Windows keeps hanging! Hung programs cannot be killed. Cause is unknown.

SCC

New Member
Hey, I haven't done your SDFix yet. But now another problem has arisen. I tried out Spybot S&D first, as you recommended before, to test its detection capability.

It didn't prove much use anyway, but after the scan a problem occurred on my PC. I can't open any program now. No .exe file or any other Windows utility can be opened. An error message appears when I open them:

'This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.'

I don't know how to deal with this... I can't restore my Windows using System Restore, nor repair my Windows XP; I can't even Run... any command that uses .exe files, like chkdsk and regedit. Sorry for troubling you, but do you have any idea?
 

SCC

New Member
Hmm... Thanks for your advice, y2k_itman. ^^ But I can't run anything from my PC now. Everything appears with this message: 'This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.' So fixing this is the priority.
 

GameMaster

New Member
This is nice! Finally we found out what the problem is... Please visit and read this site, as people have the same problems there. There are even workaround methods. OK, it says this:

Method 1
Start MSN Explorer, and then type the Web address of the Web site that you want to browse to in the Address bar.

Method 2
Turn on access to Internet Explorer from the Start menu and desktop, and then use the Run command to browse to the Web site that you want. To do this, follow these steps:
1. Click Start, and then click Control Panel.
2. Double-click Add or Remove Programs, and then click Add/Remove Windows Components.
3. In the Components list, click to select the Internet Explorer check box, and then click Next.
4. Click Finish.
5. Click Start, and then click Run.
6. In the Open box, type the Web address of the Web site that you want to browse to, and then click OK.
Hope it helps!
 

StrangleHold

Moderator
Staff member
> Hey, I haven't done your SDFix yet. But now another problem has arisen. I tried out Spybot S&D first, as you recommended before, to test its detection capability.
>
> It didn't prove much use anyway, but after the scan a problem occurred on my PC. I can't open any program now. No .exe file or any other Windows utility can be opened. An error message appears when I open them:
>
> 'This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.'
>
> I don't know how to deal with this... I can't restore my Windows using System Restore, nor repair my Windows XP; I can't even Run... any command that uses .exe files, like chkdsk and regedit. Sorry for troubling you, but do you have any idea?

You have been dealing with this for 5 days now; I bet a clean install of XP would have been a little quicker :D. Do a clean install, update Windows, update all your drivers, and install a good antivirus and antispyware program. Run it for a while and see if the problem pops up again. If not, start installing your programs one at a time, and if ZoneAlarm causes you problems, don't install it again.
 

SCC

New Member
Hmm... Actually, it should be solved by today if SDFix works and this problem doesn't appear. And by the way, I want to know how to deal with such a non-obvious and serious problem, which turned out to be a powerful trojan in the end. And most important, I want to know how to detect the cause of the hanging and high CPU usage. So I hope you guys can help me out.

And about GameMaster's solution... I'm not having that problem. I'm not accessing websites using 'Run...'. I just simply can't open any programs. I believe it's because Windows has lost its file association for .exe files. So I can't even open the Control Panel's utilities, except for a few, like Folder Options. However, I can't save settings either.
 
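The message SCC quotes is the one XP shows when the .exe extension no longer resolves to the exefile class, or when exefile\shell\open\command no longer reads "%1" %*. The .reg file below is an added example (not from the thread, from the filext page linked later in it, or from any tool named here); it restores, with XP's default values, the keys that launching an .exe depends on. The path C:\exefix.reg is an assumed name. Because regedit.exe is itself an .exe, start it without going through the broken shell association: Start > Run > command.com (the .com extension has its own comfile association, which the error message does not mention as broken), type cmd at that prompt to get a normal command processor, then regedit /s C:\exefix.reg. Programs started from a command prompt use CreateProcess directly and never consult the association, which is why this works even though the Run dialog and Explorer fail.

```reg
Windows Registry Editor Version 5.00

; Restore the .exe extension -> exefile class mapping (XP defaults).
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

; The verb Explorer and the Run dialog use: "%1" is the program, %* its arguments.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

; Remove any per-user "Open With" override for .exe so the HKCR mapping applies.
; Harmless if the key does not exist (assumed: the override is what some malware sets).
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
```

After the import, assoc .exe should answer .exe=exefile and ftype exefile should answer exefile="%1" %*. If the association breaks again after a reboot, something still running on the machine is re-breaking it, and that is the part the cleanup tools and the log review later in this thread are for.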

GameMaster

New Member
Uh... I don't know; how are you going to run any antivirus software if your computer does that? Now I'm afraid I completely agree you need to quickly reinstall your Windows. Then you will probably be able to open all the programs and so on, and then we will get back to cleaning out the viruses that did this, OK?
 

SCC

New Member
Hmm... That's the point. If I'm reinstalling Windows, there's no need to deal with the virus anymore. The virus will be erased along with everything else when reinstalling Windows. So you've no more ideas?
 

SCC

New Member
SDFix: Version 1.130


Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 01:03:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 5


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe"="C:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe:*:Enabled:Virtual PC 2007"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"="C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe:*:Enabled:GG E-Sports Platform Client"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Wed 16 Jan 2008 24,576 ...H. --- "C:\Documents and Settings\SCC\Desktop\~WRL0004.tmp"
Wed 16 Jan 2008 28,160 ...H. --- "C:\Documents and Settings\SCC\Desktop\~WRL0264.tmp"
Wed 16 Jan 2008 30,720 ...H. --- "C:\Documents and Settings\SCC\Desktop\~WRL0720.tmp"
Wed 16 Jan 2008 30,720 ...H. --- "C:\Documents and Settings\SCC\Desktop\~WRL1479.tmp"
Sat 12 Jan 2008 165,232 A..H. --- "C:\Documents and Settings\SCC\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:01 AM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://codecs.r8.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1200363860134
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFD392D8-FA1A-4B43-9CE3-CFC26AB49AA2}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 7158 bytes
 
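The HijackThis log above is read by hand in the thread. The script below is an added example, not code from the thread, from Trend Micro or from any tool named on the page; it applies the first-pass checks a responder runs over such a log: orphaned entries ("(no file)", "(file missing)"), Run values that start an .exe straight out of system32, services with no recorded owner, O17 DNS servers outside a set you trust, and IE start/search values pointing at non-Microsoft hosts. The sample input is copied from the posted log plus one constructed O4 line modelled on the WinSys Run value SCC reports later in the thread (that line is not in the posted log). Every flag is a prompt to verify the entry (publisher, signature, file version, whether you installed it), not a verdict: the Acronis service marked "Unknown owner" in the real log is an example of a flagged but legitimate entry.

```python
"""Heuristic triage of a HijackThis 2.0 log (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


# Constructed sample: lines copied from the log posted in the thread, plus one
# O4 line (WinSys) modelled on the Run value Spyware Doctor reported being
# written.  The WinSys line is NOT in the posted log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://codecs.r8.org/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\System32\Winsys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFD392D8-FA1A-4B43-9CE3-CFC26AB49AA2}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Autorun binaries that legitimately live directly in %SystemRoot%\system32 on
# XP.  Any other .exe started from there by a Run value gets a review flag,
# because that directory is where a dropped file looks most like Windows.
KNOWN_SYSTEM32_AUTORUNS = frozenset({"ctfmon.exe", "rundll32.exe"})

_SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d+) - ")
_O4_TARGET_RE = re.compile(r"^O4 - [^:]*: \[[^\]]*\]\s*(.*)$")
_SYSTEM32_EXE_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\system32\\([^\\\s\"]+\.exe)", re.IGNORECASE)
_URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(log_text, trusted_resolvers=frozenset()):
    """Return the entries worth checking, in log order.

    trusted_resolvers: DNS server addresses you expect on this machine (your
    ISP's or router's); any other address in an O17 entry is flagged.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if not m:
            continue
        section = m.group(1)

        # Registry entries pointing at a file that no longer exists: leftovers,
        # not active code, but safe and worthwhile to clean up.
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, "orphaned entry, target file missing", line))
            continue

        if section in ("R0", "R1"):
            host = _URL_HOST_RE.search(line)
            if host and not host.group(1).lower().endswith("microsoft.com"):
                findings.append(Finding(section, "IE start/search value points at " + host.group(1), line))

        elif section == "O4":
            t = _O4_TARGET_RE.match(line)
            target = t.group(1) if t else line
            exe = _SYSTEM32_EXE_RE.search(target)
            if exe and exe.group(1).lower() not in KNOWN_SYSTEM32_AUTORUNS:
                findings.append(Finding(section, "autorun starts " + exe.group(1)
                                        + " directly from system32; verify publisher and file version", line))

        elif section == "O17":
            untrusted = [ip for ip in _IPV4_RE.findall(line) if ip not in trusted_resolvers]
            if untrusted:
                findings.append(Finding(section, "DNS servers not in the trusted set: " + ", ".join(untrusted), line))

        elif section == "O23" and " - Unknown owner - " in line:
            findings.append(Finding(section, "service binary carries no company name; check its signature or hash", line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_resolvers={"202.188.0.133", "202.188.1.5"}):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the sample with both 202.188.x addresses in the trusted set, the script flags the R1 ShellNext URL, the two orphans, the sw20.exe and Winsys.exe Run values, and the Acronis service; the NVIDIA service, the rundll32-launched NvCpl entry and ctfmon.exe pass. The point of the trusted-resolver parameter is that an O17 entry is only meaningful relative to what the machine's ISP actually hands out, which the log alone cannot tell you.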

GameMaster

New Member
Finally, I found a nice article to fix the lost .exe file association here: http://filext.com/faq/broken_exe_association.php

> Anyway, your SDFix doesn't seem able to find any trojan. Actually, what makes your SDFix special? Does it match the commercial anti-spyware programs, like Spyware Doctor?

It found and killed 5 rootkits.

> Hmm... That's the point. If I'm reinstalling Windows, there's no need to deal with the virus anymore. The virus will be erased along with everything else when reinstalling Windows. So you've no more ideas?

Lol man, not in all cases. A quick reinstall only replaces the bad files that need it; it doesn't cure viruses. Full install = reformat = loss of all data, and so of the viruses too.

Also, I will take some time to examine the log.
 

SCC

New Member
Are you sure those are rootkits? The file names and directory of those look like just some Application Data of MSN Messenger, and they don't look like they're causing any problem. The Dadobra still exists. Anyway, I'll wait until you examine the log first. ^^
 

GameMaster

New Member
Well, Application Data is a very suspicious place to put your folders. You may not know it, but I do. Many viruses are stored there, and why do you think the virus removal tool would say it found viruses if it didn't? Yes, I am sure those are malware. Not all rootkits though; some of them are Trojans.

Also, I have examined both the logs.
You are clean. Please tell me, do you suffer any more problems?
 

SCC

New Member
Hmm... I'll try to see whether my PC is still hanging or not, but my Spyware Doctor still reported that something is trying to access www.ftjcfx.com and btfans.3322.org. By the way, the file names of the trojans you're referring to are the e-mail addresses of my friends; they look like some data for MSN Messenger.

Anyway, what distinguishes your SDFix from commercial anti-spyware programs like Spyware Doctor? Why can your SDFix find the trojans, but mine can't?
 

SCC

New Member
Oh, my Spyware Doctor still reports that rundll32.exe is trying to write to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\Winsys.exe"

However, it looks like it's blocked, so my PC still looks clean for now. If my Spyware Doctor is closed, then the malware starts downloading onto my PC. So there's still something on my PC. It looks very hard to remove.

By the way, I didn't delete Winsys.exe when I fixed my PC using SDFix. I can't find Winsys.exe even with 'Hide operating system files' disabled.
 

GameMaster

New Member
OK, see if your system is hanging or not. Also, I have no idea why your SDFix didn't find it. The thing is, if you search for help somewhere, I guess you'd better listen to any advice given. Otherwise what's the point in asking?
I certainly hope your system got better. You are some tough case.
 

GameMaster

New Member
> Oh, my Spyware Doctor still reports that rundll32.exe is trying to write to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\Winsys.exe"
>
> However, it looks like it's blocked, so my PC still looks clean for now. If my Spyware Doctor is closed, then the malware starts downloading onto my PC. So there's still something on my PC. It looks very hard to remove.
>
> By the way, I didn't delete Winsys.exe when I fixed my PC using SDFix. I can't find Winsys.exe even with 'Hide operating system files' disabled.

Uninstall and delete Spyware Doctor. Right now, please.
Also, if you didn't find Winsys.exe, that's good, meaning it's cleared (SDFix or ComboFix or something did it).
If you need a good replacement for Spyware Doctor, I can recommend some.
Use Spybot Search and Destroy; it's good, it also has SDHelper, and there are some online spyware scanners.

Also, I can't see any firewall in your HijackThis log, so I assume you use Windows Firewall.

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient, but it only controls one direction of traffic (inbound). Simply using a firewall in its default configuration can lower your risk greatly.
It's preferable to install one of the suggested firewalls.

FREE FIREWALLS

A tutorial about firewalls can be found here.

I am also sure your system is running smoothly. Still, update me please.
 

SCC

New Member
Hmm... Yeah, I do listen. I just want to know what distinguishes your SDFix from others, since you're asking me to use it. For now, the system is still smooth; I just wonder whether it will still hang. Winsys.exe couldn't be found even before I used SDFix.

Why uninstall Spyware Doctor? Is it useless? Or to make the malware show itself? What would you recommend to replace Spyware Doctor? Spybot is useless, isn't it? It also made my PC lose its file association for .exe files, which is the problem I had before I could try SDFix. However, Spyware Doctor is already the top anti-spyware program available. Is there any better substitute?

Hmm... I had installed ZoneAlarm Pro initially, but I think that's the thing that made my PC hang, and that's why I'm posting in this forum. By the way, I think outbound connection control is so troublesome. You have to give permission for every action, and some programs can't work well even if they're allowed in the Program Control. Any advice on this?
 