Not sure what step to take next

[Averice]

Hi,

I'm running windows XP service pack 2, professional.
AMD Athlon 64 x2 dual core 4400+, 2.31 GHz, 2.00 GB ram
sata seagate barracuda 1tb, 2 equal partitions
thermaltake xaser 3, 480w
nvidia geforce 9600 gt oc

About 2 weeks ago my computer started freezing on video playback; streaming and games both. It quickly started to freeze randomly even when idle. Sometimes it will take 30 minutes, sometimes it will go for an entire day of idle and then freeze.

Problems besides the freezing:
1. Transferring files between partitions on my hard drive, or to a flash drive, will work normally, but as time goes on the slower it gets.
2. Attempting to view a large folders properties, 11gig, took around 20 seconds as the properties screen actually counted up from 0 how much space the folder was taking and counted how many files were in it.
3. My services.exe eats a ton of memory when windows loads, 50+ of my cpu, spiking up and down, and then when done it sits around 30k to 50k, occasionally taking 2 to 4% of my cpu randomly.
4. For a little while, whenever I watched a video, my page filing would climb climb climb, and then I would crash, but it doesn't do that anymore.
5. CPU will spike randomly 50-80% while the pc is idle.

What I've done:
1. I've run memtest86, no errors.
2. Chckdisk - no errors.
3. defragged the partition with windows on it, no errors, and amazingly didn't freeze until after it was done, took it about 9-12 hours.
4. malawarebytes - no viruses.
5. adawareantivirus - no viruses.
6. svchostanalyzer - nothing out of the ordinary.
7. taskmanager17 - nothing out of the ordinary.
8. booted noppix from a flash drive, had no idea what to do after that but it didn't crash.

Whenever the computer crashes it's explorer freezing/crashing. Doesn't matter if I'm attached to the net or not, still crashes, video playback greatly speeds up how soon it crashes.

I'm not sure what to do next. I don't really want to format my windows partition and reinstall, and I don't have any spare parts laying around to do hardware swap tests. My video card did get really hot about 6 months or so ago, but I cleaned the dust out and have kept the entire pc relatively dust free since and haven't had any issues until now.

Are there anymore software tests I can run before starting on the hardware?
Are there anymore hardware test I can run to try and narrow down the problem?
Does anyone know what might be the problem from past experiences?

The problem doesn't appear to be getting worse, it's just unusable for now. Any help is much appreciated, thanks.

 

[kimsland]

Try updating to SP3: http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx
Actually make sure that you complete all automatic Windows updates

Note: This forum is for users who suspect they have Malware installed
We ask all users to follow this guide first if they do:
UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

 

[Averice]

Thanks, I'll try both of those.

 

[Averice]

I followed the 8 step guide.

Though I used malawarebytes before avira free, since mbam was my default anti virus checker. I used it again during the appropriate step so I'm going to list it first, and the second time I used it during the steps it found nothing, so I'm not going to upload the second, clean, one.

Malwarebytes: mbam-log-2009-12-19 (15-49-23).txt

SuperAntiSpyware: SUPERAntiSpyware Scan Log - 12-18-2009 - 19-47-18.log

Hijackthis: hijackthis.log

I also ran Avira free in safe mode, and it found more stuff: AVSCAN-20091219-195459-1268FA66.LOG

It crashed halfway through the Avira test, as you might be able to tell from that log, or that might be the log where it didn't crash and I just stopped it and deleted the files when it detected them in case it wanted to crash again.

The second Avira I ran found more since it was able to finish: AVSCAN-20091210-205811-6A302307.LOG


Other Notes:
While attempting to use CCleaner in the second step, I was unable to finish the deletion of my Chrome history. I attempted this about four times, twice before and twice after a restart due to my PC freezing in the middle of the attempt. I also tried to access my Chrome history and it wouldn't load, which was unusual. I removed Chrome from my system and ran CCleaner again and it finished.

I then used Mozilla to download the other files necessary, but it ate up my memory at about 1Mb a second, growing over 350,000 and then crashing. Only firefox would crash though, not my entire PC, most of the time. I'm currently typing this on firefox, and it is working okay while doing this, but if I start to download anything or stream any video, the mem useage jumps from 65 K to 200 K and starts climbing rapidly. My system has had mozilla issues for a long time though, browser shutting down during streaming after one of their major updates, which is why I switched to Chrome in the first place. So I'm not sure if this is a mozilla problem or a virus problem, because it isn't exactly new.

My services.exe has lowered itself to 17 K mem useage, instead of the 40 - 60 K it was using previously while my system was idle. I'm going to restart after I submit this to see if it remains low next restart.

