Not sure what step to take next

By Averice
Dec 17, 2009
  1. Hi,

    I'm running windows XP service pack 2, professional.
    AMD Athlon 64 x2 dual core 4400+, 2.31 GHz, 2.00 GB ram
    sata seagate barracuda 1tb, 2 equal partitions
    thermaltake xaser 3, 480w
    nvidia geforce 9600 gt oc

    About 2 weeks ago my computer started freezing on video playback; streaming and games both. It quickly started to freeze randomly even when idle. Sometimes it will take 30 minutes, sometimes it will go for an entire day of idle and then freeze.

    Problems besides the freezing:
    1. Transferring files between partitions on my hard drive, or to a flash drive, will work normally, but as time goes on the slower it gets.
    2. Attempting to view a large folders properties, 11gig, took around 20 seconds as the properties screen actually counted up from 0 how much space the folder was taking and counted how many files were in it.
    3. My services.exe eats a ton of memory when windows loads, 50+ of my cpu, spiking up and down, and then when done it sits around 30k to 50k, occasionally taking 2 to 4% of my cpu randomly.
    4. For a little while, whenever I watched a video, my page filing would climb climb climb, and then I would crash, but it doesn't do that anymore.
    5. CPU will spike randomly 50-80% while the pc is idle.

    What I've done:
    1. I've run memtest86, no errors.
    2. Chckdisk - no errors.
    3. defragged the partition with windows on it, no errors, and amazingly didn't freeze until after it was done, took it about 9-12 hours.
    4. malawarebytes - no viruses.
    5. adawareantivirus - no viruses.
    6. svchostanalyzer - nothing out of the ordinary.
    7. taskmanager17 - nothing out of the ordinary.
    8. booted noppix from a flash drive, had no idea what to do after that but it didn't crash.

    Whenever the computer crashes it's explorer freezing/crashing. Doesn't matter if I'm attached to the net or not, still crashes, video playback greatly speeds up how soon it crashes.

    I'm not sure what to do next. I don't really want to format my windows partition and reinstall, and I don't have any spare parts laying around to do hardware swap tests. My video card did get really hot about 6 months or so ago, but I cleaned the dust out and have kept the entire pc relatively dust free since and haven't had any issues until now.

    Are there anymore software tests I can run before starting on the hardware?
    Are there anymore hardware test I can run to try and narrow down the problem?
    Does anyone know what might be the problem from past experiences?

    The problem doesn't appear to be getting worse, it's just unusable for now. Any help is much appreciated, thanks.
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. Averice

    Averice TS Rookie Topic Starter

    Thanks, I'll try both of those.
  4. Averice

    Averice TS Rookie Topic Starter

    I followed the 8 step guide.

    Though I used malawarebytes before avira free, since mbam was my default anti virus checker. I used it again during the appropriate step so I'm going to list it first, and the second time I used it during the steps it found nothing, so I'm not going to upload the second, clean, one.

    Malwarebytes: mbam-log-2009-12-19 (15-49-23).txt

    SuperAntiSpyware: SUPERAntiSpyware Scan Log - 12-18-2009 - 19-47-18.log

    Hijackthis: hijackthis.log

    I also ran Avira free in safe mode, and it found more stuff: AVSCAN-20091219-195459-1268FA66.LOG

    It crashed halfway through the Avira test, as you might be able to tell from that log, or that might be the log where it didn't crash and I just stopped it and deleted the files when it detected them in case it wanted to crash again.

    The second Avira I ran found more since it was able to finish: AVSCAN-20091210-205811-6A302307.LOG

    Other Notes:
    While attempting to use CCleaner in the second step, I was unable to finish the deletion of my Chrome history. I attempted this about four times, twice before and twice after a restart due to my PC freezing in the middle of the attempt. I also tried to access my Chrome history and it wouldn't load, which was unusual. I removed Chrome from my system and ran CCleaner again and it finished.

    I then used Mozilla to download the other files necessary, but it ate up my memory at about 1Mb a second, growing over 350,000 and then crashing. Only firefox would crash though, not my entire PC, most of the time. I'm currently typing this on firefox, and it is working okay while doing this, but if I start to download anything or stream any video, the mem useage jumps from 65 K to 200 K and starts climbing rapidly. My system has had mozilla issues for a long time though, browser shutting down during streaming after one of their major updates, which is why I switched to Chrome in the first place. So I'm not sure if this is a mozilla problem or a virus problem, because it isn't exactly new.

