
What's the best way to troubleshoot an XP system that freezes randomly?

Ultrus asked:
I deserve this as I didn't keep my AVG (free edition) anti-virus up-to-date recently, but would greatly appreciate your feedback on this:

My XP computer caught a 'trojan downloader' virus according to my AVG software. :( I found this out after burning the avg tools boot CD on my Mac and loading to the PC. I was able to update and run the software after boot, where it then located and removed the virus.

Now after I boot, my system freezes nearly instantly after 5-10 minutes of running. I don't see any CPU or used memory buildup before it freezes with the system monitor. It just gets hard to move windows all of a sudden, then I can't select them while still being able to move the mouse. Then the mouse stops, and I get a beep from the tower if I click the mouse the first time after that. After that, nothing, just a still screen with everything I had open.

Chaos started when I was doing a search for video game tutorials using Google Chrome. I clicked on what looked like a youtube play button, but nothing happened so I kept clicking it (am I an idiot or what?). Then this popup window showed up that looked like virus scanning software, pretending to do a system scan. It was very pretty and well designed. It was not a browser popup window, but was actually running on my computer, with an icon in the task bar. It wanted me to purchase the software to 'remove viruses'. At this point I knew it was a virus. I tried ctrl+alt+del and that window kept closing right away, so I shut off my computer immediately.

Not knowing too much about this, I restarted in safe mode, then used system recovery to go back a week (dumb newb panic move probably). I shut off the computer, and looked up an AVG solution to boot from, doing a scan and clean as described above. After restart I started having the freezing issue right away.

Now, how do I proceed? Is there another boot solution that you would recommend to attempt system fixes? I'm guessing my registry could be messed up somehow, but I'm not the expert in this area at all. Any thoughts?

Thanks much,

Chris

System Stuff:
Dell XPS (heavy as hell)
4GB RAM (I think)
Dual core processor of some sort and speed
100GB, and 300GB hard drives
Windows XP Professional (service pack 3)

Commented:
Three things.  First, you might want to try looking in your event log  (Start, Run, type 'eventvwr' and press enter.)  Check the System and Application event logs for errors around the times you've had your machine freeze, and post them here.

Second, if you're able to do so, install Hijackthis (http://test.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) and generate a log and post that here too.

Third, this sounds like an issue I had recently with a failing wireless card.  If you have a WiFi card, and the stuff above is fruitless, you might want to try removing the card and letting the machine run or doing light work on it for 20 minutes or so to see if you freeze with the card out.
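As an added example (not durgon's code and not part of the original thread), the same event-log check scripted in PowerShell 2.0 syntax, which runs on XP SP3: it pulls Error and Warning events from the System and Application logs in a window around the freeze and writes them to text files on the Desktop, ready to post. The freeze time and the 15-minute window are constructed placeholders.

```powershell
# Added example, not part of the original thread. PowerShell 2.0 syntax (XP SP3).
# Pull Error/Warning events from the System and Application logs in a window
# around the time the machine froze, and save them as text for posting.

$freezeTime = Get-Date '2010-01-15 21:30'   # constructed placeholder; use the time you saw the freeze
$window     = New-TimeSpan -Minutes 15      # assumed window; widen it if the logs are quiet
$outDir     = "$env:USERPROFILE\Desktop"

foreach ($log in 'System', 'Application') {
    $events = Get-EventLog -LogName $log -EntryType Error, Warning `
                           -After ($freezeTime - $window) -Before ($freezeTime + $window) |
              Sort-Object TimeGenerated

    Write-Host ("{0}: {1} error/warning events in window" -f $log, @($events).Count)

    # Source and EventID are what the responders need; Message explains the rest.
    $events |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message |
        Format-Table -AutoSize -Wrap |
        Out-File -FilePath (Join-Path $outDir "$log-around-freeze.txt") -Width 200
}
```

Run it from a normal PowerShell prompt; no elevation is needed to read these two logs. If the freeze happened more than once, run it once per time and compare which Sources repeat.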

Author

Commented:
durgon,
Thanks for the quick response. Attached are the more recent event logs during crash times. While having the internet disconnected, I'm not having any issues!... so far.

I'll continue to install HijackThis and will follow up.

Much appreciated,
recenEventLogs.txt

Author

Commented:
Here's the HijackThis file. I failed to mention in the last post that I don't have a WiFi card. However without an internet connection, it's still running without a hitch... glitch. I'll try some more usual stuff without the Internet for now and see what happens.
hijackthis.log

Author

Commented:
Ah, just had a crash. No internet still. Here's an updated set of files, better formatted on the windows event log.
application.txt
system.txt
hijackthis.log

Commented:
It sounds like your bug gradually eats all of your available memory and it freezes when it has run out.

Run HiJackThis or use regedit to check the HKCU and HKLM/Software/Microsoft/Windows/Currentversion/Run folders for anything that shouldn't be there and delete. Use whatever you find there to delete its associated file.

Go to C:\Windows\System32\ and sort by creation date. Look anywhere near the top to find and delete any suspicious files but BE CAREFUL not to touch the legit ones.

Also clear out your browser caches and temp folders.

***As some of these will infect running processes and put themselves back or block taskmgr, regedit, etc. you may have to use Safe Mode or something like BartPE.

Good Luck!!!

-J
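An added example (not J's code and not from the thread) that does the review J describes in read-only form, again in PowerShell 2.0 syntax so it runs on XP SP3: it dumps the Run and RunOnce keys under HKCU and HKLM, then lists the newest files in System32 with their version-info company name and Authenticode status, so a recent newcomer with no publisher stands out before anything is deleted. The "25 newest files" cutoff is an assumption.

```powershell
# Added example, not part of the original thread. PowerShell 2.0 syntax (XP SP3).
# Read-only triage: show autostart entries and the newest files in System32.
# Nothing here deletes anything; review the output before acting on it.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "== $key"
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider properties
        Write-Host ("  {0,-30} {1}" -f $p.Name, $p.Value)
    }
}

# Newest 25 files in System32 by creation time (assumed cutoff), with publisher and signature.
# Caveat: on XP most OS files are catalog-signed, so Get-AuthenticodeSignature reports them
# as NotSigned. Judge by the combination of creation date, CompanyName and SigStatus,
# not by SigStatus alone; a file with no CompanyName created on the infection date is the
# kind of entry worth checking against a known-good reference before anything is removed.
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path $sys32 |
    Where-Object { -not $_.PSIsContainer } |
    Sort-Object CreationTime -Descending |
    Select-Object -First 25 |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Object PSObject -Property @{
            Created   = $_.CreationTime
            Name      = $_.Name
            SizeKB    = [int]($_.Length / 1KB)
            Company   = $_.VersionInfo.CompanyName
            SigStatus = $sig.Status
        }
    } |
    Format-Table Created, Name, SizeKB, Company, SigStatus -AutoSize
```

Because the page describes malware that restores itself and blocks regedit and Task Manager, run this from Safe Mode or an offline boot environment as J suggests; listing from within the infected session is fine for a first look, but the output is only trustworthy when the infection is not running.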
Commented:
If still unresolved, and if you are quite convinced that the machine is infected, suggest you try running Combofix (from your question you may well be very familiar with this 'scanner').
Download ComboFix from here, and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.
Also it may be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine, then try this key combination to reach a Run box>
Windows Logo+R: Run dialog box

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log in a reply to us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 25 mins.
ComboFix should be run in normal mode.

Should you need it>   A guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Commented:
An alternative to ComboFix is Malwarebytes, & you can download & update it from here:
http://www.malwarebytes.org/mbam.php
When updated, reboot into Safe Mode by depressing F8 and run a scan.

Tutorial available, if you require >
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t169669.html

If you cannot run mbam, try downloading a new mbam and rename it *before* saving it to your desktop, then try again.   Or save to your 2nd PC, & try again.

If the situation has deteriorated & you're unable to re-boot, another option is to burn the ubcd4win (similar to BartPE, mentioned above):

"How to Burn with Nero Burning ROM":
http://www.ubcd4win.com/burn.htm

Commented:
To conclude ....once you have restored using the ubcd4win CD you can scan for the Trojan &/or any other infection.

Commented:
I have 2 options for you:
1- run the Kaspersky rescue cd to do a scan for malware: http://www.tinydl.com/software/45023-kaspersky-boot-rescue-disk-2010.html
2-connect your disk to a working, protected PC and scan from there, with the suggested tools above !

Author

Commented:
Team,
Thanks for the additional feedback. I won't be around today to troubleshoot, but will definitely resume this evening. More updates soon!

Best regards,

Commented:
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Program Files\Sentinel Web\Webser\WebServer.exe

O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe

O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe

These are server services.  Is your machine supposed to be running a webserver?  Because it is.
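As an added example (not the commenter's code and not from the thread), the service inventory that yields the same information as the O23 lines above, built from WMI in PowerShell 2.0 syntax so it runs on XP SP3. It lists every service with its start mode and binary and flags binaries that live outside the Windows directory, so each one can be reconciled against what the owner knows is installed; the path-parsing rule (quoted path, or text up to the first " -" or " /" argument) is an assumption about how service command lines are written.

```powershell
# Added example, not part of the original thread. PowerShell 2.0 syntax (XP SP3).
# List every service with its binary path and start mode, flagging binaries that
# live outside the Windows directory. A web developer expects Apache entries;
# anything else starting from an unusual path should have an explanation.

$systemRoot = $env:SystemRoot

Get-WmiObject -Class Win32_Service |
    ForEach-Object {
        $path = [string]$_.PathName
        # Strip quotes and arguments to isolate the executable itself (assumed rule).
        if ($path -match '^"([^"]+)"') { $exe = $matches[1] }
        else { $exe = ($path -split ' -| /')[0] }

        New-Object PSObject -Property @{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Exe       = $exe
            InWindows = ($exe -like "$systemRoot\*")
        }
    } |
    Sort-Object InWindows, Exe |
    Format-Table Name, State, StartMode, InWindows, Exe -AutoSize
```

Entries with InWindows = False are not automatically suspect (the Apache and WAMP services in this thread are legitimate and live under Program Files and c:\wamp); the value of the list is that the owner can say "yes, I installed that" for each row, and a row without such an answer is the one to investigate.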

Author

Commented:
Yep. I'm a web designer/developer. :)

Currently, my system won't last 5 minutes running Windows and won't boot in safe mode now, so I can't run most of the tools mentioned, nor do I have another pc to build ubcd4win with.
 
I went and grabbed an ubuntu live CD from the book store and am uploading important files to my on-line storage now (and typing this while I wait!). So data-wise, I should be OK to just wipe the computer if needed. Do you feel starting fresh would be the most time effective solution?
Commented:
My other suggestion was going to be to get a BartPE image and boot your computer using that, then try to run some fixes.  But without previous knowledge of BartPE it might take a while for you to learn to navigate it, also you'd have to have access to another machine to burn a copy and it takes some configuration.  Speaking in terms of time-effectiveness a wipe may be the best option.

You might want to look into BartPE in the future though, it's a self-contained OS on CD or DVD that you can customize and then use to repair a PC.

Author

Commented:
That works for me. Thanks for the feedback! :)