BLUE SCREEN of death and then restart after XP splash screen

[ManDeJapan]

hello fellow anandtechers,

I am having a serious issue with my computer. First let my show my configuration:

cpu:AMD Athlon 1400MHz w/AYHJA stepping
mobo:Epox 8k7a
512mb ddr memory
Geforce FX 5200 128MB DDR video card
Antec SX1040B Case w/pp412x PS (400watt)
HD1(master): Western Digital 160GB 7200rpm, 8mb cache
HD2(slave): Western Digital 40GB 7200rpm
Secondary(master): Yamaha CRW2100EZ 16x10x40 CD-R
Secondary(slave): Pioneer 106s Slot Load 16x DVD
Windows XP Pro operating system (with service pack 2 I think)

A few months ago I was having some major problems with my computer and when I got a new video card all of my problems went away. I had tried many other things before that, but finally I figured it was the video card because while booting up my monitor would show some weird things...sometimes windows would hang up, etc, etc. Anyway, for a month or more maybe I didn't have any problems. Then I think what happened first, is that one day my computer just randomly shut down when I was in the middle of sending an email or something. It restarted and booted up and had no problems. Then another time when I came home and wanted to start up my computer, I hit the start button, and after the windows splash screen, I would get a quick glimpse of the blue screen of death and the computer would restart on its own.

It would do this several times, like it's trying to warm up or something, and at first it would work after the 2nd try...then later it got worse and worse, where it would take 3 or 4 or 5 times to do this crazy restarting (charging up) and then for it to work. And then usually once it was on, I didn't have any problems.

Just today though, it was in a continual cycle of restarting, and it won't go past the windows splash screen. Right after the windows splash screen it has a blue screen of death and then restarts, and it keeps on doing this.

Before one message that I used to get on the start up screen is "Secondary IDE Channel. No 80 conductor cable installed". So, I changed the 40 conductor cable for my cd-r and dvd drive to a 80 conductor cable. Now I don't get that message, but the computer still won't start.

I have had this computer for about 4 years now and have upgraded parts occasionally. I have no idea what the problem is. Do you think it could be the power supply? Or the CMOS battery? I can go to walmart and by a new battery tomorrow, but I wonder if that has anything to do with the problem.

If any of you have any advice, tips, or help, I would greatly appreciate it, because this has wasted a lot of my time already. Thanks in advance.

Mike D.

 

[daniel49]

try going into safe mode if you can get there and look for problems..may not let you get there but hit f8 when your trying to boot till you get to the menu.

 

[ManDeJapan]

I daniel49. Thanks for the advice. I tried safe mode earlier and just tried it again. My computer won't go into safe mode...instead it just reboots again when trying to go into safe mode. I also tried taking unplugging the slave drive, and the cd-r drive, and the dvd drive, and the network card...just to see if I could put with any of those unplugged and that didn't work either.

Have any other suggestions?

(by the way I like your signature quote

 

[GoatHerderEd]

I would say re-install

 

[mariosoft034]

I had a problem like yours a year ago after a system update. In my case the problem was the primary hard disk, a 3,2 Gb Samsung. I tried with another HD and it booted fine.

I cannot say that this is your problem exactly, but it may be a clue, even more considering that your problem became worse and worse, just like some kind of mechanical degradation in your HD.

I don't think the problem is the CMOS battery, in that case the bios would load defaults and the machine should boot. Try to clear the CMOS anyway.

You may also want to check the ram. If you have 2 modules, try to use one at a time to see if the other one is faulty. Also check the dram timings in the bios to see if they are OK.

Your last resort is to assemble your PC from scratch and try to use as less components as you can until you see what the problem is. Try to find some spare parts from a friend to test with (a memory module, a bootable hard disk and a power supply are the most important ones).

Do what you can and let us know of any improvements or if you are still stuck.

 

[Slikkster]

Ok, here's what I would suggest:

Leave the case cover off (to enhance cooling) and try booting.

No good?

Boot with the XP CD. It will give you an option to go into Repair (which is NOT a repair install, but rather the Recovery Console. Start the Recovery Console. You will probably need to input an administrator password when prompted.

When Recovery Console is finally started, you'll be at a command prompt.

Type (without the quotation marks) "chkdsk c: /p"

It will run a check on your hard drive. This assumes your Windows install is on Drive C:.
When it finishes, do a chkdsk on every other hard drive.

Now, when it's done with all chkdsk's, type this:
(no quotes, of course)

"copy c:\boot.ini c:\pagefile.sys"

It will tell you that it copied the file successfully.