I did have a problem with Avira, it spammed me when I restarted last time as it tried to run a ton of tests all at once, giving me an error message saying that it had reached it's maximum of 4 simultaneous scans and couldn't start anymore.

Thanks for looking over the logs. Oh, and I updated to SP3 first and got all of the updates, did that first.

Edit: I restarted like I said I was going to, my services.exe was still low, Avira didn't spam me, so I tried running a program. It worked for about 30 minutes and then froze, so I restarted again, and this time my services.exe jumped up to 40 K. I then tried to post here but my PC crashed again while I was in the middle of doing that.

 

[kimsland]

Well it doesn't look too bad at all, but we'll do a few more steps just to be sure
Note: after these steps we will also cleanup, actually I'll post that as well Since you are quite good at doing everything

Before actually running the next tool:

1. Right click on Comodo firewall tray icon, and select Exit
2. Right click on Avira tray icon, and single click on: AntiVir Gaurd Enable (to disable it)

Combofix:

• Download Combofix to your desktop.
• Disable your Antivirus (as Combofix will remove any found malwares)
• Double click ComboFix & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here (actually after doing all of the below too)

---------------------------------
Restart
---------------------------------


Un-install Combofix

• Click START then RUN
• Now type Combofix /uninstall in the runbox and click OK
• Any popup errors about Antivirus just ok or close

Note: 1 space after ComboFix in that uninstall command



Uninstall SUPERAntispyware
Start > Control Panel > Add/Remove Programs > SUPERAntispyware > Uninstall



Update Java and remove older Java versions
Run JavaRa
This will remove all your old Java stuff (that is not required)
It will also help you check for new Java updates Runtime updates
Or just go here and auto check: http://java.com/en/download/installed.jsp?detect=jre&try=1



Download and run TFC http://oldtimer.geekstogo.com/TFC.exe
Your computer may need to Restart



Clear & Reset System Restore's Cache
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter

• Tick on the checkbox - Turn off System Restore on all drives
• Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK


Restart, and let me know how its performing

 

[Averice]

Hey, thanks for the speedy reply!

I just finished running through the steps you gave me. I had a little trouble with Combofix, as it kept needing to restart my computer, I think 5 or 6 times in total, but it eventually finished.

Combofix: combofix log.txt

Everything else on the list ran smoothly.

As soon as I restarted after the TFC, COMODO had a pop up saying that one of my svchost.exe 's was attempting to contact information outside of my computer, or well, that an ip was trying to contact my svchost.

This happened again after I restarted after the final step. I blocked both of them temporarily, it seems to try to connect on startup.

I have an svchost.exe running at 35 K. I haven't been paying attention to those files so I'm not sure if that's new or not, I think it is.

My services.exe is low and around 4 K. The lowest it got during the process was 2 K a few times, but perhaps not everything was loaded. It's no longer spiking or taking up any CPU time though.

I'm going to try and use my pc normally, I'll post an update later. I'll check back later as well, I'm a little worried about that svchost, but I'll see what you say before getting the svchostanalyzer program again.

 

[Bobbye]

kimsland, is Combofix back up?

 

[kimsland]

Yes

And I'll be offline for awhile, I'm thinking about a year, if not forever
I don't like being looked as bad by the staff, even though the members who ask for help seem to be quite perfectly ok with me

Please delete this message

I've had enough

 

[Bobbye]

freezing on video playback; streaming and games both. It quickly started to freeze randomly even when idle. Sometimes it will take 30 minutes, sometimes it will go for an entire day of idle and then freeze.

Most of what you describe is in the area of 'system' and not virus and malware removal. As you probably know, you are describing a typical memory-OR-heat problem. You attempted to handle both of those but did not resolve the problems.

There is also evidence that you had a Rootkit infection in the MBR because those entries are now in System Restore points. They're off the system and the restore points are dropped at the and of cleaning.

But I notices there was a Trojan infection with the AUDIOSURF\LOADER.EXE
. If I read the description clearly, this appears to be a torrent download to bypass downloading Steam.

Please do the following:

Uninstall ComboFix.exe And all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

Then Download SDFix HERE and save it to your Desktop.

• Double click SDFix.exe and it will extract the files to %systemdrive%
  (Drive that contains the Windows Directory, typically C:\SDFix)
  
  Boot into Safe Mode
• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  
  Run SDFix
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
• Attach Report.txt back here

Follow with Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please attach SDFix report and Eset log to next reply. Depending on what they show, I may refer you to the Windows OS forum for continued help.