    My services.exe has lowered itself to 17 K mem useage, instead of the 40 - 60 K it was using previously while my system was idle. I'm going to restart after I submit this to see if it remains low next restart.

    I did have a problem with Avira, it spammed me when I restarted last time as it tried to run a ton of tests all at once, giving me an error message saying that it had reached it's maximum of 4 simultaneous scans and couldn't start anymore.

    Thanks for looking over the logs. Oh, and I updated to SP3 first and got all of the updates, did that first.

    Edit: I restarted like I said I was going to, my services.exe was still low, Avira didn't spam me, so I tried running a program. It worked for about 30 minutes and then froze, so I restarted again, and this time my services.exe jumped up to 40 K. I then tried to post here but my PC crashed again while I was in the middle of doing that.

    Attached Files:

  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well it doesn't look too bad at all, but we'll do a few more steps just to be sure
    Note: after these steps we will also cleanup, actually I'll post that as well ;) Since you are quite good at doing everything

    Before actually running the next tool:
    1. Right click on Comodo firewall tray icon, and select Exit
    2. Right click on Avira tray icon, and single click on: AntiVir Gaurd Enable (to disable it)

    • Download [​IMG]Combofix to your desktop.
    • Disable your Antivirus (as Combofix will remove any found malwares)
    • Double click ComboFix & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here (actually after doing all of the below too)


    Un-install Combofix
    • Click START then RUN
    • Now type Combofix /uninstall in the runbox and click OK
    • Any popup errors about Antivirus just ok or close
    Note: 1 space after ComboFix in that uninstall command

    Uninstall SUPERAntispyware
    Start > Control Panel > Add/Remove Programs > SUPERAntispyware > Uninstall

    Update Java and remove older Java versions
    Run JavaRa
    This will remove all your old Java stuff (that is not required)
    It will also help you check for new Java updates Runtime updates
    Or just go here and auto check:

    Download and run TFC
    Your computer may need to Restart

    Clear & Reset System Restore's Cache
    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

    Restart, and let me know how its performing
  6. Averice

    Averice TS Rookie Topic Starter

    Hey, thanks for the speedy reply!

    I just finished running through the steps you gave me. I had a little trouble with Combofix, as it kept needing to restart my computer, I think 5 or 6 times in total, but it eventually finished.

    Combofix: combofix log.txt

    Everything else on the list ran smoothly.

    As soon as I restarted after the TFC, COMODO had a pop up saying that one of my svchost.exe 's was attempting to contact information outside of my computer, or well, that an ip was trying to contact my svchost.

    This happened again after I restarted after the final step. I blocked both of them temporarily, it seems to try to connect on startup.

    I have an svchost.exe running at 35 K. I haven't been paying attention to those files so I'm not sure if that's new or not, I think it is.

    My services.exe is low and around 4 K. The lowest it got during the process was 2 K a few times, but perhaps not everything was loaded. It's no longer spiking or taking up any CPU time though.

    I'm going to try and use my pc normally, I'll post an update later. I'll check back later as well, I'm a little worried about that svchost, but I'll see what you say before getting the svchostanalyzer program again.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    kimsland, is Combofix back up?
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524


    And I'll be offline for awhile, I'm thinking about a year, if not forever
    I don't like being looked as bad by the staff, even though the members who ask for help seem to be quite perfectly ok with me

    Please delete this message

    I've had enough
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Most of what you describe is in the area of 'system' and not virus and malware removal. As you probably know, you are describing a typical memory-OR-heat problem. You attempted to handle both of those but did not resolve the problems.

    There is also evidence that you had a Rootkit infection in the MBR because those entries are now in System Restore points. They're off the system and the restore points are dropped at the and of cleaning.

    But I notices there was a Trojan infection with the AUDIOSURF\LOADER.EXE
    . If I read the description clearly, this appears to be a torrent download to bypass downloading Steam.

    Please do the following:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Then Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
    Follow with Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please attach SDFix report and Eset log to next reply. Depending on what they show, I may refer you to the Windows OS forum for continued help.
  10. Averice

    Averice TS Rookie Topic Starter


    I'm no longer freezing or anything during use. My system is back up to the speed it was before the problems started happening. I have removed audio surf, and yeah it was being used to nosteam. I hate steam.