Then, type:

"del c:\pagefile.sys" (again, I'm assuming your pagefile.sys pagefile is normally on your C: drive. If not, do the steps above but change the parameters to match your setup.
Boot.ini will almost always be on your C: drive. But you might have setup your pagefile on a different drive. If so, you need to adjust. Let's say your pagefile is on your D: drive. You would do "copy c:\boot.ini d:\pagefile.sys" followed by "del d:\pagefile.sys". Get it?

It will tell you it deleted pagefile.sys

The reason you copy boot.ini to pagefile.sys is that your regular pagefile.sys cannot be seen/manipulated via recovery console. If you copy boot.ini to pagefile.sys then delete pagefile.sys, XP will create a new pagfile.sys pagefile when you reboot.

Now that you've done the chkdsk's and deleting of pagefile.sys, type:

"exit"

XP will reboot. While it's rebooting, remove the XP cd from the CD Drive.

See if it reboots ok.

Report back and I'll give you more things to try if need be.

 

[ManDeJapan]

Thanks for all of your help guys. I am working on this now. I haven't had the chance to look at this problem during the week, but I am going through Slikkster's directions right now. So far after I did what Slikkster said (the chkdsk, delete pagefile.sys), this is what happened:

1st boot: windows splash screen, then stalled at a black screen

2nd boot: worked fine so I went to restart to see if it would work fine again

3rd boot: it booted up fine again but after I was in windows I decided to plug my ethernet cable in so I can access the net. When I did that, a Symantec Firewall Alert came up saying

"Attempt to connect to local computer using the Bla Trojan Horse detected"

"A cpu with the IP Address 192.168.0.2 attempted to connect to your computer using Default Block Bla Trojan Horse."

So I did the live update for symantec antivirus and right now I am running a scan on the hard drives.

I found this info on the bla trojan horse:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.bla.trojan.html

It might be that this trojan is/was the culprit of all of my problems. I hope this will fix it for good, but I will report back with more details.

Thanks again for all of the help everyone.

 

[ManDeJapan]

So far the virus scanner found the two files below:

Download.Trojan
MHTMLRedir.Exploit

And I deleted them. I still need to scan the other hard drive. I hope this fixed the problem. I also decided to start using firefox again since internet explorer seems to be the target of a lot of viruses/trojans.

I will keep you guys updated. Thanks a lot for all of the help.

 

[ManDeJapan]

That's very odd. So if I let my computer run I have no problems. If I shut it off at night and then try to restart it in the morning it has the same problem. It resets itself when trying to restart (even before the windows splash screen comes up), and the 2nd time it's trying to start up it goes to the splash screen and then right after that a blue screen of death comes up and it restarts itself and then it keeps doing that. Then if I do Slikkster suggests with the boot.ini, and chkdsk, etc, and the restart it works.

I guess I will go buy a new CMOS battery, and then if that doesn't fix the problem, take the whole computer apart and install the parts one by one to see if it is a hardware issue.

Do you guys have any other suggestions or is this what I should do?

Thanks,
Mike D.

 

[Slikkster]

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.bla.trojan.html

Pay attention to the bottom of the article about Removal, and also the Editing the Registry paragraphs.

 

[mariosoft034]

I think you are doing right. Your problem is VERY ODD, the only extra thing i can sugest is a clean installation of WinXP (try it in your second hard disk). If it works the problem was merely of software, then backup your files and format then reinstall WinXP in your primary HD. If it keeps doing the same, reinstall ALL hardware.

Keep us updated

 

[Creston]

I'm seeing the "windows dies after splash screen" issue quite a lot at work, and it's usually a corrupt windows install. If you've had this machine for four years, and never once reinstalled, there's probably four years worth of junk in your Registry (No offense to you btw, most of that stuff is left there by apps).

I Re-Ghost about every month, and will reinstall every six months, just to keep these kinds of issues at bay.

Alternatively, it could be bad sectors on your drive. Did you run the chkdsk like mentioned before in a post?

Creston

 

[Slikkster]

MandeJapan, sounds like you didn't do ALL of the steps in the Symantec page. You need to either edit the registry or use a program that can access the registry in the startup areas. In other words, you're apparently not doing a complete job in removing this thing.

Here's what the Symantec page says. Note that it corresponds to all the problems the OP is having:

------------------------Start of Symantec Blurb-------------------------------------------------

When Backdoor.Bla is executed, it does the following:

It creates a new file in the \Windows\System folder. This file runs in the background until you attempt to shut down or restart the computer.
When you command Windows to restart or shut down, the dropped file adds a value (which may vary from the examples that follow) such as

System

or

IO System Debug

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This causes the file to run when Windows starts.

