TechSpot

PC reboots on its own.

By ceazer
Jan 2, 2007
  1. I have a P4 3.2. Lately it has been rebooting on its own. When it restarts I get a window that says it can't find drvkej.dll; I can't find anything about this DLL. Then another window pops up and says that Windows recovered from a serious error. When I tell it to send the report, it tells me that my video driver caused the reboot. I have updated the driver. That did not work, so right now I have installed the driver but still have reboot problems, and it still says video driver problem. And when I close the window out it pops up again. I can't get rid of it. I have run AVG, and have ZoneAlarm, Ad-Aware, Spybot, Prevx1, Windows Defender, and maybe 1 or 2 other things. Oh, and HJT. And I still have rebooting problems, sometimes every 5 min, other times a day or so. So far nothing has worked. I would be grateful for some help.

    Thank you.
     
  2. MrNemo

    MrNemo TS Rookie Posts: 48

    Random thoughts that you may have already tried, just to get them out of the way- I'd ignore all of the pop-ups and what not and get back to the basics for a minute. When I hear "random restarts," I start thinking thermal overload, voltage issues, or hardware conflicts.

    1. Check out your BIOS and see how hot your CPU is running, and make sure it is running at a normal operating temperature. Monitor it in the BIOS from start-up and see if it escalates without leveling off at a normal temp.
    2. Check the fan speeds in the BIOS to make sure they are running at a normal speed.
    3. Get a PSU tester and test your power supply.
    4. If you have integrated video, take out your VGA card and run the machine for a while without it to see if you get the errors. If you don't have problems, put the VGA card in, uninstall it from the Device Manager, restart and let Windows find it, or cancel that and install the (latest) drivers from the executable if that is how it's done.
    5. If it has been doing this since you've gotten it, make sure plug-n-play settings in the BIOS are correct, as well as the "automatic" IRQ settings.
    6. Search Google for any other comments that relate to your card and your motherboard, to see if there are any issues.
    7. If all fails, pop the card in a different machine, if that is an option, and see if it has the same problem there, and then replace it under warranty or use it as a wall ornament if the problem arises.
    8. Hell, I'd also throw a scandisk of your O/S drive in the mix, too.

    I don't think your .dll dialogue box has anything to do with the restarts. As far as the .dll, post your HJT log somewhere and make sure the autostart that is attempting to load that DLL is gone (and not coming back).

    Just one guy's opinion.


    Shane Barber
    Jacksonville, FL
     
  3. Goalie

    Goalie TS Booster Posts: 616

    I'd like to see the HJT log as well. The DLL error is certainly suspect- when did this start? Have you looked in system restore to see if there are any restore points about the time this started, and if so if there's a comment there which would point to the culprit?

    I'd also suggest getting a little more "forceful" with your video driver reinstall. Try removing the card completely from your device manager, let Windows reboot and redetect the card. Sometimes this can cause files to be reregistered that aren't in a simple "upgrade" install.

    I assume you're using Windows XP? Is it pro or home?

    Let's disable that annoying auto reboot so we can get meaningful errors from the restarts/blue screens: Right click on My Computer, choose Properties. Click the Advanced tab. In the Advanced tab, under "Startup and Recovery" click the Settings button. Under "System Failure" uncheck "Automatically restart". Click OK, then Apply if you can, then OK again. Even if Windows doesn't prompt you to, go ahead and restart. Then, next time you get a blue screen, write down the relevant error messages (like "Stop 0XC0000005" and such numbers. The more exact the copied information, the better.) This information will also help to point towards a cause; the only thing is now you'll have to restart it when it crashes instead of it restarting on its own...
     
  4. ceazer

    ceazer TS Rookie Topic Starter

    First, thank you to both of you.
    Second, I built my PC myself a few years back. I don't have a P4 3.2. My bad, it's a P4 2.4. I have no integrated video. I have an MSI motherboard. I have installed the video card and every time my PC reboots it finds it because I have not reinstalled it at this time. Temp seems to be good. Can't find max temp for CPU get. From what I understand, P4s slow themselves down when they start to get too hot. This problem started a week or 2 ago after I opened a file I downloaded. First I noticed that something was trying to email out like a hundred times but Norton would not let it go out. After I stopped that, Norton was and is dead. I can't install it again. Windows will not let me. So I took my HDD out, made it a slave and ran it in another PC with Norton and found a few things that the others didn't find. I do have another video card. Both are GeForce cards. I do have an HJT log. I have renamed the exe. I am new to this site but I know the rules don't like HJT logs hosted, so where would I post it? I have yet to get a blue screen. My PC will just go blank and reboot like it was a fresh boot. But when I send the report to MS, on the right hand side it does say stop 0x000000ea thread_stuck_in_device_driver (q293078). I have set the Hardware Acceleration slider to None, at one time at least, with no results. And I don't have PCAnywhere. I can't think of anything else at this time.

    Once again, thank you for your time.
     
  5. ceazer

    ceazer TS Rookie Topic Starter

    OK, I got my first blue screen today and this is what it said.
    stop:0x0000008e(0xc0000005,0xf7f6e3d7,0xf70bfa20,0x00000000)

    system32:lzx32.sys-address f7f6e3d7 base at f77f6c000
     
  6. Goalie

    Goalie TS Booster Posts: 616

    lzx32.sys is a known spyware file. You really need to get ahold of an updated virus scanner and Spybot Search and Destroy (to start with) to start looking at this.

    Mods: Please move this thread over to the security forum so we can start looking at HJT logs and such in the proper place.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with the Rustock rootkit lzx32.sys.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go HERE and follow the instructions for removing the Rustock rootkit.

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of ceazer only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. ceazer

    ceazer TS Rookie Topic Starter

    Thanks for getting back to me. I do have SS&D and I have AVG along with Ewido. I guess they are one and the same? Plus some other stuff. I update and run them all the time, so I am updated on all of them. I have run the online scanner once before and will do so again along with the other tools. I will then post an HJT and AVG post. I do use the Internet to pay one card. Everything else is nothing but forums.
     
  9. ceazer

    ceazer TS Rookie Topic Starter

    OK, I have run all those programs, removed a lot of stuff, and on a reboot deleting lzx32.sys was successful. Here is my latest HJT.
     
  10. Goalie

    Goalie TS Booster Posts: 616

    Using HiJackThis, please remove the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {B8F4E0C1-7075-0FD1-21F1-0445747A24C7} - (no file)
    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)
    O2 - BHO: (no name) - {865B749D-6E1A-4AE3-AF2F-17A56BDE3059} - (no file)
    O2 - BHO: (no name) - {8D6B193B-162B-41FE-BC29-7FEC99A7A818} - (no file)
    O2 - BHO: (no name) - {B8F4E0C1-7075-0FD1-21F1-0445747A24C7} - (no file)

    Then, Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find COM+ Messages
    Right click and choose "Properties". On the "General" tab under "Service
    Status" click the "Stop" button to stop the service. Beside "Startup Type"
    in the dropdown menu select "Disabled". Click Apply then OK. Exit the
    Services utility.

    Restart your machine, and you should be a good way further towards running better than you have. Run for a while after this, and let us know if you're still having any issues.
     
  11. ceazer

    ceazer TS Rookie Topic Starter

    Will do. I ran all of this last night and I have not had any problems so far, but I will give it a few days and see.
    Also, I forgot the AVG log so here it is. Thanks guys.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is still infected with some real nasties.

    We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    COM+ Messages
    Microsoft authenticate service (MsaSvc)<Disable the service name or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    msasvc.exe
    svchosts.exe<Not to be confused with svchost.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: (no name) - {B8F4E0C1-7075-0FD1-21F1-0445747A24C7} - (no file)

    O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)

    O2 - BHO: (no name) - {865B749D-6E1A-4AE3-AF2F-17A56BDE3059} - (no file)

    O2 - BHO: (no name) - {8D6B193B-162B-41FE-BC29-7FEC99A7A818} - (no file)

    O2 - BHO: (no name) - {B8F4E0C1-7075-0FD1-21F1-0445747A24C7} - (no file)

    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system32\msasvc.exe
    C:\WINDOWS\system32\svchosts.exe<Not to be confused with svchost.exe.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  13. ceazer

    ceazer TS Rookie Topic Starter

    Did everything you said to do. Did not find C:\WINDOWS\system32\msasvc.exe
    C:\WINDOWS\system32\svchosts.exe
    svchosts.exe was not in Task Manager.
    And here is the new HJT log.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    For some reason the Microsoft authenticate service (MsaSvc) is still running. This is nasty and needs to be got rid of.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft authenticate service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    msasvc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system32\msasvc.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  15. ceazer

    ceazer TS Rookie Topic Starter

    I have done everything and still can't get rid of (MsaSvc). There is no process running with that name and I can't find any file, hidden or not, with that name.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Post a fresh HJT log.

    Regards Howard :)

     
  17. ceazer

    ceazer TS Rookie Topic Starter

    Sorry, thought I did. Here's a new one I just did.
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I don't know why that file keeps reappearing.

    Run HJT and click on the config button, followed by the misc tools button. Click the Delete an NT service button. Type in the following. Microsoft authenticate service and click ok. Follow the onscreen prompts.

    Once your computer has restarted, post a fresh HJT log.

    Regards Howard :)

     
  19. Goalie

    Goalie TS Booster Posts: 616

    Howard, you've been doing more of this than I recently, but two thoughts for you- 1. Registry permissions might be holding that service in place (regedt32), and 2. Is it possible that we have a bad DLL or HTM tied to those extra menus/context buttons? Just things to look at if normal steps continue to fail.
     
  20. ceazer

    ceazer TS Rookie Topic Starter

    I did what you said and HJT said that
    "Microsoft authenticate service was not found in the registry." So I clicked OK and nothing happened, so I rebooted it myself and it's still coming up.
    I just want to thank you guys for the help again. My PC has stopped rebooting itself.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Now go to this location and tell me if you can find this file.

    C:\WINDOWS\system32\msasvc.exe

    If the file isn't there, do the following. Temporarily uninstall AVG Antispyware and Prevx1. The reason I want you to do this is because if the file isn't there, I think one of the above programmes is preventing the entry in HJT from being fixed.

    Have HJT fix this entry, then reboot your system.

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

    Let me know the outcome please.

    Regards Howard :)

     
  22. ceazer

    ceazer TS Rookie Topic Starter

    Went to my system32 file, can't find it. I ran 2 searches for it: in the first I searched just for the file name, and the second one was anywhere in a file. The only places I can find it are in txt files and when I run services.msc.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    This is weird, I've got rid of that file loads of times on various members' computers and have never had a problem until now. Disable the service and let me know what happens. Do this from normal mode.

    Regards Howard :)

    Edit: Uninstall Windows defender as well.
     
  24. ceazer

    ceazer TS Rookie Topic Starter

    OK, disabled it and it does not come up in HJT. Set it to automatic and it reappears. Here's the HJT log with it disabled.
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thank god for that. I was beginning to think we'd never get rid of the bugger lol. Your HJT log is now clean.

    You can now reinstall your antispyware programmes if you like. However, I don't recommend you have AVG Antispyware/Prevx1 and Windows defender all running at the same time. Apart from the fact it's not necessary, it'll slow your system down and might even cause conflicts.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
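
The O23 service entries that the helpers in this thread singled out share three traits: an "Unknown owner", a "(file missing)" image, and in one case a file name one letter away from a real Windows binary (svchosts.exe versus svchost.exe). The sketch below is an added example, not part of the thread or of HijackThis itself, that applies those three checks to HJT log text; the line pattern is inferred from the entries quoted above, and the list of system binaries and the "Example Updater" line are assumptions made for the illustration.

```python
import re

# Constructed sample: the O2 line and the first two O23 lines are quoted from
# the thread; the "Example Updater" line is made up to show a clean entry.
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\exupd.exe
'''

# Assumed short list of Windows process names that malware tends to imitate.
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "explorer.exe", "spoolsv.exe")

# Line shape inferred from the entries in the thread: name - owner - command.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<cmd>.+?)(?P<missing> \(file missing\))?$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe):
    """Return the system binary that exe nearly, but not exactly, matches."""
    for known in SYSTEM_BINARIES:
        if exe != known and edit_distance(exe, known) <= 2:
            return known
    return None


def triage(log_text):
    """Return (service, exe, reasons) for each O23 entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # not a service entry
        exe_m = EXE_RE.search(m["cmd"])
        exe = exe_m.group(1).lower() if exe_m else ""
        reasons = []
        if m["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if m["missing"]:
            reasons.append("image file missing")
        twin = lookalike_of(exe)
        if twin:
            reasons.append("name imitates " + twin)
        if reasons:
            findings.append((m["name"], exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {exe} -> {', '.join(reasons)}")
```

A flagged entry is a prompt to inspect the service, not proof of infection: legitimate third-party services can also show an unknown owner.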
