21:34.569611 IP 192.168.8.20.135 > 84.157.185.9.2199: P 61:365(304) ack 97 win 16704
18:21:35.437765 IP 84.157.185.9.2199 > 192.168.8.20.135: F 97:97(0) ack 365 win 16436
18:21:35.437855 IP 192.168.8.20.135 > 84.157.185.9.2199: . ack 98 win 16704
18:21:35.437965 IP 192.168.8.20.135 > 84.157.185.9.2199: F 365:365(0) ack 98 win 16704
18:21:35.445125 IP 84.157.185.9.1733 > 192.168.8.20.135: S 3846000724:3846000724(0) win 16384 <mss 1400,nop,nop,sackOK>
18:21:35.445188 IP 192.168.8.20.135 > 84.157.185.9.1733: S 2642763299:2642763299(0) ack 3846000725 win 16800 <mss 1460,nop,nop,sackOK>
18:21:36.211975 IP 84.157.185.9.2199 > 192.168.8.20.135: . ack 366 win 16436
18:21:36.233101 IP 84.157.185.9.1733 > 192.168.8.20.135: . ack 1 win 16800
18:21:38.771691 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:38.871971 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:38.972101 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:39.072265 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:39.172472 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:39.310402 IP 84.157.185.9.1733 > 192.168.8.20.135: P 1:73(72) ack 1 win 16800
18:21:39.310545 IP 192.168.8.20.135 > 84.157.185.9.1733
18:23:01.960819 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:02.061967 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:02.159441 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:02.258302 IP 192.168.8.20.1027 > 24.187.63.192.18067: S 3950593894:3950593894(0) win 16384 <mss 1460,nop,nop,sackOK>
18:23:02.259585 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:02.359763 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:07.180121 IP 192.168.8.20.135 > 84.130.91.99.2483: FP 2435934091:2435934131(40) ack 524684603 win 16592
18:23:07.460858 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:07.561147 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:07.658771 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:07.708696 IP 84.130.91.99.2483 > 192.168.8.20.135: R 524684603:524684603(0) win 0
18:23:07.758923 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:07.859078 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:12.960426 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:13.061239 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:13.158756 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:13.258970 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:13.359120 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:14.884428 IP 84.130.4.132.4813 > 192.168.8.20.80: S 83489577:83489577(0) win 65535 <mss 1400,nop,nop,sackOK>
18:23:14.884504 IP 192.168.8.20.80 > 84.130.4.132.4813: R 0:0(0) ack 83489578 win 0
18:23:15.448449 IP 84.130.4.132.4813 > 192.168.8.20.80: S 83489577:83489577(0) win 65535 <mss 1400,nop,nop,sackOK>
18:23:15.448509 IP 192.168.8.20.80 > 84.130.4.132.4813: R 0:0(0) ack 1 win 0
18:23:15.950151 IP 84.130.4.132.4813 > 192.168.8.20.80: S 83489577:83489577(0) win 65535 <mss 1400,nop,nop,sackOK>
18:23:15.950211 IP 192.168.8.20.80 > 84.130.4.132.4813: R 0:0(0) ack 1 win 0
18:23:16.223515 IP 61.152.158.157.33561 > 192.168.8.20.1026: UDP, length 346
18:23:16.223569 IP 192.168.8.20 > 61.152.158.157: ICMP 192.168.8.20 udp port 1026 unreachable, length 36
18:23:16.226749 IP 61.152.158.157.33561 > 192.168.8.20.1029: UDP, length 346
18:23:16.226766 IP 192.168.8.20 > 61.152.158.157: ICMP 192.168.8.20 udp port 1029 unreachable, length 36
18:23:16.235962 IP 84.130.4.132.3998 > 192.168.8.20.139: F 4218257525:4218257525(0) ack 2368896213 win 65535
18:23:16.235994 IP 192.168.8.20.139 > 84.130.4.132.3998: R 2368896213:2368896213(0) win 0
18:23:16.559515 00:c0:02:a0:c8:21 > 03:00:00:00:00:01 sap f0 ui/C
18:23:16.559826 IP 192.168.8.21.138 > 255.255.255.255.138: UDP, length 201
18:23:18.458663 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:18.558949 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:18.659075 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:18.759230 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:18.859441 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:23.960503 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:24.061649 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:24.159132 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:24.259278 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:24.359426 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:29.460558 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:29.560852 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:29.658465 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:29.758624 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:29.858771 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:34.960127 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:35.060938 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:35.158458 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:35.258676 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:35.358825 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:40.460160 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:40.560446 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:40.660570 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:40.760726 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:40.858375 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:45.959472 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:46.060621 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:46.160657 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:46.258249 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:46.358398 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:46.559068 00:c0:02:a0:c8:21 > 03:00:00:00:00:01 sap f0 ui/C
18:23:46.559387 IP 192.168.8.21.138 > 255.255.255.255.138: UDP, length 201
18:23:51.460214 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:51.560497 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:51.660688 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:51.758283 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:51.858434 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:56.959779 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:57.060587 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:57.158111 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:57.258322 AT 255.89.1.6 > 0.0.6: at-#6 25
18:23:57.358471 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:02.459818 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:02.560104 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:02.660233 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:02.760387 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:02.858039 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:07.959106 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:08.060252 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:08.160285 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:08.260445 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:08.358028 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:13.459157 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:13.559441 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:13.659627 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:13.759782 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:13.859935 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:16.560260 00:c0:02:a0:c8:21 > 03:00:00:00:00:01 sap f0 ui/C
18:24:16.560571 IP 192.168.8.21.138 > 255.255.255.255.138: UDP, length 201
18:24:18.959453 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:19.060265 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:19.160347 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:19.258001 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:19.358150 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:24.459502 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:24.559787 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:24.659910 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:24.760073 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:24.860280 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:29.958791 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:30.059934 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:30.159969 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:30.260125 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:30.357718 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:35.189967 IP 84.130.241.63.4202 > 192.168.8.20.445: S 2651319647:2651319647(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
18:24:35.190084 IP 192.168.8.20.445 > 84.130.241.63.4202: S 2200533360:2200533360(0) ack 2651319648 win 16800 <mss 1460,nop,wscale 0,nop,nop,sackOK>
18:24:35.433796 IP 84.130.241.63.4202 > 192.168.8.20.445: . ack 1 win 32767
18:24:35.438780 IP 84.130.241.63.4202 > 192.168.8.20.445: F 1:1(0) ack 1 win 32767
18:24:35.438840 IP 192.168.8.20.445 > 84.130.241.63.4202: F 1:1(0) ack 2 win 16800
18:24:35.458831 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:35.559124 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:35.595265 IP 84.130.241.63.4202 > 192.168.8.20.445: . ack 2 win 32767
18:24:35.659316 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:35.748973 IP 84.130.241.63.4246 > 192.168.8.20.135: S 2653174759:2653174759(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
18:24:35.749050 IP 192.168.8.20.135 > 84.130.241.63.4246: S 2900586369:2900586369(0) ack 2653174760 win 16800 <mss 1460,nop,wscale 0,nop,nop,sackOK>
18:24:35.759465 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:35.859618 AT 255.89.1.6 > 0.0.6: at-#6 25
18:24:35.929410 IP 84.130.241.63.4246 > 192.168.8.20.135: . ack 1 win 32767
18:24:35.940564 IP 84.130.241.63.4246 > 192.168.8.20.135: P 1:73(72) ack 1 win 32767
18:24:35.940916 IP 192.168.8.20.135 > 84.130.241.63.4246: P 1:61(60) ack 73 win 16728
18:24:36.242407 IP 84.130.241.63.4246 > 192.168.8.20.135: P 73:97(24) ack 61 win 32707
18:24:36.242661 IP 192.168.8.20.135 > 84.130.241.63.4246: P 61:365(304) ack 97 win 16704
18:24:36.586517 IP 84.130.241.63.4246 > 192.168.8.20.135: F 97:97(0) ack 365 win 32403
18:24:36.586584 IP 192.168.8.20.135 > 84.130.241.63.4246: . ack 98 win 16704
18:24:36.586684 IP 192.168.8.20.135 > 84.130.241.63.4246: F 365:365(0) ack 98 win 16704
18:24:36.593823 IP 84.130.241.63.4292 > 192.168.8.20.135: S 2655188939:2655188939(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
18:24:36.593876 IP 192.168.8.20.135 > 84.130.241.63.4292: S 1113776666:1113776666(0) ack 2655188940 win 16800 <mss 1460,nop,wscale 0,nop,nop,sackOK>
18:24:36.859414 IP 84.130.241.63.4246 > 192.168.8.20.135: . ack 366 win 32403
18:24:36.885896 IP 84.130.241.63.4292 > 192.168.8.20.135: . ack 1 win 32767
18:24:36.897430 IP 84.130.241.63.4292 > 192.168.8.20.135: P 1:73(72) ack 1 win 32767
18:24:36.897527 IP 192.168.8.20.135 > 84.130.241.63.4292: P 1:61(60) ack 73 win 16728
18:24:37.082541 IP 84.130.241.63.4292 > 192.168.8.20.135: P 73:97(24) ack 61 win 32707
18:24:37.082734 IP 192.168.8.20.135 > 84.130.241.63.4292: P 61:365(304) ack 97 win 16704
18:24:37.285926 IP 84.130.241.63.4292 > 192.168.8.20.135: F 97:97(0) ack 365 win 32403
18:24:37.286001 IP 192.168.8.20.135 > 84.130.241.63.4292: . ack 98 win 16704
18:24:37.286107 IP 192.168.8.20.135 > 84.130.241.63.4292: F 365:365(0) ack 98 win 16704
18:24:37.293228 IP 84.130.241.63.4353 > 192.168.8.20.135: S 2657570058:2657570058(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
18:24:37.293285 IP 192.168.8.20.135 > 84.130.241.63.4353: S 2867205910:2867205910(0) ack 2657570059 win 16800 <mss 1460,nop,wscale 0,nop,nop,sackOK>
18:24:37.474277 IP 84.130.241.63.4292 > 192.168.8.20.135: . ack 366 win 32403
18:24:37.479651 IP 84.130.241.63.4353 > 192.168.8.20.135: . ack 1 win 32767
18:24:37.490834 IP 84.130.241.63.4353 > 192.168.8.20.135: P 1:73(72) ack 1 win 32767
18:24:37.490939 IP 192.168.8.20.135 > 84.130.241.63.4353: P 1:61(60) ack 73 win 16728
18:24:37.604303 IP 84.130.241.63.4353 > 192.168.8.20.135: P 73:97(24) ack 61 win 32707
18:24:37.604492 IP 192.168.8.20.135 > 84.130.241.63.4353: P 61:365(304) ack 97 win 16704
18:24:37.723245 IP 84.130.241.63.4353 > 192.168.8.20.135: F 97:97(0) ack 365 win 32403
18:24:37.723310 IP 192.168.8.20.135 > 84.130.241.63.4353: . ack 98 win 16704
18:24:37.723408 IP 192.168.8.20.135 > 84.130.241.63.4353: F 365:365(0) ack 98 win 16704
18:24:37.730544 IP 84.130.241.63.4393 > 192.168.8.20.135: S 2658721579:2658721579(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
18:24:37.730599 IP 192.168.8.20.135 > 84.130.241.63.4393: S 263473781:263473781(0) ack 2658721580 win 16800 <mss 1460,nop,wscale 0,nop,nop,sackOK>
18:24:37.813405 IP 84.130.241.63.4353 > 192.168.8.20.135: . ack 366 win 32403
18:24:37.824133 IP 84.130.241.63.4393 > 192.168.8.20.135: . ack 1 win 32767
18:24:37.835321 IP 84.130.241.63.4393 > 192.168.8.20.135: P 1:73(72) ack 1 win 32767
18:24:37.835424 IP 192.168.8.20.135 > 84.130.241.63.4393: P 1:61(60) ack 73 win 16728
18:24:37.972824 IP 84.130.241.63.4393 > 192.168.8.20.135: P 73:97(24) ack 61 win 32707
18:24:37.973032 IP 192.168.8.20.135 > 84.130.241.63.4393: P 61:365(304) ack 97 win 16704
18:24:38.091648 IP 84.130.241.63.4393 > 192.168.8.20.135: F 97:97(0) ack 365 win 32403
18:24:38.091703 IP 192.168.8.20.135 > 84.130.241.63.4393: . ack 98 win 16704
18:24:38.091793 IP 192.168.8.20.135 > 84.130.241.63.4393: F 365:365(0) ack 98 win 16704
18:24:38.179036 IP 84.130.241.63.4393 > 192.168.8.20.135: . ack 366 win 32403

With kind regards,
Sebastian Albert from Germany
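A way to read a capture like the one above mechanically, as an added example that is not part of Sebastian's post and not WinDump's own code: it parses the tcpdump-style lines, counts inbound SYNs from non-private addresses per local port, and records whether 192.168.8.20 answered with a SYN-ACK (port open, as happens on 135 and 139 in the log) or a RST (port closed, as on 445). SAMPLE_LOG is a constructed excerpt of lines copied from the log above, and the service names attached to the ports are my labels.

```python
import ipaddress
import re
from collections import Counter

# Host the capture was taken on, as stated in the post, and the ports the
# thread is worried about.
LOCAL_HOST = "192.168.8.20"
WATCHED_PORTS = {135: "RPC/DCOM", 139: "NetBIOS session", 445: "SMB"}

# Constructed excerpt: a few lines copied from the WinDump log above, plus the
# AppleTalk, ICMP and raw-Ethernet lines that a parser has to skip.
SAMPLE_LOG = """\
18:21:19.956075 IP 84.130.4.132.3998 > 192.168.8.20.139: S 4218257524:4218257524(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:19.956160 IP 192.168.8.20.139 > 84.130.4.132.3998: S 2368896212:2368896212(0) ack 4218257525 win 16800 <mss 1460,nop,nop,sackOK>
18:21:22.272207 AT 255.89.1.6 > 0.0.6: at-#6 25
18:21:22.312757 IP 84.130.4.132.4127 > 192.168.8.20.445: S 4221366137:4221366137(0) win 65535 <mss 1400,nop,nop,sackOK>
18:21:22.312829 IP 192.168.8.20.445 > 84.130.4.132.4127: R 0:0(0) ack 4221366138 win 0
18:21:22.636841 IP 84.130.4.132.137 > 192.168.8.20.137: UDP, length 50
18:21:32.429683 IP 84.130.221.246.1509 > 192.168.8.20.135: S 2180946005:2180946005(0) win 16384 <mss 1400,nop,nop,sackOK>
18:21:32.429747 IP 192.168.8.20.135 > 84.130.221.246.1509: S 2195374620:2195374620(0) ack 2180946006 win 16800 <mss 1460,nop,nop,sackOK>
18:21:32.637068 IP 84.130.221.246.1514 > 192.168.8.20.135: P 1:73(72) ack 1 win 16800
18:23:16.223569 IP 192.168.8.20 > 61.152.158.157: ICMP 192.168.8.20 udp port 1026 unreachable, length 36
18:23:16.559515 00:c0:02:a0:c8:21 > 03:00:00:00:00:01 sap f0 ui/C
18:24:35.189967 IP 84.130.241.63.4202 > 192.168.8.20.445: S 2651319647:2651319647(0) win 32767 <mss 1400,nop,wscale 0,nop,nop,sackOK>
"""

# "IP a.b.c.d.port > e.f.g.h.port: rest" lines only; ICMP lines carry no
# ports and so do not match, and non-IP frames have no " IP " at all.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return addresses, ports, the TCP flag token and ack presence, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = m["rest"]
    if rest.startswith("UDP"):
        proto, flags, ack = "udp", "", False
    else:
        # tcpdump prints the flag token first ("S", "R", "P", "FP", ".") and
        # " ack N" only when the ACK bit is set; "sackOK" never matches " ack ".
        proto, flags, ack = "tcp", rest.split(" ", 1)[0], " ack " in rest
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": proto, "flags": flags, "ack": ack}


def tally_probes(lines, local_host=LOCAL_HOST):
    """Count inbound SYNs from non-private hosts and note how the host replied."""
    syns = Counter()   # (peer, local port) -> inbound SYN count
    accepted = set()   # peers answered with SYN-ACK: the port was open
    refused = set()    # peers answered with RST: the port was closed
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["proto"] != "tcp":
            continue
        if (pkt["dst"] == local_host and pkt["flags"] == "S" and not pkt["ack"]
                and not ipaddress.ip_address(pkt["src"]).is_private):
            syns[(pkt["src"], pkt["dport"])] += 1
        elif pkt["src"] == local_host:
            key = (pkt["dst"], pkt["sport"])
            if pkt["flags"] == "S" and pkt["ack"]:
                accepted.add(key)
            elif pkt["flags"] == "R":
                refused.add(key)
    return syns, accepted, refused


def probe_report(log_text, local_host=LOCAL_HOST):
    """One row per (peer, port): how many SYNs arrived and what became of them."""
    syns, accepted, refused = tally_probes(log_text.splitlines(), local_host)
    rows = []
    for (peer, port), count in sorted(syns.items()):
        if (peer, port) in accepted:
            state = "accepted"
        elif (peer, port) in refused:
            state = "refused"
        else:
            state = "unanswered"
        rows.append({"source": peer, "port": port,
                     "service": WATCHED_PORTS.get(port, "other"),
                     "syn_count": count, "state": state})
    return rows


if __name__ == "__main__":
    for row in probe_report(SAMPLE_LOG):
        print(f'{row["source"]:>16} -> {row["port"]:<4} {row["service"]:<16} '
              f'{row["syn_count"]} SYN(s), {row["state"]}')
```

Run against the full log, the "accepted" rows on 135 and 139 are the ones worth pairing with a firewall rule or a patch level check, since those are the ports the host actually completed handshakes on.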

#10
imfeelinglucky

Thanks Steve,
I am confused! WMI and RRS indicate restart "service", not the PC!
I have two connections just like you, one with a firewall and the other an open connection, and I have the problem with the open internet connection.

What would happen if you chose "take no action" when there is a fault in WMI?
Does the whole thing mean that the PC is infected?
Why can't a personal firewall prevent the PC from restarting?

Sebastian: I think I have seen my PC trying to access strange IP addresses too!

#11
stevethames

Hey Guys.

Lucky, I agree, the Restart Service action should not cause a system restart, but the earlier posters seemed to think so, so I checked. It's certainly worth a try to turn off that action and see if the problem recurs, but I would be concerned, if the problem is a Blaster-type worm, what would it do to your machine if it did not reboot? I just got home and have not had a chance to look at Sebastian's WinDump but I will, now.

Also, you're quite right, Lucky, a system firewall should block this problem if it is a worm of some kind. Did you try simply closing all holes in the firewall? I don't have a firewall on my Win/2000 box so I can't test that. If you do, post the results.

Good Luck.

#12
imfeelinglucky

Hi,
I actually set WMI to Take No Action on First Failure, which just delayed the restarting process. I agree it might be too risky to set it to Take No Action at all.
I have also tried closing all ZoneLabs holes except IE, mcinfo, ping and netstat, but it didn't change anything, or perhaps I should have closed IE too(?)
Anyway, I think I am giving up on the whole old OS and probably will reinstall it... but can't be sure it won't happen again.

#13
imfeelinglucky

darth_ash:
Having tried to repair Windows by running the setup CD, I have now found the one StartupType-disabled service which indicates restart in case of failure (restart the service): that is Microsoft SSL!

What now?

#14
darth_ash

Change its StartupType to Manual.

The Microsoft SSL service is required when logging in to websites like Hotmail or any other site that uses SSL. Because it was previously disabled, your PC must have done the Failure Action when you went to these websites.

Edited by darth_ash, 24 August 2005 - 02:55 PM.


#15
imfeelinglucky

Thanks Darth_ash,

Now lsass terminates unexpectedly even before login! And by the way SSL was infected...I give up.