MALWARE! Sleepwalking: TBS/TPM ?

hellosailor
Senior Member
Posts: 647
Joined: Sat Jan 05, 2008 1:52 pm
Location: NY, NY

MALWARE! Sleepwalking: TBS/TPM ?

#1 Post by hellosailor » Sun Nov 16, 2008 12:02 pm

[updated, not solved]

Well, deleting the rogue Java installation didn't solve the problem. I'm still getting TBS error 516 followed by TPM 13 every night. It has changed from just past 4AM to just past 3AM now, but apparently the TBS/TPM set are having fun every night.
Which doesn't make sense unless SOMEthing is trying to perform some type of access (internally--because the network is physically unplugged at night now.)

Can't seem to find a rootkit scanner for Vista, although MSDefender is supposed to do some rootkit scanning, I'm forced to "trust nothing" while this keeps on happening.

Anyone see a hint to resolving this?



[original message]

The lines below are a direct report from the system log on this Vista Ultimate-32 system. I've found the computer on and awake (waiting for credentials) a couple of times and this time decided it wasn't because I forgot to shut it down.

Apparently the events started at 4:00:02 AM when the built-in network controller tried to query the router for a DHCP update. Which I wouldn't expect to happen while the computer is asleep. Then the fun starts, the print spooler (empty) tries to reopen...all sorts of fun.

[UPDATED]

"wake on LAN" is disabled, FOR SURE, so the question is, what's going on? A bug in sleep mode? Or in Vista, that is letting machines wake up when they should be sleeping?

Has anyone heard of a BIOS bug that allows a DHCP timeout to wake-on-LAN even when the BIOS is set not to wake?

Nothing showed in the task scheduler, either, as either being scheduled or having run anywhere near that time.


====System Log excerpts=========

Level Date and Time Source Event ID Task Category
Information 11/16/2008 11:50:14 AM Service Control Manager 7036 None The Windows Image Acquisition (WIA) service entered the running state.

Information 11/16/2008 4:17:02 AM Service Control Manager 7036 None The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.

Information 11/16/2008 4:10:33 AM Service Control Manager 7036 None The Windows Modules Installer service entered the stopped state.

Information 11/16/2008 4:02:02 AM Microsoft-Windows-Dhcp-Client 1103 None Your computer was successfully assigned an address from the network, and it can now connect to other computers.

Warning 11/16/2008 4:00:35 AM Microsoft-Windows-SpoolerWin32SPL 4 None The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Warning 11/16/2008 4:00:35 AM Microsoft-Windows-SpoolerWin32SPL 4 None The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Information 11/16/2008 4:00:33 AM Service Control Manager 7036 None The Windows Modules Installer service entered the running state.

Information 11/16/2008 4:00:33 AM Microsoft-Windows-DistributedCOM 10029 None "DCOM started the service TrustedInstaller with arguments """" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}"

Information 11/16/2008 4:00:32 AM Service Control Manager 7036 None The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

Information 11/16/2008 4:00:07 AM Microsoft-Windows-ResourcePublication 104 None The service is publishing to the network.

Information 11/16/2008 4:00:04 AM Microsoft-Windows-Power-Troubleshooter 1 None "The system has resumed from sleep.

Sleep Time: 11/16/2008 3:47:36 AM
Wake Time: 11/16/2008 9:00:02 AM

Wake Source: RTC"
Error 11/16/2008 4:00:03 AM Microsoft-Windows-TBS 516 None An error occurred while communicating with the TPM. The driver returned 0x8007045d.

Information 11/16/2008 4:00:02 AM Tcpip 4201 None The system detected that network adapter Local Area Connection was connected to the network, and has initiated normal operation.

Information 11/16/2008 4:00:02 AM Tcpip 4201 None The system detected that network adapter Local Area Connection was connected to the network, and has initiated normal operation.

Information 11/16/2008 4:00:02 AM Service Control Manager 7036 None The Pml Driver HPZ12 service entered the running state.

Warning 11/16/2008 4:00:02 AM Microsoft-Windows-Dhcp-Client 1003 None "Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001E3784AB3A. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server."
Last edited by hellosailor on Sun Dec 21, 2008 4:00 pm, edited 2 times in total.
"The only good silicon life form, is a dead silicon life form." [Will Rogers]
-- Harboring a retired T61P with Vista/U/32 and housebreaking a younger W530 foolishly upgraded from Win7/64 to Win10.

K0LO
Senior Member
Posts: 659
Joined: Wed Sep 07, 2005 12:14 pm
Location: State College, PA, USA

Re: Sleepwalking? DHCP & Printer spooler auto-awaken ??

#2 Post by K0LO » Sun Nov 16, 2008 11:14 pm

hellosailor wrote:...Information 11/16/2008 4:00:04 AM Microsoft-Windows-Power-Troubleshooter 1 None "The system has resumed from sleep.

Sleep Time: 11/16/2008 3:47:36 AM
Wake Time: 11/16/2008 9:00:02 AM

Wake Source: RTC"
I think this is the key. Some event had been scheduled to occur at this time, so the wake source was the Real-Time Clock. The DHCP message probably happened because the DHCP request was sent out before the network had finished coming up.

I see one of my Vista PCs doing this about once every six months - out of the blue it will just come awake (by the RTC) for no apparent reason. But it goes back to sleep after the user inactivity timer expires two minutes later. I haven't yet found the source of the RTC event. The other machine has never done this, and it's identical hardware.

Do you have any software that runs its own scheduler; for example, PerfectDisk, etc.?
Mark

X61T 7764-CTO, Core 2 Duo L7500 LV 1.6 GHz, 4 GB RAM, 120 GB Intel X25M SSD
Multiboot w/Grub4DOS -- Windows 10, MustangPE, PartedMagic
My ex: X41T (2005 - 2009)

hellosailor
Senior Member
Posts: 647
Joined: Sat Jan 05, 2008 1:52 pm
Location: NY, NY

#3 Post by hellosailor » Mon Nov 17, 2008 10:54 am

Thanks, Mark, that is what I was eyeing. These days EVERYTHING wants to phone home, but I try to make sure that's disabled without adult supervision.

Would examining the RTC entries in the task scheduler point more specifically? I didn't think I missed anything in there, but there must be fingerprints from something, somewhere.

K0LO
Senior Member
Posts: 659
Joined: Wed Sep 07, 2005 12:14 pm
Location: State College, PA, USA

#4 Post by K0LO » Mon Nov 17, 2008 12:10 pm

hellosailor wrote:..Would examining the RTC entries in the task scheduler point more specifically? I didn't think I missed anything in there, but there must be fingerprints from something, somewhere.
That IS the question that I've been unable to answer. For example, my work machine just did that on Saturday; it woke up at 12:45 PM and went back to sleep at 12:47 PM. It hasn't done this for months. In examining the System Event log I can't find any specific task that was run. In looking through the events in the Task Scheduler Library (besides user-created events there are a lot of Microsoft-created events) I can't find any that ran at that specific time. So I'm still looking for the specific cause.

Since this occurs very infrequently (months), I probably haven't looked as hard as I should for the reason. And since only one machine (out of two with identical hardware) does this I suspect it is software-related (an app or its settings) but so far the reason is elusive.
Mark

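One way to chase down what a Real-Time Clock wake actually ran, as an added example (not from either poster): this PowerShell snippet takes the most recent Power-Troubleshooter resume event from the System log, lists the Task Scheduler "task triggered" and "task started" events recorded in the minutes after it, and then asks powercfg which devices are armed to wake the machine and what woke it last. It assumes Get-WinEvent is available (PowerShell 2.0 or later) and that the Microsoft-Windows-TaskScheduler/Operational log is enabled; the 120-second window is an assumption.

```powershell
# Added example, not part of the original thread.
# 1. The resume event: Event ID 1 from Microsoft-Windows-Power-Troubleshooter
#    carries the Sleep Time, Wake Time and Wake Source (e.g. "RTC").
$wake = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
    Id           = 1
} -MaxEvents 1

$source = ($wake.Message -split "`n" | Where-Object { $_ -match 'Wake Source' }) -join ' '
"Last resume at {0} ({1})" -f $wake.TimeCreated, $source.Trim()

# 2. Scheduled tasks that fired right after the wake.
#    Event 107 = "Task triggered on scheduler", 100 = "Task Started";
#    the first event property of both is the task name.
$window = 120   # seconds after wake to inspect (assumption)
$tasks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
    Id        = 107, 100
    StartTime = $wake.TimeCreated
    EndTime   = $wake.TimeCreated.AddSeconds($window)
} -ErrorAction SilentlyContinue

if ($tasks) {
    "Tasks triggered within $window s of the wake:"
    $tasks |
        Select-Object TimeCreated, Id, @{ n = 'Task'; e = { $_.Properties[0].Value } } |
        Format-Table -AutoSize
} else {
    "No Task Scheduler events within $window s of the wake (log may be disabled)."
}

# 3. What is allowed to wake the box, and what the firmware says woke it last.
#    A task can only wake the system if "Wake the computer to run this task" is set,
#    so a task name here plus an RTC wake source points at that task's trigger.
powercfg -devicequery wake_armed
powercfg -lastwake
```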

hellosailor
Senior Member
Posts: 647
Joined: Sat Jan 05, 2008 1:52 pm
Location: NY, NY

#5 Post by hellosailor » Mon Nov 17, 2008 3:03 pm

I'm rashly accusing one of the usual suspects like RealPlayer (the first Ghoulwear, but my Treo wants it), or Adobe Update (which runs even when you tell it not to), and I'd suspect AVG as well, but I banished that from here. Or so I think.

I suppose I'd need to run a packet sniffer and see what traffic is trying to sneak out--and then charge them with felony computer tampering. Might be time to engage the logs in the router.

So far I've already caught the Skype folks guilty of computer tampering. Once it is installed, it binds into MSIE7 and runs Skype every time it finds a phone number--even if the install option to do so has been deselected and the mods to remove it have been run.

I wonder if there's a future to be made in charging criminal coders....

Harryc
Moderator Emeritus
Posts: 13228
Joined: Thu Apr 12, 2007 8:23 am
Location: Upstate New York

#6 Post by Harryc » Mon Nov 17, 2008 5:12 pm

Have you considered the possibility of your laptop having a trojan horse onboard that is attempting to get to the net? Some of these can be date/time specific, seemingly at random.

hellosailor
Senior Member
Posts: 647
Joined: Sat Jan 05, 2008 1:52 pm
Location: NY, NY

#7 Post by hellosailor » Mon Nov 17, 2008 9:57 pm

I always consider trojans but take steps to stop them:

1- Hardware firewall in NAT.
2- Software firewall in Vista.
3- Vista Defender for active scans.
4- Manual runs of other products from time to time.
5- Extremely high security settings in MSIE7.
and
6- I try to practice safe hex.

It could be a trojan--it could just as likely be cosmic rays triggering random bits in the chips. (A sea level computer is likely to be hit by ionizing radiation 4x per year.)
Last edited by hellosailor on Thu Apr 23, 2009 3:59 pm, edited 2 times in total.

Atar
Posts: 1
Joined: Wed Apr 22, 2009 10:22 am
Location: Moscow, Russia

Re: MALWARE! Sleepwalking: TBS/TPM ?

#8 Post by Atar » Thu Apr 23, 2009 3:30 am

I found a description of event 516 from TBS here: http://www.eventidwiki.com/index.php?ti ... 516%2C_TBS.
The solution for this (from KB950330[http://support.microsoft.com/kb/950330]) is to ignore the messages, or update the BIOS.
You must read this KB to understand the problem.
