Memory Leak??? Hijack analysis please!!

Discussion in 'Windows XP' started by mrb13, Sep 30, 2003.

Thread Status:
Not open for further replies.
  1. mrb13

    mrb13 Thread Starter

    Joined:
    Sep 30, 2003
    Messages:
    6
    System Data:
    Dell Laptop Latitude 840
    Intel P4
    768 MB RAM
    1GB Page File
    Win 2000 SP4

    Primary apps used: Office, Outlook, Explorer, Cisco VPN dialer (remote access to office)

    Problem:
    For whatever reason, I'll be working fine and then out of the blue all apps will hang. I'll shut them down and when I try to bring them back up I'll get an insufficient resources error. After this error, I am not able to restart the computer because it tells me that I no longer have permissions to shutdown or restart this computer. At this point I have to power cycle the box. The only commonality with these events is that it seems to only occur when I am connected to the net. I was thinking memory leak or something.

    I stumbled across this forum and wanted to know if someone could analyze my hijack output?

    Let me know and I'll post the hijack log.

    Thanks,
    Mr. B
     
  2. mrb13

    mrb13 Thread Starter

    Joined:
    Sep 30, 2003
    Messages:
    6
    I figured I would go ahead and post the hijack output just in case the old laptop crashes again:


    Logfile of HijackThis v1.97.2
    Scan saved at 11:26:21 AM, on 9/30/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\WINNT\System32\Hummbird\inetd32.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\EPOAgent\naimas32.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\wins\DLLHOST.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\wins\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\System32\LXSUPMON.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\EPOAgent\naimag32.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Bryant\software\HijackThis.exe

    O1 - Hosts: 216.132.202.12 sungod sungod.ctsinc.net
    O1 - Hosts: 216.132.202.13 quark quark.ctsinc.net
    O1 - Hosts: 216.132.202.15 thedoc thedoc.ctsinc.net
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\ipsecdialer.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://sungod.ctsinc.net/iNotes.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37714.3524537037
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Start by going into Control Panel and removing New.Net.

    Then post a new log.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,202
    First Name:
    Derek
    Apart from New.Net I can't see anything obvious, but I have heard of several reports of similar problems with an SP4 system. Many advise sticking with SP3 for the moment, as SP4 apparently has several bugs.
     
  5. mrb13

    mrb13 Thread Starter

    Joined:
    Sep 30, 2003
    Messages:
    6
    New output after removal of New.Net:

    Logfile of HijackThis v1.97.2
    Scan saved at 12:23:55 PM, on 9/30/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\EMC VPN\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\WINNT\System32\Hummbird\inetd32.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\EPOAgent\naimas32.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\wins\DLLHOST.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\wins\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\System32\LXSUPMON.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\EPOAgent\naimag32.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Bryant\software\HijackThis.exe

    O1 - Hosts: 216.132.202.12 sungod sungod.ctsinc.net
    O1 - Hosts: 216.132.202.13 quark quark.ctsinc.net
    O1 - Hosts: 216.132.202.15 thedoc thedoc.ctsinc.net
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: EMC VPN Client.lnk = C:\Program Files\EMC VPN\VPN Client\ipsecdialer.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://sungod.ctsinc.net/iNotes.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37714.3524537037
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
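
Added example, not part of any post in this thread: a small Python helper that compares two HijackThis logs like the pair above and lists running processes that carry a system binary's name but sit outside its usual directory. The function names are hypothetical and the `EXPECTED_DIR` baseline is an assumption about a default Windows 2000 install, not something stated in the thread.

```python
import ntpath
import re

# Assumed baseline (not from the thread): usual directory, lower-cased.
SYSTEM32 = r"c:\winnt\system32"
EXPECTED_DIR = {n: SYSTEM32 for n in ("svchost.exe", "dllhost.exe", "lsass.exe", "services.exe")}
ENTRY = re.compile(r"^O\d+ - ")

def parse(log):
    """Split a HijackThis log into running-process paths and O-entries."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif ENTRY.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def removed_entries(before, after):
    """O-entries present in the first log but absent from the second."""
    return sorted(set(parse(before)[1]) - set(parse(after)[1]))

def misplaced_system_binaries(log):
    """Running processes named like a system binary but in another directory."""
    hits = []
    for path in parse(log)[0]:
        folder, name = ntpath.split(path.lower())
        if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
            hits.append(path)
    return hits

# Shortened excerpt of the first log posted in this thread.
BEFORE = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wins\DLLHOST.EXE
C:\WINNT\System32\wins\svchost.exe

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O10 - Hijacked Internet access by New.Net
"""
# Constructed stand-in for the second log: same lines minus the New.Net entries.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "New" not in l)

if __name__ == "__main__":
    print(removed_entries(BEFORE, AFTER), misplaced_system_binaries(AFTER), sep="\n")
```

On this excerpt the diff reports the two New.Net entries as removed, while the two executables under `System32\wins` are listed for both logs.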
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Is everything working ok now?
     
  7. mrb13

    mrb13 Thread Starter

    Joined:
    Sep 30, 2003
    Messages:
    6
    No.. as a matter of fact I just power cycled after being locked out again. For whatever reason my network connection is the first to lock and then I can't launch any other apps. Not even task manager will launch.
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Have you checked to see if all of your mapped drives are working? If one isn't it can consume a lot of resources.

    Next suggestion: take your Lexmark printer out of startup and launch it only when you need it.
     
  9. mrb13

    mrb13 Thread Starter

    Joined:
    Sep 30, 2003
    Messages:
    6
    No mapped drives..

    The printer is only available to me when I am at home anyway; how do I take the printer out of the startup sequence?

    Mr. B
     
  10. mrb13

    mrb13 Thread Starter

    Joined:
    Sep 30, 2003
    Messages:
    6
    Help...

    It is happening more frequently now. The system boots; I fire up explorer; it runs fine for 10-30 minutes; then all of a sudden the network is disabled and any further attempt to launch any application is met with: insufficient resources blah blah. OR Insufficient number of TCP sockets are available.
     
Short URL to this thread: https://techguy.org/168556