NOTE: In most cases, you will be unable to restart Windows due to the large number of illegal operations performed by the Trojan. The infected computer usually displays the blue warning screens generated by Microsoft Windows.

-------------------------End of Symantec Blurb------------------------------------------------

See the bold above? That's exactly what he's experiencing. So, for that reason, it appears to me that he hasn't gotten the job done in removing this trojan. It seems to be still running from startup. Suggestion:

Get HijackThis and copy/paste the results. That will show whether you still have this thing on your system (this trojan).

HijackThis: http://www.merijn.org/files/hijackthis.zip

Run the program (click the "Scan and create LogFile" button). When it's done, it will open up Notepad with the results of its scan. Copy and paste the results here.

 

[ManDeJapan]

I have hijackthis. I just ran it. This is what I got:

Logfile of HijackThis v1.97.7
Scan saved at 10:56:05 PM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.4\J2GTray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael David\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: eFax Live Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...7E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11c77350f4071dbc4723/netzip/RdxIE601.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

See anything that looks suspicious or needs to be deleted? I'm not sure which ones to delete.

Thanks,
Mike D.

 

[ManDeJapan]

Actually. I just ran it again with newest version of HijackThis. The one I ran it with earlier was a little older version. The new version caught more items:

Logfile of HijackThis v1.99.1
Scan saved at 10:59:22 PM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.4\J2GTray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michael David\Desktop\hijackthis\HijackThis.exe
C:\Documents and Settings\Michael David\Desktop\hijackthis2\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: eFax Live Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11c77350f4071dbc4723/netzip/RdxIE601.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

 

[ManDeJapan]

Hmm...if fixing the registry doesn't fix the problem, I think I'm going to go for the clean install this weekend. That will take a while though.

 

[Slikkster]

Sorry for the delay in responding...

I don't see anything that jumps out at me in your Hijackthis log. Everything looks legit.
You sure do have a lot of Symantec stuff running...

Here's what I would do before a total reinstall:



When you have the pc up and running, do this:

Put your XP CD in the CDROM. Exit out of the XP install screen when it comes up.

Click Start

Click Run

Type in the box (without quotes) "sfc /scannow" (space between sfc and /scannow).

Click OK

The System File Checker will come up and will check all your system files to make sure they are the correct versions. This application does take into account any service packs and/or hotfixes, so don't worry about it copying older versions of system files. It knows where to find the service pack/hotfixes on your drive.

Once the SFC app is done, it will just disappear from your screen. It will not tell you what it replaced. Reboot afterwards. See if it helps.

 

[ManDeJapan]

Thanks Slikkster. I will do what you suggested. The thing that I find really weird is when I first do the chkdsk, etc, etc, and the computer boots up...it's fine. And when I do a restart, it restarts....and I can do that several times. But then when I turn my computer off for a while and try to start it up, it starts having problems again. Does this help in solving the mystery in anwyay?

What is the point of the CMOS battery? I haven't replaced that yet.

 

[CheapBastardo]

the CMOS battery retains ur BIOS information. If u remove the battery, ur BIOS will reset to its default and you gotta change the time and date.

 

[ManDeJapan]

Ok. I tried to do the sfc /scannow thing last night. For some reason it wouldn't run through all the way....I tried several times, but it didn't work, so I finally decided to do a clean install of windows xp pro.

1) I hooked up a slave hard drive, and copied all of my important files over.

2) I then did a windows xp pro install with NTFS formatting on the hard drive. By the way I have my main 160gb hard drive partitioned into two drives...one part is 30gb and I use it for all of my programs so this is the drive that I installed xp on again. The other partition I call DATA and I use that to store all of my files.

3) After XP was installed successfully, and I was on my desktop, I did a format hard drive from "my computer" on the DATA partition. I let that happen overnight because it was taking a while.

4) When I got up this morning it said that the "format was complete" so I started to install Norton Antivirus...in the middle of the AV installation, the blue screen of death came up and the computer shut down and tried to restart. On its restart, right before the windows splash screen an error message came up:

Windows could not start because the following file is missing or corrupt: <Windows root>\system32\hal.dll
Please re-install a copy of the above file.

5) So I booted from the XP cd, and went into the repair mode. I ran a chkdsk and that found one or more errors. I then exited the recovery/repair console and the computer then booted it up fine.

