reward for anyone who can help me diagnose my computer's random crashes

SWScorch

Diamond Member
May 13, 2001
9,520
1
76
About a few months ago, my computer started hanging on me. This is how it always happens: I would leave my computer for a while, come back, and everything would have gone to hell. AIM would be signed off with the following error:

Unknown error. Try again Later.
Error category 4.
Error code 1

and would be unable to reconnect. AVG Resident shield would be turned off, as well as Email Scanner, Shell Extension DLL, and the Virus Vault would say it was full with 0 files for 0 bytes, with a size limit of 0 bytes.

No programs will load at all. Clicking icons does nothing, and the Programs folder in Start Menu is empty. When I try to open task manager I get the following error:

The application failed to initialize properly (0Xc0000017) Click OK to terminate the program.

If I try to open Motherboard Monitor, which has a system tray icon, it says "Out of system resources."

If I try to reboot, it tells me I don't have sufficient privileges to shut off the computer, and I have to reboot it hard.

Judging by these symptoms, I'm guessing some program is using up all the system resources. However, I'm at college right now and can't do a lot of troubleshooting. I just reformatted the computer over winter break, thinking that would fix this problem, but it didn't. I believe that the computer did not start doing this until after I installed XP sp2. Also, in the past, mixer.exe has consumed lots of system resources and would need to be shut down, as it would be taking 400MB of memory. I have a Turtle Beach Santa Cruz with the latest drivers.

I also thought it might be related to the fact that I set my monitor to shut down after 15 minutes around the same time this started happening, but changing it back had no effect. So, I'm left to wonder, is it SP2 doing this, or could it possibly be a hardware problem? It never does this when I'm actually using the computer; every time it crashes, it's after it's been idle for a few hours. Anyone have a similar problem?
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Are you letting your computer go into standby or hibernation mode? If so disable that and see if that fixes anything.
 

Reckoner

Lifer
Jun 11, 2004
10,851
1
81
How many processes are running, CPU Utilization, and Memory being used at the moment? How big is your page file? Also, how much total RAM do you have?
 

daveybrat

Elite Member
Super Moderator
Jan 31, 2000
5,804
1,015
126
It almost sounds like someone is hacking into your computer which is why it's telling you that you don't have sufficient privileges to turn off your own pc. I suggest unplugging the ethernet cable from your computer and then leave the computer run for a couple hours and see if the same thing happens.

 

SWScorch

Hmmm, I'd rather just think sp2 is being stupid on me :) But I am on the college network so I guess anything is possible. Maybe I should download ZoneAlarm again.
 

Ahughs007

Junior Member
Feb 25, 2005
7
0
0
It does sound like a serious issue...

I would run a check for trojans with Avast Antivirus, I believe it has an option to scan your computer BEFORE you go into windows... doing this bypasses any viruses that would require a 32bit mode, and prevent them from replicating.

Also, after this happens, you should write down the time that it happened, and reboot. Then go into your Control Panel > Administrative Tools > Event Viewer... then go to Security Logs, Application Logs, and System Logs, and look for any errors\violations\Unauthorized Logons that happened on or around the time it locks up.
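
The log review suggested in the post above, as an added example that is not part of the original thread: a Windows PowerShell script that pulls errors, warnings, failed audits and logon events from the Security, Application and System logs in a window around the noted time. The sample time, the 30-minute window and the variable names are assumptions.

```powershell
# Added example, not from the thread. Save as a .ps1 file and run it from an
# administrator prompt (reading the Security log needs elevation).
param(
    [datetime]$HangTime = '2005-03-01 03:10',  # constructed sample; use the time you wrote down
    [int]$WindowMinutes = 30                   # assumed search window on either side
)

$after  = $HangTime.AddMinutes(-$WindowMinutes)
$before = $HangTime.AddMinutes($WindowMinutes)

# Entry types worth reading first, plus logon event IDs
# (528/529/540 on XP and Server 2003, 4624/4625 on Vista and later).
$types    = 'Error', 'Warning', 'FailureAudit'
$logonIds = 528, 529, 540, 4624, 4625

$hits = foreach ($log in 'Security', 'Application', 'System') {
    try {
        Get-EventLog -LogName $log -After $after -Before $before -ErrorAction Stop |
            Where-Object {
                ($types -contains $_.EntryType) -or
                ($log -eq 'Security' -and $logonIds -contains $_.EventID)
            } |
            Select-Object @{ n = 'Log'; e = { $log } }, TimeGenerated, EntryType,
                          Source, EventID,
                          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        # Get-EventLog also raises an error when no entry falls inside the window.
        Write-Warning "${log}: nothing in the window, or log not readable ($($_.Exception.Message))"
    }
}

# One merged timeline across the three logs, oldest first.
$hits | Sort-Object TimeGenerated | Format-Table -AutoSize -Wrap
```

Logon events appear in the Security log only if logon auditing was enabled before the incident, so an empty Security result does not by itself rule out a remote logon.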
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: SWScorch
Hmmm, I'd rather just think sp2 is being stupid on me :) But I am on the college network so I guess anything is possible. Maybe I should download ZoneAlarm again.
I've been watching the malware scene. Malware writeups frequently include the fact that the malware will edit your Registry directly to turn off your Windows Firewall, AND disable the "hey-your-firewall's-down" balloon thingie too. So your system could be a real mess.

My solution to serious compromise is to back up the data you need, then vaporize the Windows installation, unplug from the network, and stay that way until your Windows installation is installed, secured, firewalled, patched, and has at least baseline antivirus installed, before you ever let the network touch it. I'd recommend a little router to provide a perimeter firewall too.

If you don't want to Drop The Bomb On It™, I can suggest plenty of ways you can try to fight back, if you have lots of time on your hands for that kind of approach.
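
A read-only check for the kind of Registry tampering described in the post above, as an added example that is not part of the original thread. It assumes the XP SP2-era value locations for Windows Firewall and Security Center alerts; the variable names are illustrative.

```powershell
# Added example, not from the thread. Reads values only; changes nothing.
# Assumed locations: XP SP2-era Windows Firewall policy and Security Center keys.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'

$checks = @(
    @{ Path = "$fw\StandardProfile"; Name = 'EnableFirewall';         Expected = 1 },
    @{ Path = "$fw\DomainProfile";   Name = 'EnableFirewall';         Expected = 1 },
    @{ Path = $sc;                   Name = 'FirewallDisableNotify';  Expected = 0 },
    @{ Path = $sc;                   Name = 'AntiVirusDisableNotify'; Expected = 0 }
)

$report = foreach ($c in $checks) {
    $actual = $null
    $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if ($key) { $actual = $key.GetValue($c.Name) }

    # 'not set' means the value is absent and Windows falls back to its default.
    $state = if ($null -eq $actual)              { 'not set' }
             elseif ($actual -eq $c.Expected)    { 'ok' }
             else                                { 'CHANGED' }

    New-Object PSObject -Property @{
        Key      = $c.Path
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        State    = $state
    }
}

$report | Select-Object State, Value, Expected, Actual, Key | Format-Table -AutoSize -Wrap
```

A `CHANGED` row is only meaningful if you did not make that change yourself; a firewall that is off together with its alert suppressed is the combination the post describes.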

 

SWScorch

Hey mech, how's it going? You still hang out in the cases and cooling forum?

I know Windows Firewall is disabled because I did so myself. I am pretty darn paranoid about what goes onto and into my computer, so I have very few non-essential programs, run AdAware, Spybot, MS Anti-Spyware, AVG, TrendMicro Housecall, etc etc, about once a week, and of course use Firefox and Thunderbird. So I'm reasonably certain that I don't have any malware or trojans or anything, although I really should have a firewall, both software and hardware.

Also, I just reformatted the computer two months ago, when I was back home, and it's been displaying these symptoms since before that. So, a reformat didn't wipe it out, which is why I think it may be sp2's fault. Still, I will try running it for a bit unplugged from the network and run some more scans.
 

mechBgon

Let me get this straight:

1) you have no firewall

2) you're on a college network

:shocked:


Guess we know where your security problem is now :confused:

Blow it away. Get a router if you don't like software firewalls. Netgear RP614 is the one I'm most familiar with and can help with some configuration aspects. I have a page aimed at people bringing new Windows installations online safely: http://www.omnicast.net/~tmcfadden/guides/build/resources.html I'd suggest looking at the first part and also the ongoing prevention stuff below it.

When you set up Windows, give the hidden Administrator account a strong password to prevent no-brainer exploitations of it down the line like I talk about, you don't want your system's administrative shares to be wide-open like they probably are right now. When you make your own Admin-class account, whatever you name it, give it a strong password too. A strong password might be SWScorch@AT.

I'm a proponent of using Limited accounts for surfing and IM'ing, btw. Limited-class accounts can't write to the Windows directory or its subdirectories, can't modify the important parts of the Registry, and can't install software. Super way to "fasten your seatbelt," I'd say it's better than all the antispyware software put together in fact. Something to think about :)
 

Ken90630

Golden Member
Mar 6, 2004
1,571
2
81
Originally posted by: mechBgon
Let me get this straight:

1) you have no firewall

2) you're on a college network

:shocked:
I was gonna say the exact same thing, but mech beat me to it! :laugh:

All the AVG, Spybot, Ad-Aware, etc., apps in the world won't do anything against stateful packets and other malware that run rampant on college networks. Serious malware blows right past those things and does its stuff without breaking a sweat, and a lot of it will disable those security programs to keep you from running them and identifying/removing the malware. Once it's in, it's in -- and all you'll likely be able to do is wipe the HD and start with a fresh install of Windows (again). Right now your computer is about as equipped to keep malware out as a submarine with screen doors would be at keeping water out. :D (No offense. :D)

Get Zone Alarm or Norton Firewall, PLUS a hardware firewall in the form of a router or something, then blow away your current Windows installation and do everything mech suggests. That's my suggestion, anyway. ;)
 

SWScorch

While I understand the gravity of the situation, I still am not convinced that has anything to do with my issues. I think this because I only just recently disabled Windows Firewall (maybe 2 weeks ago) in order to play an online game, and until that point, the firewall was running.
 

mechBgon

Originally posted by: SWScorch
While I understand the gravity of the situation, I still am not convinced that has anything to do with my issues. I think this because I only just recently disabled Windows Firewall (maybe 2 weeks ago) in order to play an online game, and until that point, the firewall was running.
Big picture: your Windows installation needs redone. So go get a router, stick the college on the WAN side of it, and get Windows reinstalled.

Try a 30-day trialware of Kaspersky antivirus, it's far better against Trojans than AVG and seems to be the best thing available at the moment. Don't install any questionable software. Personally, I wouldn't use IM programs except from a Limited account either, no sense running that stuff as an Administrator.


edit: btw if you think there's a hardware issue mixed into all this, by all means post detailed specs too :)
 

amdskip

Lifer
Jan 6, 2001
22,530
13
81
Doesn't your school provide something like symantec corporate for free? Ours does and it absolutely works awesome.
 

Ken90630

This can be very hard to try & resolve over Anandtech.com's forums (although we're really trying to help you :) ).

I'm by no means an all-knowing expert on in-depth Windows probs, or complex security issues for that matter, but I do think that the probs you're describing are very unlikely to have been caused by SP2. Research it all you want, and I think you'll come to the same conclusion.

It also doesn't really sound like a hardware issue, but wise men know to never say never when it comes to computers. :p

My money's still on a malware infection. If your computer was ever on the college network or any other DSL or broadband network for even a couple minutes without a firewall, it could have been infected by a stateful packet of malware. And, believe it or not, some stateful packets can even get by a software firewall. You also might have gotten some malware by unknowingly allowing an infected e-mail or instant message to get in (even though your SP2 firewall was up). Instant messaging is particularly perilous these days. The bad guys like to use it to do their dirty work. :|

Best of luck to you. I hope you figure this out. Let us know if/when you do. :)
 

mechBgon

Or just a point-blank hack, no malware required. I can go through the hard drive of any computer on our biz network here using Internet Explorer to connect to \\computername\C$ since they don't run firewalls (and I know a valid username/password combo, of course, being a sysadmin). Anything I can do using Windows Explorer while at their computer, I can do remotely too. I could also modify their Registry remotely, add and delete user accounts remotely... And our antivirus software never lets out a peep about it, because it's fair play. A firewall, either a router or software, would stop me cold, however.
 

SWScorch

Looks like I'll be formatting again over spring break (won't be too much of a hassle as all my data is on a separate drive), but if that doesn't solve this problem, you guys will have me to answer to! ;)
 

Ken90630

Or just a point-blank hack, no malware required.
Yeah, that's always a possibility too. I hadn't thought of someone on his college network singling him out and targeting his machine to get in. Maybe someone is just messing with him and his computer just out of mischief. The fact that his AVG Resident shield gets turned off though, as well as his e-mail scanner, and he can't even launch Task Manager (which could reveal malware processes running), still makes me suspicious of a well-crafted piece of malware designed to disable the very things that would catch it. Or at least someone who really knows their way around a Windows Registry and how to wreak havoc with it. :Q

Then again, I also wonder what the point would be in completely disabling someone's computer like that. It would be unusable by the hacker as well, so what's the point? It's not like the bad guy(s) could hijack his machine and use it as a spam or pron server or something if it won't even work. Maybe it is someone just messing with Scorch's computer just out of meanness, with no other motive. :roll:

Looks like I'll be formatting again over spring break (won't be too much of a hassle as all my data is on a separate drive), but if that doesn't solve this problem, you guys will have me to answer to!
Heh heh. Fair enough. :D And if it does fix the problem, you'll be sending that reward (the new car) on to mech, right? ;) (He responded before I did, and prolly knows 10 times more than I ever will about this stuff, so I'll make no claims on any "reward!" Ha ha.)

BTW, you've prolly already thought of this, but after you reformat, keep the machine completely disconnected from the outside world and let it run for a day or two & see what happens. No college network, no Web, no nothin'! And set a strong password to log-on so no one (friends, dorm mates, whoever) can physically get in from your keyboard when you're not around.

Again, good luck. :)
 

RelaxTheMind

Platinum Member
Oct 15, 2002
2,245
0
76
On a lighter note: tried changing the administrator password as well, or even have one? That's a pretty big hole in itself.

If it's not a task from one of the many scanners you have on your computer running when it's idle, it may as well be spyware/malware/virii/some loser...

 

Slikkster

Diamond Member
Apr 29, 2000
3,141
0
0
I can't argue in the least against the suggestions put forward here about some kind of firewall protection. That's just basic, man. You know that.

That said, I'm not convinced this is a malware or hack problem...yet, anyway.

Can you get into the registry?

If so, go to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations

You should only have one entry there...a "string" value with an "ab" icon followed by (Default). In other words, an icon that says "ab(Default)". Double-click on that. The box that comes up should be empty. If not, clear it so it's empty.

If there are any other items in that registry key underneath the ab(Default) icon, delete them.

Even though "CurrentControlSet" is what's active on your pc, take a look at the FileRenameOperations subkey in ControlSet001, ControlSet002, etc. Make sure there's no additional entries other than the blank ab key.

Close registry.

Before you reboot the pc, reset your pagefile. This could be corrupted. Here's how:

1. Click Start.

2. Right-click My Computer.

3. Click Properties.

4. On the Advanced tab, in the Performance section, click Settings.

5. In the Virtual Memory section, click Change.

6. For Paging file size for selected drive, click No Paging File, and then click Set.

7. Click Yes after the following warning appears:
If the paging file on volume X: has an initial size of less than xx megabytes, then the system may not be able to create a debugging information file if a STOP error occurs. Continue anyway? (Note: This message might not appear)

(X is the drive letter and xx is the amount of RAM installed on your computer minus 1 megabyte.)

8. Click System Managed Size.

9. Click OK four times, and then restart the computer when you are prompted.


Also, do you have any removable drives on your system? Like a usb key drive or a camera, or any external device that would get a drive letter when you plug it in? Sometimes people have found that even after disconnecting these drives, Windows still shows them in My Computer with a drive letter. Ensure that you don't see any drives in My Computer that aren't really active.

Report back on what you found in this registry key. It may not be the answer, but it's definitely worth a shot in the troubleshooting process.

Turn on that damn XP Firewall, or some firewall, at least!
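
The Registry inspection described in the post above, as an added example that is not part of the original thread: a read-only Windows PowerShell script that reports any non-empty default value or extra value under the FileRenameOperations key named in the post, in CurrentControlSet and every numbered control set. Variable names are illustrative.

```powershell
# Added example, not from the thread. Reports only; it deletes nothing.
# Key name is the one given in the post; control sets are discovered at run time.
$sets = @('CurrentControlSet') + @(Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object { $_.PSChildName })

$findings = foreach ($set in $sets) {
    $path = "HKLM:\SYSTEM\$set\Control\Session Manager\FileRenameOperations"
    $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) {
        Write-Host "$set : key not present"
        continue
    }

    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)

        if ($name -eq '') {
            # The unnamed value is what regedit shows as (Default); empty is the clean state.
            if ([string]::IsNullOrEmpty([string]$data)) { continue }
            $name = '(Default)'
            $why  = 'default value is not empty'
        } else {
            $why  = 'extra value under the key'
        }

        New-Object PSObject -Property @{
            ControlSet = $set
            Value      = $name
            Data       = ($data -join '; ')   # flattens multi-string data for display
            Finding    = $why
        }
    }
}

if ($findings) {
    $findings | Select-Object ControlSet, Value, Data, Finding | Format-Table -AutoSize -Wrap
} else {
    'No unexpected values under FileRenameOperations in any control set.'
}
```

Export the key with regedit before clearing anything the script reports, so the previous state can be restored and compared later.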
 

stevty2889

Diamond Member
Dec 13, 2003
7,036
8
81
While this does sound like malware, there could also be hardware issues causing the problems. Have you run diagnostics on your hard drive? Run memtest? Doing any overclocking? Monitoring your temps and voltages?
 

SWScorch

Slikkster, everything checks out fine in regedit. Just reset the page file, have to reboot now and will report back. I do have a USB drive but the only issue I've had with that is sometimes it won't show up in the drives list when I connect it, and I have to force it to show by manually going into My Computer and it will show there. After I open it in My Computer, it will display in drop-down comboboxes such as found in Save As dialog boxes. Other than that, no issues.
 

SWScorch

Small update: I have since reset the pagefile, and have yet to witness another crash as before. However, now, my internet connection likes to get lost, and I have to reboot to fix it. AIM disconnects and immediately returns a "Cannot connect" as soon as I try to sign on. Firefox and Thunderbird both give me an immediate error stating that the server cannot be found. Renewing the IP address doesn't work either. Rebooting is the only way to get reconnected.