Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Seeking Help Regarding Constant Computer Crashes


  • This topic is locked This topic is locked
6 replies to this topic

#1 BloodMiser

BloodMiser

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 05 October 2006 - 04:08 PM

Greetings. I have the following problems with my Windows XP PC, and my friend referred me to this forum, indicating that you had been quite helpful in the past:

1) The computer crashes every 20-30 min after start-up
2) The explorer.exe file appears to consume 90-99% of the cpu cycles even when the machine is idle.
3) The computer runs quite slowly (particularly right before crashes)

I had problems similar to this on another machine, and the culprit turned out to be spyware/trojans, etc. I followed the steps indicated in your forum FAQ instructions (running Adaware, etc.). Adaware removed "searchbar" spy software, but my problems are still persistant. What follows is my HiJackThis log. If anyone has any recommendations or can help in any fashion, that would be much appreciated. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:26:58 PM, on 10/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\system32\1.tmp
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Jeff Karem\Local Settings\Temp\Temporary
Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://store.presario.net/scripts/redirect...c01&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://store.presario.net/scripts/redirect...c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://store.presario.net/scripts/redirect...c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Compaq
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\1.tmp
F2 - REG:system.ini:
UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\1.tmp
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.csuohio.edu"); (C:\Documents and Settings\Jeff
Karem\Application Data\Mozilla\Profiles\default\5w66lv54.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Jeff Karem\Application
Data\Mozilla\Profiles\default\5w66lv54.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button
Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft
Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network
Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\kryjygo.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Network Latency Controller]
C:\WINDOWS\system32\1.tmp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program
Files\Netscape\Netscape 6\Netscp.exe" -turbo
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer
720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} -
C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF:
START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O17 -
HKLM\System\CCS\Services\Tcpip\..\{1BBE5630-33CF-4313-B18A-F45133A5AD92}:
NameServer = 137.148.228.20 137.148.5.27
O17 -
HKLM\System\CS1\Services\Tcpip\..\{1BBE5630-33CF-4313-B18A-F45133A5AD92}:
NameServer = 137.148.228.20 137.148.5.27
O21 - SSODL: BEBHCHBD - {2F5D7295-11A3-3305-692A-760D06DC1DB8} -
C:\WINDOWS\System32\Ofmijnpk.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program
Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner -
C:\WINDOWS\System32\hwclock.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network
Associates, Inc. - C:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common
Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network
Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner -
C:\WINDOWS\system32\1.tmp
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. -
C:\WINDOWS\System32\PackethSvc.exe

BC AdBot (Login to Remove)

 


#2 BloodMiser

BloodMiser
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 05 October 2006 - 06:09 PM

I forgot to add this -- for some reason the file windows/system32/1.tmp has become associated with Microsoft Word. I don't know if that would affect anything. I also can't seem to remove this file association.

Thanks

#3 BloodMiser

BloodMiser
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 06 October 2006 - 05:28 PM

To update, I've been finding that the crashes are occurring more and more frequently when I boot up. Would this potentially be related to overheating? I have no clue at all. I really think that 1.tmp is a problem here, though I am no computer expert.

#4 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 07 October 2006 - 09:56 AM

Welcome BloodMiser! :thumbsup:

I will be helping you under the guidance of one of our expert coaches.

Please give me a little time to get back to you with instructions.

Thanks
Jamie
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#5 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 08 October 2006 - 12:22 PM

Hey BloodMiser

These constant crashes are caused by malware installed on your system.

Backdoor Functionality:

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the Internet, re-format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have Win32.Korgo.AB and W32/Hwbot-A.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to re-format and re-install, a useful link is here: http://www.dslreports.com/faq/10063

Please let me know what you decide.
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#6 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 17 October 2006 - 02:29 PM

Are you still monitoring this thread?
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#7 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 29 October 2006 - 06:04 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users