System crashes repeatedly.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Azagnoth

Thread Starter
Joined
Feb 2, 2005
Messages
45
I need help with a windows xp problem. Everytime I restart the computer it crashes at least 4 times, thats normal.. but a little while ago it totally crashed, restarted, and then kept crashing over and over again.. nonstop. It's getting very agitating. Any help would be appreciated.
 
Joined
Sep 12, 2003
Messages
20,583
Azagnoth said:
I need help with a windows xp problem. Everytime I restart the computer it crashes at least 4 times, thats normal.. but a little while ago it totally crashed, restarted, and then kept crashing over and over again.. nonstop. It's getting very agitating. Any help would be appreciated.
Hi Azagnoth,

Assuming you are running WinXP:

Start->Control Panel->System->System Properties->Advanced->Startup and Recovery Settings -> Uncheck Automatically restart under System failure

This should allow you to capture any system failure messages on screen.

Record all of the information and report it back here.

-- Tom
 

Azagnoth

Thread Starter
Joined
Feb 2, 2005
Messages
45
Nothing came up.. I followed the instructions and restarted my computer.. and it crashed a few times and quit when one of my virus utilites came up.. but its done that before.
 
Joined
Dec 27, 2001
Messages
108
Does it work in Safe Mode?

The quick fix is to copy all your important data, formatt and reinstall the system. Sounds like either a virus or busted system file some place.
 
Joined
Sep 12, 2003
Messages
20,583
Azagnoth said:
Nothing came up.. I followed the instructions and restarted my computer.. and it crashed a few times and quit when one of my virus utilites came up.. but its done that before.
When you are presented with the option of getting into Safe Mode, have you tried the other option - Last know good configuration? Try this first - if it works, great, if not - answer the questions below and slim down your startup.

If you can get into Safe Mode, Start->Run->msconfig.exe
Click on the Startup tab, and uncheck everything
Upon next bootup, your startup programs will not be loaded.

What happens then?

What anti-virus software do you run? Have a firewall, e.g. ZoneAlarm Free?
What anti-spyware do you run? How old is your system? Is WinXP new? How long have you had this problem, i.e. has it just started? Which version of WinXP are you using?

-- Tom
 

Azagnoth

Thread Starter
Joined
Feb 2, 2005
Messages
45
I can get into regular windows.. and actually do stuff. I think I might have found what is wrong.. heres what it says on Virlt Explorer one of my virus/spyware programs. Its in the registry.

{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
Infect of Trojan.Win32.Pursuit.A

and everytime it says that it cleans it.. so its coming back everytime I restart my computer somehow. Also none of my other registry progs detect it.
 
Joined
Sep 12, 2003
Messages
20,583
Azagnoth said:
I can get into regular windows.. and actually do stuff. I think I might have found what is wrong.. heres what it says on Virlt Explorer one of my virus/spyware programs. Its in the registry.

{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
Infect of Trojan.Win32.Pursuit.A

and everytime it says that it cleans it.. so its coming back everytime I restart my computer somehow. Also none of my other registry progs detect it.
Azagnoth,
This is really an issue for the Security forum. Suggest you click on the red-bordered triangle at the top right-hand part of the thread message just to the right of the Post #. Ask the Moderator(s) to move your thread over to the Security forum where the experts in HiJackThis will be able to advise you all the better on this issue. Looks like a fairly recent trojan.

-- Tom
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
go to here and download 'Hijack This!' double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
Click on the entry in start menu or on the desktop to run HijackThis
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

Azagnoth

Thread Starter
Joined
Feb 2, 2005
Messages
45
Yeah, I probably should have posted my log earlier. I already had that. Here it is..

Logfile of HijackThis v1.97.7
Scan saved at 10:19:50 AM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\2\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Documents and Settings\Daemon\Desktop\Brain\Applications\Active Applications\[App] HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://home.bellsouth.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
O9 - Extra button: Spyware Doctor (HKLM)
O9 - Extra 'Tools' menuitem: GoGoData AdBuster (HKLM)
O9 - Extra button: Microsoft AntiSpyware helper (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper (HKCU)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121658942625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08573B6F-B564-4BF4-8C6A-E9A9D9BE446C}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{65929D38-C8D0-4B34-8958-7E2085EA14B6}: NameServer = 205.152.37.254 205.152.144.235
O17 - HKLM\System\CS1\Services\Tcpip\..\{08573B6F-B564-4BF4-8C6A-E9A9D9BE446C}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{08573B6F-B564-4BF4-8C6A-E9A9D9BE446C}: NameServer = 192.168.0.1
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
that version odf HJT is way out of date we need 1.99.1

go to here and download 'Hijack This!' double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
Click on the entry in start menu or on the desktop to run HijackThis
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

Azagnoth

Thread Starter
Joined
Feb 2, 2005
Messages
45
Logfile of HijackThis v1.99.1
Scan saved at 10:44:25 AM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\2\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {1EA01408-0690-4B55-8CC5-91CFF9E86C27} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1EA01408-0690-4B55-8CC5-91CFF9E86C27} - (no file) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121658942625
O17 - HKLM\System\CCS\Services\Tcpip\..\{08573B6F-B564-4BF4-8C6A-E9A9D9BE446C}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{65929D38-C8D0-4B34-8958-7E2085EA14B6}: NameServer = 205.152.37.254 205.152.144.235
O17 - HKLM\System\CS1\Services\Tcpip\..\{08573B6F-B564-4BF4-8C6A-E9A9D9BE446C}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{08573B6F-B564-4BF4-8C6A-E9A9D9BE446C}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q378739437_disk.dll
O20 - Winlogon Notify: WB - C:\2\fastload.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop
right click the file and select install, that will reset the zone settings that have been altered

Download AdAware SE 1.06 from http://www.lavasoft.com and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe

O9 - Extra button: Microsoft AntiSpyware helper - {1EA01408-0690-4B55-8CC5-91CFF9E86C27} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1EA01408-0690-4B55-8CC5-91CFF9E86C27} - (no file) (HKCU)

O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)

O20 - Winlogon Notify: style2 - C:\WINDOWS\q378739437_disk.dll

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select delete on reboot press the red X button, say yes to the prompt and NO to reboot now then repeat for each file in turn


C:\WINDOWS\q378739437_disk.dll
C:\WINDOWS\system32\sndcfg16.exe

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then Reboot

once you have rebooted

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R51 21.06.2005 or a higher number/later date

Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Click on "Proceed"

Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click on "Scan Now"

Run the scanner using the Full Scan (Perform full system scan) mode.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.


Reboot &

Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds

First press file and check for updates and then run it

Recent tests suggest that a combination of Adaware & M$AS removes approx 80% of spywares/Adwares, much higher than any other combination

Run an online antivirus check from at least one and preferably 2 of the following sites

http://www.kaspersky.com/beta?product=161744315 ( with this one as it's abeta product, they ask for a name & email, just put any email in and any name and company it isn't checked on and they have just used the standard beta page as a doorway to it )
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/onlineviruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

reboot again and let us know how it is

post a fresh HJT log
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
The other big thing is:
I don't see any running antivirus, that is a bit like standing in downtown Baghdad stark naked with a bulls eye on your chest waving an American Flag. Definitely not recommended

Download and install & run an antivirus immediately

lists here
http://www.wilders.org/anti_viruses.htm

one free one that many users of this forum use successfully is
AVG from http://free.grisoft.com/freeweb.php/doc/1/
 

Azagnoth

Thread Starter
Joined
Feb 2, 2005
Messages
45
Problem solved.. thank you all for giving the subject great attention and detail.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top