Machine freezes or boots by itself

:scratch: Hello friends and savants from Short Media,
here I am again, now searching for your always patient help. I need tips on solving a new problem that has been affecting my machine since I killed W32.HLLW.gaobot.gen with your help. It seems to be clean, as I have Norton updated and it gives no sign of infection. I have Spywareblaster as the default protection and it seems to work fine because AdAware does not locate any items to delete when I run it (just to double-check). Same with Spybot.
Now I am running Folding@Home, too, and I do not know if this can be the starter for the issues that plague me: the machine frequently freezes completely (does not accept Ctrl+Alt+Del) and I have to boot again. Or it just boots by itself.

I just cannot figure out what that could be by myself. Can you please analyze my HJT log below and see if there is anything wrong? Thanks for your time, guys.


Logfile of HijackThis v1.99.1
Scan saved at 13:27:28, on 10/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SymTray.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\system32\rundll32.exe
C:\Arquivos de programas\Anti-BO\Anti-bo.exe
C:\Arquivos de programas\Folding@Home\winfah.exe
C:\Arquivos de programas\Folding@Home\FahCore_82.exe
C:\Arquivos de programas\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cjub.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Arquivos de programas\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpppta] C:\Arquivos de programas\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [iTunesHelper] C:\Arquivos de programas\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Symtrdr.exe
O4 - Startup: Folding@Home 5.03.lnk = C:\Arquivos de programas\Folding@Home\winfah.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Anti-BO v1.5b.lnk = C:\Arquivos de programas\Anti-BO\Anti-bo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Arquivos de programas\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Arquivos de programas\Hello\PicasaCapture.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = criacaso.lannet
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CE77209-DEC0-4CE4-A947-DF1BBB80F818}: NameServer = 200.244.149.23,200.244.149.26
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = criacaso.lannet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = criacaso.lannet
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\system32\DRIVERS\dcfssvc.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Serviço de proteção automática do Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe

Comments

  • edited April 2005
    I forgot to mention something. When the machine reboots, many times I get the desktop white screen deconfiguration standard, asking me if I want to recover Windows desktop.

    Yesterday I got a message regarding C:\WINNT\System32\lsass.exe just before the shutdown.

    I checked Windows Explorer and found these entries, all apparently originals from Microsoft:

    lsass.exe C:\WINNT\$NtUninstallKB835732$ 36KB 19/6/2003
    lsass.exe C:\WINNT\ServicePackFiles\i386 36KB 19/6/2003
    LSASS.EXE C:\WINNT\system32 36KB 23/3/2004
    lsass.exe C:\WINNT\system32\dllcache 36KB 23/3/2004

    Thanks for any tips you can provide. :scratch:
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Your log looks clean.

    Run this virus scan and post back here any files that it did not remove.

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
  • edited April 2005
    :) Hi, Buckeye! Thanks for helping me once more.

    While scanning it with Panda, the machine crashed once. After the automatic reboot, I went back to Panda's page and it rolled till the end but nothing showed up.

    One point to think about: I noticed that when Folding@Home is not running - I have been disabling it sometimes just to test - the boot intervals are spaced by some 10 minutes or more. I do not understand why, unless the machine is suffering from the Sasser worm.

    I read in Neuber's Security Task Manager, at http://www.neuber.com/taskmanager/process/lsass.exe.html, so many different aspects and characteristics of Sasser and its use of different hideaways that I must ask you, as an expert, if these anti-virus tools I have been using (Norton, TrendMicro and today, per your suggestion, Panda) would ordinarily be able to detect it, or should I try a specific tool?

    I have even thought about high temperature being the cause for the boots, but tonight the AC was on for more than 30 mins, room around 19 °C, and even so the crashes occurred, thus eliminating this possibility.

    Thanks for any further suggestions. See ya!
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    It's unlikely that those scans would come up clean if you had Sasser. You may be on the right track with the heat. The temp of the room is not going to make that much difference, it's the temp inside the case that causes problems. Make sure your fan is running and not blocked by anything. If you haven't done it in a while, open up your case and blow out all of the dust.
  • edited April 2005
    Buckeye_Sam wrote:
    It's unlikely that those scans would come up clean if you had Sasser. You may be on the right track with the heat. The temp of the room is not going to make that much difference, it's the temp inside the case that causes problems. Make sure your fan is running and not blocked by anything. If you haven't done it in a while, open up your case and blow out all of the dust.

    I think just like you, but was willing to check with someone with more knowledge. Yesterday night I stripped the comp and there were 4 fans, all running clear and, to my surprise, almost no dust!!!

    I left it on - only folding for F@H - and this morning it was already frozen. I got a tip to use the console version instead of the graphical one. Will do it tonight and, if necessary, disturb you guys once more, lol.

    Thanks for the comments and time.
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    It doesn't appear that your issue is malware related. I'm going to check with someone who is more familiar with the folding for F@H program that runs on your computer. I'll get back to you.
  • Dexter Vancouver, BC Canada
    edited April 2005
    Folding at home will not crash your computer.

    I would use Memtest to test your RAM out. Guide here:

    http://www.short-media.com/review.php?r=276

    Give that a shot and let us know what it says.

    Dexter...
  • edited April 2005
    Dexter wrote:
    Folding at home will not crash your computer.

    I would use Memtest to test your RAM out. Guide here:

    http://www.short-media.com/review.php?r=276

    Give that a shot and let us know what it says.

    Dexter...

    Hello, Dexter.
    Thanks for the tip. Some doubts:
    I did exactly as directed. I downloaded Memtest, made the floppy. Then booted from it, the test ran for approx. 8 hours (is that right?) and found no errors till then. But I somehow got the impression that it was looping... so I exited manually.
    Are the tests so long? I do not know if it reached some end, because there is no written report (I could not find one).

    Machine is still acting weird sometimes. It freezes on Nero, on Word, almost any program. A small rectangle appears telling me: "xxxx.exe (where xxx is any program) has generated an error. windows will close now. a log is being created" and the machine boots to that white screen of "active windows desktop error".
    Perhaps you could indicate another part of this forum where I would find similar sufferers.
    Thanks for the patience.