Log-on instant crash



ihavenoidea
10-10-2007, 08:33 PM
Hi all,

I have recently had a major issue develop where I can get to the log-on screen, click to log-in, see the desktop for about 15 seconds and then the system reboots itself. Every time I restart it does exactly the same thing.

Does anyone have a suggestion on what the issue might be and how I can get it fixed?

Thanks heaps to anyone who has a suggestion.

Cheers

Speedy Gonzales
10-10-2007, 08:41 PM
Might help if you can tell us what version of Windows (if you use Windows) is on this computer that's crashing.

If 98/2k/XP, (or Vista if it can do this) can it boot into safe mode, without crashing?

ihavenoidea
10-10-2007, 08:54 PM
Apologies, the PC at fault is running XP Professional.

This may sound like a silly question but how do I boot in safe mode? It doesn't seem to want to do much more than log-in and then reboot.

Speedy Gonzales
10-10-2007, 08:58 PM
Reboot and hold F8 down. (on some motherboards F8 also brings up the boot menu). If yours does after it boots, hold F8 down again.

Hopefully it'll come up with a menu.

Safe mode is one of the options here. Select it then press enter.

Wait for the login screen to appear, if it needs a password, type it in, and see if it crashes again.

How long has it been crashing? Can you remember what you installed (either hardware or software), before it started crashing?

ihavenoidea
10-10-2007, 09:14 PM
Ok I got it started in safe mode.

It has been happening for about 2 weeks and the last thing I can think of that may have had an impact was my pc crashed when I was trying to download a windows update.

What do I need to do now?

bob_doe_nz
10-10-2007, 09:21 PM
Has it crashed yet?

If not, try getting HijackThis from Speedy's links. Copy and paste it here so he can analyse it.

Speedy Gonzales
10-10-2007, 09:23 PM
And it hasn't crashed in safe mode yet?

Go to start/run, and type msconfig. Tell me what's under the startup tab.

Look for any strange file names here.

Write down the paths and filenames that appear in the startup tab.

Post them here.

You could try to download HijackThis from my sig below, and somehow get it onto this computer that's crashing. (Is this computer networked?)

berryb
10-10-2007, 09:36 PM
If the computer is connected to the net via ethernet then choose the option of Safe Mode with Networking and you will have internet access. Download Hijackthis and post here all from the problem computer.

ihavenoidea
10-10-2007, 09:36 PM
These are the tasks that are checked under the startup tab:

qttaste
ituneshelper
carpserv
SiSUSBrg
SOUNDMAN
AnyDVD
PDVDServ
NeroCheck
CCAPP
UsrPrmpt
HPWUSchd2
MiciTrayApp
dumprep O -k
ALUNOTIFY
NMBgMonitor
ctfmon
Acrobat assistant
Adobe Gamma Loader
Hp Digital Imaging Monitor
HP Photosmart Premier
Utility Tray
Xtra Help Assistant

Is there any of those that I should get the file path for in particular?

The PCs aren't networked - this is an old PC and I'm changing the monitor between the two.

Thanks heaps for your help so far

ihavenoidea
10-10-2007, 09:57 PM
Ok I managed to download Hijack This and this is the logfile I got when I ran it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:36 p.m., on 10/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.harbourrugby.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [tcnzTrayApp] "C:\Program Files\Xtra Help Assistant\bin\McciTrayApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Xtra Help Assistant.lnk = C:\Program Files\Xtra Help Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187995730703
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187995715468
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7618 bytes

Speedy Gonzales
10-10-2007, 10:10 PM
OK. Run HijackThis again, tick these entries, then tick fix checked.

Close browsers (although I don't think any are open).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

These are safe but don't have to run on startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

If you don't have a remote control for PowerDVD, tick this

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

If you don't use Nero Home, tick this

O4 - HKCU\..\Run: "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

These may be nasty

These may belong to an adult dialler.

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

I would also get trojan remover (http://www.simplysup.com/download/dl/trsetup.exe)

Install it on this computer, then click on scan. Select all options under the utilities menu. Then open My Computer, highlight C:, right-click, and do a scan with Trojan Remover. Then reboot.

If it continues to crash AFTER this, boot into safe mode again and go to control panel / admin tools / event viewer.

Go to the application entry on the left and go through the entries on the right. See if there are any entries with an X or error.

If there are, tell us what it says around the time it crashes.

Also look under the system entry on the left.
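
The triage applied to the log in the post above (an orphaned BHO with no file, and O16 DPF entries whose codebase is a local file:// CAB), written as an added Python example; it is not part of the original thread or of HijackThis. The names `triage`, `Finding` and `local_cab_paths` are assumptions of this example, and the sample lines are excerpted from the log posted earlier in the thread.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O2" or "O16"
    clsid: str
    detail: str   # "(no file)" or the local file:// codebase


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
BHO_RE = re.compile(
    r"^BHO: .+? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \(.+?\))? - (?P<codebase>\S+)$")

# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187995730703
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
"""


def triage(log_text):
    """Return the O2/O16 entries matching the two patterns flagged in the thread."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header lines, process list, blank lines
        section, body = entry["section"], entry["body"]
        if section == "O2":
            bho = BHO_RE.match(body)
            # Browser Helper Object still registered although its DLL is gone.
            if bho and bho["target"] == "(no file)":
                findings.append(Finding(section, bho["clsid"], bho["target"]))
        elif section == "O16":
            dpf = DPF_RE.match(body)
            # ActiveX control installed from a CAB on the local disk, not a URL.
            if dpf and dpf["codebase"].lower().startswith("file://"):
                findings.append(Finding(section, dpf["clsid"], dpf["codebase"]))
    return findings


def local_cab_paths(findings):
    """Distinct local CAB paths to look for on disk (several CLSIDs can share one)."""
    return sorted({f.detail[len("file://"):] for f in findings if f.section == "O16"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.clsid, f.detail)
    print(local_cab_paths(triage(SAMPLE_LOG)))
```
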

ihavenoidea
10-10-2007, 10:20 PM
I just got this message during the scan

This file is called by a services registry key
C:\WINDOWS\system32\drivers\InCDFs.sys

An executable file with this file name has not been found

This file is loaded by the following registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InCDFs\"ImagePath"

Should I leave this in place or remove it?

Speedy Gonzales
10-10-2007, 10:28 PM
Select remove reference from registry.

Then it'll tell you to reboot. Reboot.

ihavenoidea
10-10-2007, 11:41 PM
Hi,

I did both the HijackThis fix check and the Trojan Remover scan and tried to reboot in normal mode, and while it got a lot further than normal it still crashed again.

Any ideas on next steps?

Speedy Gonzales
11-10-2007, 07:57 AM
From my previous post

If it continues to crash AFTER this, boot into safe mode again and go to control panel / admin tools / event viewer.

Go to the application entry on the left and go through the entries on the right. See if there are any entries with an X or error.

If there are, tell us what it says around the time it crashes.

Also look under the system entry on the left.

Also boot into safe mode, right mouse on my computer on the desktop.

Advanced tab / settings (under startup and recovery). Untick automatically restart then click on OK twice.

Then reboot. When it crashes again it may bring up a blue screen, with the name of a file, or a stop error.

Tell us, what it says.

ihavenoidea
11-10-2007, 08:43 PM
Thanks for your patience, read your post again.

This is what event viewer is telling me:

Application has two errors:
VSS, None, 8193, N/A
Event System, (50), 4609, N/A

System has four errors:
Service control manager, none, 7026, N/A
DCOM, None, 10005, SYSTEM
DCOM, None, 10005, SYSTEM
DCOM, None, 10005, SYSTEM (appears three times)

Have just changed the reboot settings and will reboot now to see if I get a blue screen

ihavenoidea
11-10-2007, 08:55 PM
Got a blue screen with this message

STOP: 0x0000008E (0xC0000005, 0x80612C2D, 0xF6B12BB4, 0x00000000)

Speedy Gonzales
11-10-2007, 08:58 PM
It could be because you haven't got SP2.

This computer hasn't been updated recently, has it??

Since it's not on the net, or on a network.

When was this computer last updated / patched?

Are the video drivers on this computer Nvidia drivers?

Speedy Gonzales
11-10-2007, 09:03 PM
Got a blue screen with this message

STOP: 0x0000008E (0xC0000005, 0x80612C2D, 0xF6B12BB4, 0x00000000)

OK.

That 0x0000008E could mean this (http://support.microsoft.com/kb/315335)

this (http://support.microsoft.com/kb/330187)

Try killing the password in safe mode, remove it. Then boot normally.

See what happens.

ihavenoidea
11-10-2007, 09:07 PM
How do I "Try killing the password in safe mode, remove it"?

I tried to update recently and my PC crashed halfway through the update. I am connected to the net but not a network.

How do I tell if the video drivers are Nvidia drivers?

Speedy Gonzales
11-10-2007, 09:19 PM
How do I "Try killing the password in safe mode, remove it"?

Go to control panel / user accounts / user / remove password, or whatever it says here. Type the password in. I can't tell you, these aren't pw protected.


How do I tell if the video drivers are Nvidia drivers?

Right mouse on the desktop / properties / settings. Does it say ATI or Nvidia here? Or go to settings. Does it say ATI or Nvidia here?

I wouldn't be surprised if it's that Symantec software that's causing it to crash.

I would also disable system restore (right mouse on my computer on the desktop / properties / system restore tab untick it).

Then open my computer / tools / folder options / view. Change it to show hidden files and untick hide protected files.

I'll wait for you to get to this step, then we'll continue. We're going to see if there are any files in the system restore folders and delete them.

ihavenoidea
11-10-2007, 09:41 PM
No password on this machine at the moment.

When I Right mouse on the desktop / properties / settings it doesnt say either of those options

done - I would also disable system restore (right mouse on my computer on the desktop / properties / system restore tab untick it).

done - Then open my computer / tools / folder options / view. Change it to show hidden files and untick hide protected files.

Speedy Gonzales
11-10-2007, 09:49 PM
Ok, now right mouse on the System volume information folder.

Properties / security tab / advanced tab / add.

Then type in the name that appears, when you click on the start button (the name that appears at the top of the start menu/button)

Then click on check names. If you did it right, the name will appear on the left.

Then click on OK, tick allow, then OK, OK OK. Then hopefully the system volume information folder opens. Delete everything in it.

If you've got more than 1 partition or hard drive on this computer, do the above for all of them.

Then reboot. If it crashes again, we may have to test the memory.

And we may have to kill that Symantec program.

ihavenoidea
14-10-2007, 02:07 PM
Sorry for the delay in responding. Did what you suggested and again crashed when logging in. Any other ideas?

Speedy Gonzales
14-10-2007, 02:10 PM
What does it say in event viewer now??

Is it showing a blue screen with the same stop error??

Or is it showing the name of a file on the blue screen?

How many sticks of ram are on the mobo?? 1 or 2??

If 2 remove 1, then see if it crashes, if it still crashes, put the stick back in, you removed, and remove the other stick.

Download memtest (http://www.memtest.org/) and burn the ISO to cd, if you've got a cd/dvd burner. Then boot from the CD.

Or if you've got a floppy / USB flash drive, get the install file for these. And boot from it.

Ho Chi Minh
14-10-2007, 02:16 PM
Sorry for the delay in responding. Did what you suggested and again crashed when logging in. Any other ideas?

Have you got a registered fully updated copy of XP?
Are you running Norton Anti Virus? Saw some Symantec paths on start up

Ho

ihavenoidea
14-10-2007, 02:32 PM
Blue screen message is now: only thing changed in bold

STOP: 0x0000008E (0xC0000005, 0x80612C2D, 0xF7626BB4, 0x00000000)

Event viewer now says:
Two errors and a warning under application
VSS None 8193 N/A
Event System (50) 4609 N/A

Warning: Event System (52) 4354 N/A

11 errors under system all:
9x DCOM None 10005
service control manager None 7026
system error (102) 1003

Don't have service pack 2 yet. Do have Norton Anti Virus although it may need updating

Speedy Gonzales
14-10-2007, 02:37 PM
What about the ram?? How many sticks?? 1 or 2?

See my previous post.

I would check the ram.

ihavenoidea
14-10-2007, 02:39 PM
Are you able to tell me how I check my RAM?

Speedy Gonzales
14-10-2007, 02:44 PM
4 posts back.

Memtest

Since I think you had a dialler, boot into safe mode or whatever works (without crashing), and run IE. Go to Tools / internet options / connections.

What's under dialup??

If you're on dialup, and there's an extra entry here (besides the one you dial up with), delete it / click on remove.

HOW MANY sticks of ram have you got on the mobo??

Check and see if these files are still there. If they're there, delete them in safe mode.

file://c:\ex.cab
file://c:\ex.cab
file://c:\ex.cab
file://c:\ex.cab
file://c:\eied_s7.cab

Ho Chi Minh
14-10-2007, 02:52 PM
Safe mode Go msconfig startup tab uncheck everything try again

Ho

Metla
14-10-2007, 03:08 PM
Safe mode Go msconfig startup tab uncheck everything try again

Ho

Right on.

If the damn thing starts in safe mode (and it does) then it's most likely a startup item. Fire that sucker up and disable every damn thing under the startup tab, reboot, if she boots then you know the problem.