Memory Leak??? Hijack analysis please!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mrb13

Thread Starter
Joined
Sep 30, 2003
Messages
6
System Data:
Dell Laptop Lattitude 840
Intel P4
768 MB RAM
1GB Page File
Win 2000 SP4

Primary apps used: Office, Outlook, Explorer, Cisco VPN dialer (remote access to office)

Problem:
For whatever reason, I'll be working fine and then out of the blue all apps will hang. I'll shut them down and when I try to bring them back up I'll get an insufficient resources error. After this error, I am not able to restart the computer because it tells me that I no longer have permissions to shutdown or restart this computer. At this point I have to power cycle the box. The only commonality with these events is that it seems to only occur when I am connected to the net. I was thinking memory leak or something.

I stumbled accross this forum and wanted to know if someone could analyze my hijack output?

Let me know and I'll post the hijack log.

Thanks,
Mr. B
 

mrb13

Thread Starter
Joined
Sep 30, 2003
Messages
6
I figured I would go ahead and post the hijack out put just in the old laptop crashes again:


Logfile of HijackThis v1.97.2
Scan saved at 11:26:21 AM, on 9/30/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\EPOAgent\naimas32.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\wins\DLLHOST.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wins\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\EPOAgent\naimag32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Bryant\software\HijackThis.exe

O1 - Hosts: 216.132.202.12 sungod sungod.ctsinc.net
O1 - Hosts: 216.132.202.13 quark quark.ctsinc.net
O1 - Hosts: 216.132.202.15 thedoc thedoc.ctsinc.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\ipsecdialer.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://sungod.ctsinc.net/iNotes.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37714.3524537037
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Start by going into control panel and remove New.Net

Then post a new log.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
apart from new.net I can't see anything obvious, but I have heard of several reports of similar problems with a SP4 system, many advice sticking with SP3 for the moment as SP4 apparantly has several bugs
 

mrb13

Thread Starter
Joined
Sep 30, 2003
Messages
6
New output after removal of New .Net:

Logfile of HijackThis v1.97.2
Scan saved at 12:23:55 PM, on 9/30/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\EPOAgent\naimas32.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\wins\DLLHOST.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wins\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Bryant\software\HijackThis.exe

O1 - Hosts: 216.132.202.12 sungod sungod.ctsinc.net
O1 - Hosts: 216.132.202.13 quark quark.ctsinc.net
O1 - Hosts: 216.132.202.15 thedoc thedoc.ctsinc.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\ipsecdialer.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://sungod.ctsinc.net/iNotes.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37714.3524537037
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

mrb13

Thread Starter
Joined
Sep 30, 2003
Messages
6
No.. as a matter of fact I just power cycled after being locked out again. For whatever reason my network connection is the first to lock and then I can't launch any other apps. Not even task manager will launch.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Have you checked to see if all of your mapped drives are working? If one isn't it can consume a lot of resources.

Next suggestion take your Lexmark printer out of startup and launch it only when you need it.
 

mrb13

Thread Starter
Joined
Sep 30, 2003
Messages
6
No mapped drives..

The printer is only available to me when I am at home anyway; how do I take the printer out of the startup sequence?

Mr. B
 

mrb13

Thread Starter
Joined
Sep 30, 2003
Messages
6
Help...

It is hapening more frequent now. The system boots; I fire up explorer; it runs fine for 10-30 minutes; then all of a sudden the network is disabled and any further attempt to launch any application is met with: insufficient resources blah blah. OR Insufficient number of TCP sockets are available.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top