6) So I then installed the AV software with no problems, did all of the windows updates like installing the Service Pack 2, etc, etc. I had to restart of course several times when installing things, and had no problems restarting.

7) After I installed a few things and everything looked fine...I did a few restarts, and the computer started fine.

8) I then turned off my computer for about an hour, and came back to turn it on, and guess what? The same problem occurred again. After the windows splash screen the blue screen of death came up, and the computer restarted....then while it was trying to restart the 2nd time, it came to the windows splash screen and froze at it.

9) So I did the chkdsk, copy c\boot.ini, del pagefile.sys thing, and restarted my computer.

10) I decided to try and run the sfc /scannow thing again, and this time it ran through it completely. I then did a restart and it started fine again.

11) Now I am going to turn off my computer for maybe a half an hour or so and try to restart, and see what happens. I will report back today.

Does anyone thing it may be a problem with the harddrive? Or some other hardware? I'm not sure what to do. Usually a fresh install of windows can fix the problem, but in this case it didn't. If any of you have any suggestions or guidance I would greatly appreciate them.

Thanks,
Mike D.

 

[ManDeJapan]

Well...I just rebooted and got the blue screen of death again. It's very odd...if I restart the computer right away, it's fine. But if I wait for 30 minutes or so and try to restart, it starts having the problem again.

Anyone have any suggestions?

 

[Slikkster]

Take a close look at your motherboard. You want to inspect all of your capacitors on the board. The capacitors are the tall cylinder-looking things. The comptuer industry has had a number of issues with manufacturers of capacitors over the past few years.

You will be looking for physical signs of problems. The tops of all of these should be flat. Any sign of bulging indicates a bad capacitor. Look for any that have leakage (brown crusty stuff or white powdery stuff anywhere on the capacitor. Look closely at the bottom of these closest to where they meet with the motherboard for leakage.

Look for caps that aren't perfectly cylindrical; that are bulging anywhere.

If you want to see some screenshots of bad capacitors, go here:

http://www.badcaps.net/ident/

Click on any and all of the 4 pictures there to enlarge them so you can see better what to look for. Use a magnifying glass on your own motherboard to get a good look.

 

[ManDeJapan]

Hi Slikkster,

My capacitors do have these signs and symptoms that you described and that I saw in the pictures. Some of them have brown crusty stuff or white powdery stuff forming on the top of them, almost like rust, and I've noticed this before in the past, and I sort of just scratched it off with my fingers...a lot of them are bulging a little on the top as well.

Does this mean I basically need to get a new motherboard?

 

[Slikkster]

It means either of two things:

You need a new board.

Or

You need to replace all the capacitors on the board with new and better ones.

In my opinion, given the cost to have someone do this for you --the guy from badcaps.net will charge around $50-- I would not go that route. You can get a new Nforce2 board from Newegg.com for about $60 with more advanced features. Here's one similar to what I have (I have an Epox 8RDA3+ that runs very well):

http://www.newegg.com/app/ViewProductDesc.asp?description=13-123-234&depa=0

If, on the other hand, you want to go out and buy high quality replacement caps for your board and have someone install them cheap, you can do that, too. But like I said above, I wouldn't bother considering what you can get a new board for these days. You just want to make sure the new one is compatible with your old CPU (unless you want to upgrade that, too) to keep your costs down.

 

[ManDeJapan]

Yeah, I went ahead and ordered some stuff from tigerdirect last night.

Abit KV7-V Via MotherBoard with AMD Athlon XP 2900+ Processor and 512MB PC3200 DDR Memory (MCM-KV7V-2900A) 1 $199.99 $199.9

PNY 512MB PC3200 DDR 400MHz Memory (P56-3906) 1 $49.97 $49.97

Masscool Ultra Quiet / Socket A / AMD Athlon XP up to 3400+ / Ball Bearing/Blue LED / CPU Cooling Fan (S457-1051) 1 $12.99 $12.99

I'm supposed to get $100 back in rebates too and there was about $15 for shipping. So total, comes out to about $178 for the new MoBo, Processor, 1gb of DDR Memory, and the cpu fan. I checked compatibility with my video card, and power supply, etc, and all of this should work. I know that Tiger Direct is known sometime for not paying out their rebates but I personally have never had any problems with them, and they have a new rebate guarantee.

I hope that Abit MoBo is reliable/stable, and that I don't have any memory compatibility issues with one stick of 512mb Ultra memory and one of 512mb PNY memory.

Thanks for all of the help everybody. I really, really appreciate it.

Mike D.