Windows keeps hanging! Hung programs cannot be killed. Cause is unknown.

SCC

New Member
Hi. ^^ I'm having a problem lately. I'm using Windows XP SP2. My Windows keeps hanging recently. The programs'll hang eventually after I start my Windows, & the cause is unknown. I've been suffering from this for quite some time already. So, really hope that u can help me out, even though I wrote a lot.


PLZ HELP ME, EVEN THOUGH I WROTE A LOT. THEY'RE ALL DETAILS IN THIS PROB. THIS MIGHT BE A NEW VIRUS OUTBREAK AS WELL. UR HELP IS VERY VERY MUCH APPRECIATED.


The hanging process is hastened when I'm connected to the internet. The hung programs cannot be killed even in Windows Task Manager. I'm using several programs that're problematic in this issue: BitComet 0.98, Windows Live Messenger 8.1 & Mozilla Firefox.

After I connect to the internet, I'll usually open these programs, & these are the programs that hang in this issue. BitComet will hang 1st, then Windows Live Messenger. Mozilla Firefox will then become unable to connect to the internet. BitComet & Windows Live Messenger will appear to be unable to be killed even in Windows Task Manager after they've hung.


Symptoms

The Status Bar under the Mozilla Firefox window shows 'Stopped', but the tabs're still showing 'Loading...'. I'm suspecting some services are stopping Firefox's access to the internet. Might be a rootkit.

Another symptom is that Windows will appear to be locked. The logged on user after the hanging occurs cannot be logged off or switched to another user. After clicking on Log Off on the Start Menu, an 'Unlock Computer' window appears. The window includes spaces to be filled in with the Windows account username & password. However, changing to another user account cannot succeed, but logging back in to the current account can be done.

Besides, Restart can't be done after the programs hang. Only pressing the Reset button on the CPU can solve the prob, but it'll occur again eventually.


Origins

I'm suspecting this is malware or virus's prob, but I've tried scanning with Spyware Doctor & SpySweeper, both with anti-virus, no threat found.

Actually, I've encountered this prob once a few months ago, after installing ZoneAlarm Pro & NOD32, both trial ver. After suspecting that this is a malware or virus prob, I did a scan with NOD32.

& then...

I'm suspecting a virus... The virus reacted immediately during the scan. It spoilt my system partition's MFT & MFT mirror, causing loss of my data.
I thought this is a virus that infected from the internet, so I installed ZoneAlarm Pro again after reinstalling my Windows & the prob occurs again.

I've ruled out the possibility of NOD32 causing the prob, bcoz I thought that NOD32 was causing the prob initially, & I made an image of the system partition before installing NOD32. The prob occurred after installing NOD32, so I reverted back to the image I'd made, but the prob still occurred. & the only new program I'd installed in the image is ZoneAlarm Pro.

So, I'm suspecting ZoneAlarm Pro causes the prob, since I'm experiencing the identical prob after installing this program twice. I didn't have this prob before I installed ZoneAlarm Pro. & I dun dare to make a scan again, afraid of losing data again.


Detecting cause of hanging or high CPU usage

Btw, I can't detect wat causes the hanging in this prob. I've checked Windows Task Manager, the CPU usage is fine, & the 'System' & 'System Idle Process' processes don't act strangely as well. Juz that those programs keep hanging & can't be killed.
So, I'd like to know how to detect the cause of a PC hanging or CPU usage staying high while I'm not running any resource-demanding programs. Juz want to know in case of troubleshooting this kinda prob in future.

IN CONCLUSION, I HOPE THAT U CAN HELP ME IN THIS PROB. WAT I WROTE MIGHT BE A LIL LONG, BUT PLZ DO HELP ME OUT. I'LL APPRECIATE UR ASSISTANCE VERY MUCH. THIS MIGHT BE A NEW VIRUS OUTBREAK AS WELL. SO, THX IN ADVANCE! HOPE TO HEAR FROM U SOON. ^^
 

GameMaster

New Member
OK, let's suspect it really is a malware issue.
Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

SCC

New Member
Oh. Thx a lot. ^^ Here's the HJT log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:28 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://codecs.r8.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG. EXE /SetPreload /Log
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200363860134
O17 - HKLM\System\CCS\Services\Tcpip\..\{00FF8A18-3F3C-4DC4-B7F8-300E9ACF6EB8}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00FF8A18-3F3C-4DC4-B7F8-300E9ACF6EB8}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{00FF8A18-3F3C-4DC4-B7F8-300E9ACF6EB8}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 6301 bytes
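
A log like the one above is read entry by entry. The following Python sketch is an added example, not part of the thread or of HijackThis: it parses the log format shown here and lists entries worth a manual look. The function names and the triage rules are assumptions chosen for illustration, and a listed entry is a prompt to check the file, not a detection.

```python
import re
from collections import defaultdict

# A few lines copied from the log posted in this thread, embedded so it runs offline.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                   # section code, rest of line
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")  # hive, key, value name, data
EXE = re.compile(r'"?([^"]*?\.exe)', re.I)                   # first executable in the data

def parse(log):
    """Split a log into the running-process set and entries grouped by code."""
    running, entries, in_procs = set(), defaultdict(list), False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            running.add(line.lower())
    return running, entries

def triage(log):
    """Return (code, reason, entry) tuples to check by hand; not a verdict."""
    running, entries = parse(log)
    notes = []
    for code, items in entries.items():
        for item in items:
            low = item.lower()
            if "(no file)" in low or "(file missing)" in low:
                notes.append((code, "registered file is absent", item))
            if code == "O23" and "unknown owner" in low:
                notes.append((code, "HijackThis reported Unknown owner", item))
            run = RUN.match(item) if code == "O4" else None
            exe = EXE.match(run.group(4)) if run else None
            if exe:
                path = exe.group(1).lower()
                if "\\" not in path:
                    notes.append((code, "no full path, resolved via search path", item))
                elif path not in running:
                    notes.append((code, "autostart target not running now", item))
    return notes

if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(*note, sep=" | ")
```

An O4 line is the same information as a registry path followed by `Name="data"`: the `Run` key, the value name in brackets, then the command that value holds.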
 

GameMaster

New Member
Hmm this is clean. No signs of infections I was looking for.
This all points to hardware problems.
Otherwise...anyway from now on, I no longer can help...sorry.
I am sure some1 will answer you as fast as I did so don't worry.
 

SCC

New Member
If this log is clean, means my pc is undoubtedly clean? I guess this is a software prob.
 

GameMaster

New Member
OK, you mentioned you reinstalled your system. It didn't work. I am just curious, but I bet it would be the same if you reformat it.
I cannot be sure, however, I would place $20 that it's a hardware issue. Probably a dying motherboard. To prove that, I bet soon your computer will take 5 minutes to boot (if not so already).
 

SCC

New Member
Intel Core2Duo 6300 1.83GHz, NVidia 7600GT, Dual-Channel 2GB 667MHz RAM & Intel DG965RY Motherboard.

I've said before, in the 1st post, but it might not be so clear, soree. I actually had this prob a few months ago, after installing ZoneAlarm Pro. After reformatting, I didn't install it again until recently. & I didn't experience this prob all along the time since I reformatted until I installed ZoneAlarm Pro again. So, I'm suspecting ZoneAlarm Pro more.

Anyway, wat should I do to check the hardware issue? Which hardware u're suspecting?

& there's another question u haven't answered. =p If this log is clean, means my pc is undoubtedly clean?
 

GameMaster

New Member
Dying motherboard was my prime thought.
Then again, it's always better first to check all software issues. So please then, uninstall Zone Alarm and tell me if it is better.
 

SCC

New Member
I've already uninstalled ZoneAlarm Pro, but the prob still persists. But I think a format will fix this. Maybe something wrong is still left inside my pc.

Or do u think the hardware prob only reacts when I installed ZoneAlarm Pro?

My motherboard juz bought for a year, shouldn't be spoiling this fast. This prob already appears for 2 or 3 weeks like that. If my motherboard is spoiling, it should be spoilt by now.

Anyway, if the HJT log is clean, is it undoubtedly my pc is clean as well?
 

GameMaster

New Member
Lol.
Hardware problem reacts all the time, but may stop for some time and start again, who can predict it?
I don't find any possible connection with dying motherboard and ZoneAlarm.
You can try to reformat anyway; if it's a hardware problem you will have your pc reformatted, so... try and see.
 

SCC

New Member
Okay, reformat is already my plan, anyway. Juz that want to know any way to troubleshoot such prob 1st. So, any way to fix this?

Btw, I want to know how to detect the cause of a pc hanging or high CPU usage. Can u tell me?
 

SCC

New Member
Lol. Okay. I guess according to ur advice, the best thing I can do is reformat, right? Anyway, I still need help on the things I've asked. So, if any other else who can help, plz kindly assist me.

GameMaster, thx a lot. U've been great help. ^^ But u still haven't told me this... if the HJT log is clean, is it undoubtedly my pc is clean as well?
 

GameMaster

New Member
No. Yes. You choose.
1. HijackThis log shows all registry changes and all, it's really the best way to find any infections. It doesn't find all, but if you see one, only one (one is enough, that's my point) infection there, it's most likely your computer is infected with like, 10 of the same kind.
2. However in this case you don't have any malware on your computer. To verify that, there are some online scans like Panda online scan or Kaspersky Antivirus online scan.
3. But I didn't suggest a scan because there are not many infections that can cause your problem, and all of them are visible in HijackThis log. You can trust me on that, you are undoubtedly clean.
4. Reformatting will sure help you for some period of time. Until you install Zone Alarm or get some virus or until your hardware keeps/starts dying. That's what we want to see, and what we will find out when you reformat.
5. I hope I helped you on this one, really sorry that I can't help any further. Hope you know the reformatting process and all.
Good luck!
 

SCC

New Member
I see, I see. It's fine. ^^ U helped a lot. I know how to reformat. Haha. So, thank u very much. ^^

Anyway, if anyone else has any more idea, plz kindly help me.
I need further answer, like how to determine whether is it software prob, other than reformatting, & how to detect the cause of pc hanging & high CPU usage. Any help would be greatly appreciated. ^^
 

SCC

New Member
I think I found something. Some trojans exist in my pc, & can't be removed even by Spyware Doctor & SpySweeper. I came across a GPU overclocking utility installed on my pc, installed together wif my NVidia 7600GT driver, & simply enabled & disabled the D.O.T (Dynamic Over-Clocking Technology) feature, then a registry change was blocked by my Spyware Doctor.

The registry path found is HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\WinSys.exe"

& the threat name found is Trojan-Downloader.Dadobra.CP.

I tried to remove this trojan manually. However, I can't find this WinSys.exe in my System32 folder even after disabling 'Hide protected operating system files'.

Btw, I dunno how to find the registry path wif the comma in the middle. Wat does the comma mean? How to find that?

It's weird that Spyware Doctor is capable of detecting & blocking the registry change & the source of this threat, but is unable to detect this threat in its scan & remove it.

Anyway, I think this Trojan-Downloader.Dadobra.CP is the culprit behind all the prob. But I dunno how to remove it. No clear guide on internet as well.
 

hNic

New Member
install and run Spybot Search and Destroy (Google It)

It will detect any spyware that exists on your machine and will give you the option to remove it
 

GameMaster

New Member
Spyware, but this is apparently a Trojan (if it exists).
I am tired of this, and you are really sure u do have a virus, so let's do one more thing OK?
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Now reboot in safe mode. If you don't know how,
Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.
You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

How to view Hidden files/folders.
http://www.bleepingcomputer.com/tutorials/tutorial62.html
don't forget to hide files/folders when this is finished

Search and find these files/folders in red below and delete them:
Don't worry for files/folders not found
C:\WINDOWS\System32\WinSys.exe
Please delete the WinSys.exe file.
When done, reboot in normal mode...tell about your computer, is it better?
 