 

[Averice]

Hey,

I'm no longer freezing or anything during use. My system is back up to the speed it was before the problems started happening. I have removed audio surf, and yeah it was being used to nosteam. I hate steam.

I do have some hardware interaction problems. My seagate and my motherboard don't get along perfectly I believe, and there's two issues really. I always have to start the computer twice if it has been turned off for more than 20 seconds, or else I get a boot disk error. I read somewhere that this was a common problem because the hard drive had to finish getting though it's start cycle, but it couldn't until the boot request had already passed... something about it needing to warm up. Not a major issue. The second issue is sometimes windows will load a black screen. Monitor won't go into sleep mode, it will just be a black screen, everything is still running as if I could see it. Neither of these issues are really bothering me, all drivers are up to date.

So I'm not really worried about my hardware anymore, thankfully. My biggest reason for coming here was because I couldn't diagnose if I had a software or hardware problem, I'm glad it was software.

Just giving you a quick update with this post, I'll try to complete the steps you outlined later tonight. I had already removed combofix. Right now my main concern is the svchost, beyond that I'm going smooth as far as I can tell.

Thanks Kim for your help, and thanks Bobbye for following up.

 

[Averice]

Hey again. I clicked on your link for SDFix and it took me to another thread. I went down to the 2nd post and clicked on it there, mozilla wouldn't let me download the file, it kept saying that the page didn't exist. IE did though. So I downloaded it, avira got all angsty, but then I ran into a problem.

I can't use F8 to get into safe mode. I previously used superantispyware's boot program to get me there, I guess I could download it again.

Just making sure I'm supposed to use the SDFix from the andymanchesta website, and if there's a different way to access safe mode.

 

[Bobbye]

Well thing got a bit muddle here in the change of shift. Did you ever run the Eset Online Scanner? IF not, please do that. I'd like to finish up with malware issues and then refer you to one of the other forums more appropriate for the system issue. Please do the following and leave the logs in next reply:

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Rescan with Hijackthis- leave new log.

 

[Averice]

Hey,

never ran it before, did just now though.

I unchecked the Remove found threats option, but there wasn't a Scan unwanted applications option. I did check the box to scan archives though.

Eset: eset log.txt

Hijackthis: hijackthis.log

 

[Bobbye]

Almost there!

Please reopen HijackThis to 'do system scan only.' Check each of the following entries if present:

(If you have set IE to open with a blank page, leave the first entry. If you have not, check for HJT removal.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

Close all Windows except HJT and click on "Fix Checked."

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Please disable and stop these Services:
To do that: Start> Run> type in services.msc> double click on each service> change the Startup type for each to Disabled> Stop the Service> Close:
nProtect (may show as npggsvc)
Viewpoint Manager

Close Services.

Now its time to delete the service. Follow these steps.

1) Start> Run>type in CMD> enter>
2) Type the following command, substituting the name of the service found above for the term servicename, and press Enter.

sc delete servicename

for example: sc delete Viewpoint Manager

3) If the deletion was successful, you'll see the following response:

[SC] DeleteService SUCCESS

4) Type Exit to close the command prompt

Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

You should now switch over to the Windows OS forum for the system problems.
Please let me know if I can be of help in the future.

 

[Averice]

Hey, I tried to do what you listed but ran into a problem.

I ran hijackthis and removed the two programs. I then rebooted into safe mode.

I ran services.msc and found both of them. Nguard was listed as "manual" and viewpoint was listed as "disabled" already. But I went and turned nguard to disabled.

I then ran cmd prompt and attempted to delete them, but I got a error: OpenService FAILED 1060: The specified service does not exist as an installed service. I got the same error for both of them.

 

[Bobbye]

The name of the Service is nProtect (may show as npggsvc) not nGuard. Please go back and put nGuard on Manual. It might need to get bumped up to Automatic, but Manual will do for now.

Reboot the computer.

Please run Notepad and copy the following text into a new file:

sc config npggsvc start= disabled
sc stop npggsvc
sc delete npggsvc

• Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
• Locate remove.bat on the Desktop and double-click on it to run it.
• A DOS box will open and close, that is normal.
• If any errors errors encountered please post.
• When done you can delete the remove.bat file.

Don't worry about Viewpoint for now- let's get this done.

 

[fazamd]

Hello kimsland

Try updating to SP3: http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx
Actually make sure that you complete all automatic Windows updates

Note: This forum is for users who suspect they have Malware installed
We ask all users to follow this guide first if they do:
UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

I know that this has been discused before so many times but i just need to know if the latitude d630 service tag ending 595b could be unlock the cmos with the paper clip procedure, or it is necesarly to do by generated password from dell or third party software. thanks in advance and sorry for insist.