W2k laptop acting strange

Discussion in 'adware, spyware & hijack cleaning' started by smithsonga, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. smithsonga

    smithsonga Registered Member

    Joined:
    Mar 10, 2004
    Posts:
    3
    Laptop is unstable and has even restarted itself 2 times in the last 2 days.

    I have run Ad-Aware and S&D.

    Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:33:42 PM, on 3/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\INSIGHT\TOOLS\aiclient.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\Program Files\Venturi2\Client\ventc.exe
    C:\Program Files\UMS\DMI\bin\Win32sl.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\system32\tp4serv.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\WINNT\LTSMMSG.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    C:\Program Files\Venturi2\Configurator\ventcfg.exe
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Nortel Networks\Extranet_serv.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lotus\Sametime Client\Connect.exe
    C:\Program Files\Lotus\Sametime Client\activmon.srv
    C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
    C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://plastics.home.ge.com/MainPage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Plastics
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http-proxy.gep.ge.com:80
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\P021759\Application Data\Mozilla\Profiles\default\qk042qtd.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\P021759\Application Data\Mozilla\Profiles\default\qk042qtd.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [TrackPointSrv] "tp4serv.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] "PRPCUI.exe"
    O4 - HKLM\..\Run: [dllInit ibmasstw.dll] "C:\Program Files\UMS\utils\DLLINIT.EXE" ibmasstw.dll
    O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
    O4 - HKLM\..\Run: [Sametime Connect] "C:\PROGRA~1\Lotus\SAMETI~1\Connect.exe"
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [LTSMMSG] "LTSMMSG.exe"
    O4 - HKLM\..\Run: [dla] "C:\WINNT\system32\dla\tfswctrl.exe"
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] "C:\Program Files\Common Files\Symantec Shared\Symtray.exe " SetReg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
    O4 - HKCU\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe"
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    O4 - Global Startup: Venturi 2.lnk = C:\Program Files\Venturi2\Configurator\ventcfg.exe
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .zip: C:\PROGRA~1\PKWARE\PKZIPP\nppkzip.dll
    O15 - Trusted Zone: http://gein2.gep.ge.com
    O16 - DPF: Cendant Mobility - https://eras.cendantmobility.com/Cendant/RelEmp.cab
    O16 - DPF: PlaceWare Console: PWS-CC2K-4-2-0-0-A-m7t8o4 - http://pwn.ops.placeware.com/etc/pwf/gep/lib/cc-full.cab
    O16 - DPF: Sametime Meeting Applet - http://gepmeeting01c.ge.com/stsrc.nsf/c94ddb0fce3e84ec052567290071b210/$FILE/STMeetingApplet.cab
    O16 - DPF: Sametime Meeting Room Client ST25DEV7 - http://indiagecismeeting01c.ge.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: Sametime Meeting Room Client ST25DEV9 - http://gepmeeting01.ge.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: Sametime Meeting Room Client ST30EMS - http://gepmeeting01.ge.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
    O16 - DPF: WebIntelligence Applet - http://webiamericas.gep.ge.com/wi/classes/WIPanel264.cab
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - https://www-3.ibm.com/pc/support/access/sdccommon/download/tgctlins.cab
    O16 - DPF: {01516EAA-CC39-4477-9500-87CB12F72AFD} (Livelink Explorer Activator) - http://inet45.gep.ge.com:82/Livelinksupport/webexp/llexpld.cab
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://gepquickplace01.ge.com/qp2.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://gepmeeting01.ge.com/sametime/stmeetingroomclient/STJNILoader.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {956AC257-2D37-11D2-A434-00105A07281A} (AppShareUI) - http://gepmeeting01.ge.com/STConf.nsf/AB63FEF7BFC06856852566B4004F5495/$FILE/AppShare.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.2817013889
    O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://gepmeeting01.ge.com/sametime/stmeetingroomclient/STJNILoader.cab
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://johndeere.view22.com/app/View22RTE.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/download/setup/pcpowerscan.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://johndeere-cce.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - file://C:\Program Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
    O16 - DPF: {F9B3E1F4-3F66-11D3-AD61-0090275A7262} (ZABOClientControl Class) - http://webiamericas.gep.ge.com/wi/ActiveX/ZABOIEEN.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFAEE33-FA15-4632-B111-4AB09978E7D2}: NameServer = 3.77.140.20,3.77.125.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1F4DA21-4EDA-40C2-A6F7-BF7BEBD8F2DE}: NameServer = 3.77.140.20,3.77.125.8 3.77.140.20,3.77.125.8 3.77.140.20,3.77.125.8 3.77.140.20,3.77.125.8
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gep.ge.com,ge.com,e2k.ad.ge.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gep.ge.com,ge.com,e2k.ad.ge.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gep.ge.com,ge.com,e2k.ad.ge.com


    Thanks
    Jim
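As an added example, not part of the original thread and not code from HijackThis itself, here is a small Python triage script for logs in this HijackThis format. It parses the `Rn`/`On` lines and pulls out what a reviewer looks at first in a log like the one above: the O10 broken-LSP line, the O17 NameServer values (including the malformed, space-separated one), O16 ActiveX downloads that carry no description, and O4 Run entries that launch a bare filename resolved through the search path. The sample lines are a constructed excerpt modelled on the posted log, and the severity labels and rule thresholds are my own assumptions.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity section message")

# Constructed sample in HijackThis v1.97 format, modelled on the log posted in
# the thread (a handful of its lines, not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://plastics.home.ge.com/MainPage
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/download/setup/pcpowerscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFAEE33-FA15-4632-B111-4AB09978E7D2}: NameServer = 3.77.140.20,3.77.125.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1F4DA21-4EDA-40C2-A6F7-BF7BEBD8F2DE}: NameServer = 3.77.140.20,3.77.125.8 3.77.140.20,3.77.125.8
"""

# Every HijackThis item is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
LINE_RE = re.compile(r"^(?P<section>[RNFO]\d+) - (?P<body>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"(?:https?|file)://\S+")
# Registry Run/RunOnce entries only; "Global Startup" lines use a different layout.
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Return a list of {'section', 'body'} dicts, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def lsp_findings(entries):
    # O10 reports the Winsock Layered Service Provider chain; a missing provider
    # breaks all socket I/O on the machine, which matters before any malware question.
    return [Finding("high", "O10", "Winsock LSP chain is broken: " + e["body"])
            for e in entries if e["section"] == "O10" and "Broken" in e["body"]]


def nameserver_findings(entries):
    findings, resolvers = [], set()
    for e in entries:
        if e["section"] != "O17" or "NameServer" not in e["body"]:
            continue
        value = e["body"].split("=", 1)[1].strip()
        ips = IP_RE.findall(value)
        resolvers.update(ips)
        # The value should be a single comma-separated list; spaces or repeats
        # mean the registry value has been rewritten badly at some point.
        if " " in value or len(ips) != len(set(ips)):
            findings.append(Finding("medium", "O17",
                                    f"malformed NameServer value (repeated or space-separated): {value!r}"))
    if resolvers:
        findings.append(Finding("info", "O17", "configured DNS resolvers: " + ", ".join(sorted(resolvers))))
    return findings


def dpf_findings(entries):
    findings = []
    for e in entries:
        if e["section"] != "O16":
            continue
        urls = URL_RE.findall(e["body"])
        if not urls:
            continue
        host = "local file" if urls[0].startswith("file://") else urlparse(urls[0]).netloc
        head = e["body"].split(" - ", 1)[0].strip()   # "DPF: {CLSID} (Description)" or "DPF: Name"
        if head.endswith("}"):                         # CLSID with no description at all
            findings.append(Finding("medium", "O16", f"unnamed ActiveX download from {host}"))
        else:
            findings.append(Finding("info", "O16", f"ActiveX download from {host}: {head[5:]}"))
    return findings


def run_key_findings(entries):
    findings = []
    for e in entries:
        m = O4_RE.match(e["body"]) if e["section"] == "O4" else None
        if not m:
            continue
        cmd = m.group("cmd").strip()
        exe = (cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]).strip()
        if "\\" not in exe:   # bare filename: resolved via the search path, so check where it really lives
            findings.append(Finding("info", "O4",
                                    f"Run entry [{m.group('name')}] launches bare filename {exe!r}"))
    return findings


def review(text):
    entries = parse_hjt(text)
    findings = []
    for rule in (lsp_findings, nameserver_findings, dpf_findings, run_key_findings):
        findings.extend(rule(entries))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.message}")
```

HijackThis only reports O10 entries; repairing the Winsock chain itself needs a separate LSP repair tool, and on a machine with network symptoms that line is the first thing to check before reading the rest of the log as a malware question.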
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi smithsonga,

    You have a lot of things running, but nothing that really jumps out to be malware.
    Can you give us the error reports or look if there is anything in the Event logs that might help us find the culprit?

    Regards,

    Pieter
     
  3. smithsonga

    smithsonga Registered Member

    Joined:
    Mar 10, 2004
    Posts:
    3
    Thanks Pieter. Here are some common errors in my event log, but they all seem to be network-based (I am having issues there too).

    I use a VPN to access work servers/email.

    Ok, I went into my event log and found these errors recurring:

    Error #5719 (this occurred 3 times in one hour this morning)
    No Windows NT or Windows 2000 Domain Controller is available for domain GEPHTV. The following error occurred:
    There are currently no logon servers available to service the logon request. (GEPHTV is my work server...not local)

    Error #7011 (this occurred 6 times in one hour this morning)
    Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

    Error #7031 (this occurred 3 times in one hour this morning)
    The Extranet Access Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action. (extranet is my Nortel VPN client)

    I am also getting Warning #1007 regarding DHCP
    Your computer has automatically configured the IP address for the Network Card with network address 444553544200. The IP address being used is 169.254.241.150.

    I got one Warning #1006
    Your computer was unable to automatically configure the IP parameters for the Network Card with the network address 0020E08B7196. The following error occurred during configuration: The parameter is incorrect.

    I have an XP box and a 98SE box on this network (not using VPN; personal machines) and they have recently been complaining about IP address conflicts. Not sure if that is related or how to solve it.

    This is probably not relevant to this forum, but wanted to reply.
    Thanks
    Jim
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That does sound like a network card or network setup problem, yes.

    Are you using one NIC for all the connections you mentioned?

    Regards,

    Pieter
     
  5. smithsonga

    smithsonga Registered Member

    Joined:
    Mar 10, 2004
    Posts:
    3
    I am using a Motorola cable modem connected to a Linksys wireless router. My laptop is using wireless; my two desktops are hardwired to the router.

    Not sure of the brand of Network cards in each box.

    Jim
     