    I do have some hardware interaction problems. My seagate and my motherboard don't get along perfectly I believe, and there's two issues really. I always have to start the computer twice if it has been turned off for more than 20 seconds, or else I get a boot disk error. I read somewhere that this was a common problem because the hard drive had to finish getting though it's start cycle, but it couldn't until the boot request had already passed... something about it needing to warm up. Not a major issue. The second issue is sometimes windows will load a black screen. Monitor won't go into sleep mode, it will just be a black screen, everything is still running as if I could see it. Neither of these issues are really bothering me, all drivers are up to date.

    So I'm not really worried about my hardware anymore, thankfully. My biggest reason for coming here was because I couldn't diagnose if I had a software or hardware problem, I'm glad it was software.

    Just giving you a quick update with this post, I'll try to complete the steps you outlined later tonight. I had already removed combofix. Right now my main concern is the svchost, beyond that I'm going smooth as far as I can tell.

    Thanks Kim for your help, and thanks Bobbye for following up.
  11. Averice

    Averice TS Rookie Topic Starter

    Hey again. I clicked on your link for SDFix and it took me to another thread. I went down to the 2nd post and clicked on it there, mozilla wouldn't let me download the file, it kept saying that the page didn't exist. IE did though. So I downloaded it, avira got all angsty, but then I ran into a problem.

    I can't use F8 to get into safe mode. I previously used superantispyware's boot program to get me there, I guess I could download it again.

    Just making sure I'm supposed to use the SDFix from the andymanchesta website, and if there's a different way to access safe mode.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well thing got a bit muddle here in the change of shift. Did you ever run the Eset Online Scanner? IF not, please do that. I'd like to finish up with malware issues and then refer you to one of the other forums more appropriate for the system issue. Please do the following and leave the logs in next reply:

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Rescan with Hijackthis- leave new log.
  13. Averice

    Averice TS Rookie Topic Starter


    never ran it before, did just now though.

    I unchecked the Remove found threats option, but there wasn't a Scan unwanted applications option. I did check the box to scan archives though.

    Eset: eset log.txt

    Hijackthis: hijackthis.log
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Almost there!

    Please reopen HijackThis to 'do system scan only.' Check each of the following entries if present:

    (If you have set IE to open with a blank page, leave the first entry. If you have not, check for HJT removal.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

    Close all Windows except HJT and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Please disable and stop these Services:
    To do that: Start> Run> type in services.msc> double click on each service> change the Startup type for each to Disabled> Stop the Service> Close:
    nProtect (may show as npggsvc)
    Viewpoint Manager

    Close Services.

    Now its time to delete the service. Follow these steps.

    1) Start> Run>type in CMD> enter>
    2) Type the following command, substituting the name of the service found above for the term servicename, and press Enter.

    sc delete servicename

    for example: sc delete Viewpoint Manager

    3) If the deletion was successful, you'll see the following response:

    [SC] DeleteService SUCCESS

    4) Type Exit to close the command prompt

    Remove all of the tools we used and the files and folders they created
    • DownloadOTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    If you are prompted to Reboot during the cleanup, select Yes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    You should now switch over to the Windows OS forum for the system problems.
    Please let me know if I can be of help in the future.
  15. Averice

    Averice TS Rookie Topic Starter

    Hey, I tried to do what you listed but ran into a problem.

    I ran hijackthis and removed the two programs. I then rebooted into safe mode.

    I ran services.msc and found both of them. Nguard was listed as "manual" and viewpoint was listed as "disabled" already. But I went and turned nguard to disabled.

    I then ran cmd prompt and attempted to delete them, but I got a error: OpenService FAILED 1060: The specified service does not exist as an installed service. I got the same error for both of them.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The name of the Service is nProtect (may show as npggsvc) not nGuard. Please go back and put nGuard on Manual. It might need to get bumped up to Automatic, but Manual will do for now.

    Reboot the computer.

    Please run Notepad and copy the following text into a new file:

    sc config npggsvc start= disabled
    sc stop npggsvc
    sc delete npggsvc
    • Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
    • Locate remove.bat on the Desktop and double-click on it to run it.
    • A DOS box will open and close, that is normal.
    • If any errors errors encountered please post.
    • When done you can delete the remove.bat file.

    Don't worry about Viewpoint for now- let's get this done.
  17. fazamd

    fazamd TS Rookie

    Hello kimsland

    I know that this has been discused before so many times but i just need to know if the latitude d630 service tag ending 595b could be unlock the cmos with the paper clip procedure, or it is necesarly to do by generated password from dell or third party software. thanks in advance and sorry for insist.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...