# Windows keeps hanging! Hung programs cannot be killed. Cause is unknown.



## SCC

Hi. ^^ I've been having a problem lately. I'm using Windows XP SP2. My Windows keeps hanging recently. The programs will eventually hang after I start Windows, and the cause is unknown. I've been suffering from this for quite some time already. So I really hope that you can help me out, even though I wrote a lot.


PLEASE HELP ME, EVEN THOUGH I WROTE A LOT. THESE ARE ALL THE DETAILS OF THIS PROBLEM. THIS MIGHT BE A NEW VIRUS OUTBREAK AS WELL. YOUR HELP IS VERY VERY MUCH APPRECIATED.


The hanging is hastened when I'm connected to the internet. The hung programs cannot be killed even in Windows Task Manager. I'm using several programs that are problematic in this issue: BitComet 0.98, Windows Live Messenger 8.1 and Mozilla Firefox.

After I connect to the internet, I'll usually open these programs, and these are the programs that hang in this issue. BitComet will hang first, then Windows Live Messenger. Mozilla Firefox will then become unable to connect to the internet. BitComet and Windows Live Messenger cannot be killed even in Windows Task Manager after they have hung.


_*Symptoms*_

The status bar in the Mozilla Firefox window shows 'Stopped', but the tabs are still showing 'Loading...'. I suspect some service is stopping Firefox's access to the internet. Might be a rootkit.

Another symptom is that Windows appears to be locked. After the hanging occurs, the logged-on user cannot be logged off or switched to another user. After clicking Log Off on the Start Menu, an 'Unlock Computer' window appears. The window has fields to be filled in with a Windows account username and password. However, changing to another user account cannot succeed, although logging back in to the current account can be done.

Besides, a restart can't be done after the programs hang. Only pressing the Reset button on the CPU can solve the problem, but it'll occur again eventually.


_*Origins*_

I suspect this is a malware or virus problem, but I've tried scanning with Spyware Doctor and SpySweeper, both with anti-virus, and no threat was found.

Actually, I encountered this problem once a few months ago, after installing ZoneAlarm Pro and NOD32, both trial versions. After suspecting that this was a malware or virus problem, I did a scan with NOD32.

And then...

I suspect a virus... The virus reacted immediately during the scan. It spoilt my system partition's MFT and MFT mirror, which resulted in the loss of my data.
I thought this was a virus that infected me from the internet, so I installed ZoneAlarm Pro again after reinstalling my Windows, and the problem occurred again.

I've ruled out the possibility of NOD32 causing the problem, because I initially thought that NOD32 was causing the problem, and I had made an image of the system partition before installing NOD32. The problem occurred after installing NOD32, so I reverted back to the image I'd made, but the problem still occurs. And the only new program I'd installed in the image was ZoneAlarm Pro.

So, I suspect ZoneAlarm Pro causes the problem, since I've experienced the identical problem after installing this program twice. I didn't have this problem before I installed ZoneAlarm Pro. And I don't dare to scan again, afraid of losing data again.


_*Detecting cause of hanging or high CPU usage*_

By the way, I can't detect what causes the hanging in this problem. I've checked Windows Task Manager; the CPU usage is fine, and the 'System' and 'System Idle Process' processes don't act strangely either. It's just that those programs keep hanging and can't be killed.
So, I'd like to know how to detect the cause of a PC hanging, or of CPU usage staying high while I'm not running any resource-demanding programs. I just want to know, in case I have to troubleshoot this kind of problem in future.

IN CONCLUSION, I HOPE THAT YOU CAN HELP ME WITH THIS PROBLEM. WHAT I WROTE MIGHT BE A LITTLE LONG, BUT PLEASE DO HELP ME OUT. I'LL APPRECIATE YOUR ASSISTANCE VERY MUCH. THIS MIGHT BE A NEW VIRUS OUTBREAK AS WELL. SO, THANKS IN ADVANCE! HOPE TO HEAR FROM YOU SOON. ^^


----------



## SCC

Hmm... No one replying~ Can anyone please help me~?


----------



## GameMaster

OK, let's suspect it really is a malware issue.
*Click here* to download *HJTsetup.exe*
Save HJTsetup.exe to your desktop. 
Double click on the HJTsetup.exe icon on your desktop. 
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue. 
Put a check by *Create a desktop icon* then click *Next* again. 
Continue to follow the rest of the prompts from there. 
At the final dialogue box click *Finish* and it will launch Hijack This. 
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log. 
Click *Save* to save the log file and then the log will open in notepad. 
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. 
Come back here to this thread and Paste the log in your next reply. 
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## SCC

Oh. Thanks a lot. ^^ Here's the HJT log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:28 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://codecs.r8.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200363860134
O17 - HKLM\System\CCS\Services\Tcpip\..\{00FF8A18-3F3C-4DC4-B7F8-300E9ACF6EB8}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00FF8A18-3F3C-4DC4-B7F8-300E9ACF6EB8}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{00FF8A18-3F3C-4DC4-B7F8-300E9ACF6EB8}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 6301 bytes


----------



## GameMaster

Hmm, this is clean. No signs of the infections I was looking for.
This all points to hardware problems.
Otherwise... anyway, from now on I can no longer help... sorry.
I am sure someone will answer you as fast as I did, so don't worry.


----------



## SCC

If this log is clean, does that mean my PC is undoubtedly clean? I guess this is a software problem.


----------



## GameMaster

OK, you mentioned you reinstalled your system. It didn't work. I am just curious, but I bet it would be the same if you reformat it.
I cannot be sure; however, I would place $20 on it being a hardware issue. Probably a dying motherboard. To prove that, I bet soon your computer will take 5 minutes to boot (if it doesn't already).


----------



## 2048Megabytes

What are your computer system specifications (processor, RAM)?


----------



## SCC

Intel Core 2 Duo 6300 1.83GHz, NVIDIA 7600GT, dual-channel 2GB 667MHz RAM and an Intel DG965RY motherboard.

I said this before, in the first post, but it might not have been so clear, sorry. I actually had this problem a few months ago, after installing ZoneAlarm Pro. After reformatting, I didn't install it again until recently. And I didn't experience this problem at all from the time I reformatted until I installed ZoneAlarm Pro again. So, I suspect ZoneAlarm Pro more.

Anyway, what should I do to check for the hardware issue? Which hardware are you suspecting?

And there's another question you haven't answered. =p If this log is clean, does that mean my PC is undoubtedly clean?


----------



## GameMaster

A dying motherboard was my prime thought.
Then again, it's always better to check all software issues first. So please uninstall ZoneAlarm and tell me if it's better.


----------



## SCC

I've already uninstalled ZoneAlarm Pro, but the problem still persists. But I think a format will fix this. Maybe something wrong is still left inside my PC.

Or do you think the hardware problem only reacts when I install ZoneAlarm Pro?

My motherboard was bought just a year ago; it shouldn't be spoiling this fast. This problem has already been appearing for 2 or 3 weeks or so. If my motherboard were spoiling, it should be spoilt by now.

Anyway, if the HJT log is clean, does that mean my PC is undoubtedly clean as well?


----------



## GameMaster

Lol.
A hardware problem reacts all the time, but may stop for some time and start again; who can predict it?
I don't find any possible connection between a dying motherboard and ZoneAlarm.
You can try to reformat anyway; if it's a hardware problem, you will have your PC reformatted, so... try and see.


----------



## SCC

Okay, reformatting is already my plan, anyway. It's just that I want to know a way to troubleshoot such a problem first. So, is there any way to fix this?

By the way, I want to know how to detect the cause of a PC hanging or high CPU usage. Can you tell me?


----------



## GameMaster

If I knew I'd tell you.


----------



## SCC

Lol. Okay. I guess, according to your advice, the best thing I can do is reformat, right? Anyway, I still need help on the things I've asked. So, if anyone else can help, please kindly assist me.

GameMaster, thanks a lot. You've been a great help. ^^ But you still haven't told me this... if the HJT log is clean, does that mean my PC is undoubtedly clean as well?


----------



## GameMaster

No. Yes. You choose.
1. A HijackThis log shows all registry changes and all; it's really the best way to find any infections. It doesn't find all, but if you see one, only one (one is enough, that's my point) infection there, it's most likely your computer is infected with, like, 10 of the same kind.
2. However, in this case you don't have any malware on your computer. To verify that, there are some online scans like Panda online scan or Kaspersky Antivirus online scan.
3. But I didn't suggest a scan because there are not many infections that can cause your problem, and all of them are visible in a HijackThis log. You can trust me on that, you are undoubtedly clean.
4. Reformatting will surely help you for some period of time. Until you install ZoneAlarm or get some virus, or until your hardware keeps/starts dying. That's what we want to see, and what we will find out when you reformat.
5. I hope I helped you on this one; really sorry that I can't help any further. Hope you know the reformatting process and all.
Good luck!


----------



## SCC

I see, I see. It's fine. ^^ You helped a lot. I know how to reformat. Haha. So, thank you very much. ^^

Anyway, if anyone else has any more ideas, please kindly help me.
I need further answers, like how to determine whether it is a software problem, other than by reformatting, and how to detect the cause of PC hanging and high CPU usage. Any help would be greatly appreciated. ^^


----------



## SCC

I think I found something. Some trojans exist on my PC, and can't be removed even by Spyware Doctor and SpySweeper. I came across a GPU overclocking utility installed on my PC, installed together with my NVIDIA 7600GT driver, and simply enabling and disabling the D.O.T (Dynamic Over-Clocking Technology) feature caused a registry change that was blocked by my Spyware Doctor.

The registry path found is HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\WinSys.exe"

And the threat name found is Trojan-Downloader.Dadobra.CP.

I tried to remove this trojan manually. However, I can't find this WinSys.exe in my System32 folder even after disabling 'Hide protected operating system files'.

By the way, I don't know how to find a registry path with the comma in the middle. What does the comma mean? How do I find that?

It's weird that Spyware Doctor is capable of detecting and blocking the registry change and the source of this threat, but is unable to detect this threat in its scan and remove it.

Anyway, I think this Trojan-Downloader.Dadobra.CP is the culprit behind all the problems. But I don't know how to remove it. There's no clear guide on the internet either.


----------
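A small triage script for the two artefacts posted in this thread: the HijackThis log shape (the O2/O4/O9/O17 lines in SCC's log) and the `KEY, Name="data"` notation of the Spyware Doctor alert, where the comma separates the registry key from the value name. This is an added example, not code from HijackThis, PC Tools or anyone in the thread; the sample lines are constructed from values already posted, and the EXPECTED_DNS allowlist is an assumption about the poster's ISP resolvers.

```python
"""Triage helpers for a Trend Micro HijackThis 2.0.x log (added example).

Parses the O4 (autorun), O2/O9 (browser helper/button) and O17 (NameServer)
line shapes seen in the posted logs, splits the 'KEY, Name="data"' registry
alert notation, and lists what a reviewer checks before calling a log clean.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the thread's HJT log, plus an O4 line for
# the Run value Spyware Doctor reported. EXPECTED_DNS is an assumption: the
# ISP resolvers shown in the posted O17 lines.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\System32\WinSys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{00FF8A18-3F3C-4DC4-B7F8-300E9ACF6EB8}: NameServer = 202.188.0.133 202.188.1.5
"""
SPYWARE_DOCTOR_ALERT = (r'HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, '
                        r'WinSys="C:\WINDOWS\System32\WinSys.exe"')
EXPECTED_DNS = {"202.188.0.133", "202.188.1.5"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")
ALERT_RE = re.compile(r'^(?P<key>[^,]+), (?P<name>[^=]+)="?(?P<data>[^"]*)"?$')


@dataclass
class Entry:
    section: str            # HJT section code, e.g. "O4"
    body: str               # line text after "O4 - "
    fields: dict = field(default_factory=dict)


def autorun_target(cmd: str) -> str:
    """Return the module an O4 command line actually loads: a quoted path is
    taken whole; for rundll32 it is the DLL argument (up to the comma)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32.exe", "rundll32"):
        return rest.strip().split(",", 1)[0].strip()
    return first


def parse_hjt(text: str) -> list:
    """Split a HJT log into typed entries; unknown shapes keep only the body."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        fields = {}
        if sec == "O4" and (m4 := O4_RE.match(body)):
            fields = m4.groupdict()
            fields["target"] = autorun_target(fields["cmd"])
        elif sec == "O17" and (m17 := O17_RE.search(body)):
            fields["servers"] = m17["servers"].split()
        entries.append(Entry(sec, body, fields))
    return entries


def parse_reg_alert(alert: str) -> dict:
    """Split 'KEY, Name="data"': the comma separates the key from the value name."""
    m = ALERT_RE.match(alert.strip())
    if not m:
        raise ValueError("unrecognised alert format: %r" % alert)
    key = m["key"]
    return {"key": key, "value_name": m["name"], "data": m["data"],
            "autorun": key.upper().endswith(r"\CURRENTVERSION\RUN")}


def review(entries, expected_dns=EXPECTED_DNS, watch_names=()):
    """Findings to check before trusting a 'clean' log:
    orphan        - entry whose backing file HJT could not find
    path-resolved - autorun given as a bare file name (located by PATH search),
                    so confirm which file it really resolves to
    watchlist     - autorun whose file name another tool already reported
    dns           - O17 resolver not on the expected list"""
    watch = {n.lower() for n in watch_names}
    findings = []
    for e in entries:
        if "(no file)" in e.body or "(file missing)" in e.body:
            findings.append(("orphan", e.section, e.body))
        if e.section == "O4" and "target" in e.fields:
            target = e.fields["target"]
            if "\\" not in target:
                findings.append(("path-resolved", e.section, target))
            elif target.rsplit("\\", 1)[-1].lower() in watch:
                findings.append(("watchlist", e.section, target))
        for server in e.fields.get("servers", []):
            if server not in expected_dns:
                findings.append(("dns", e.section, server))
    return findings


if __name__ == "__main__":
    alert = parse_reg_alert(SPYWARE_DOCTOR_ALERT)
    watch = [alert["data"].rsplit("\\", 1)[-1]] if alert["autorun"] else []
    for kind, section, detail in review(parse_hjt(SAMPLE_HJT), watch_names=watch):
        print(f"{kind:14} {section:4} {detail}")
```

Against the constructed sample this reports the two entries with missing files, the PATH-resolved sttray.exe autorun, and the WinSys.exe autorun that matches the Spyware Doctor alert; the SW20/ctfmon/NvCpl entries pass because they point at an explicit path no other tool has flagged.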



## hNic

Install and run Spybot Search and Destroy (Google it).

It will detect any spyware that exists on your machine and will give you the option to remove it.


----------



## GameMaster

Spyware, but this is apparently a Trojan (if it exists).
I am tired of this, and you are really sure you do have a virus, so let's do one more thing, OK?
Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in *Safe Mode* by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to the clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

Now reboot in safe mode. If you don't know how,
*print out* these instructions or save them into a notepad file on your desktop, because you will not have internet access while in *Safe Mode*.
You can *go* into *Safe Mode* by restarting your computer, then continually tapping *F8* until a menu appears. Use your up arrow key to highlight *Safe Mode*, then hit Enter.

How to view hidden files/folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html
Don't forget to hide files/folders again when this is finished.

Search and find these files/folders in red below and delete them:
*Don't worry about files/folders not found*
C:\WINDOWS\System32\*WinSys.exe*
Please delete the *WinSys.exe* file.
When done, reboot in normal mode... tell me about your computer, is it better?


----------



## SCC

Hey, I haven't finished with your SDFix yet. But now another problem has arisen. I tried out Spybot S&D first, the one recommended before you, to test out its detection capability.

It didn't prove much use, anyway, but after the scan a problem occurred on my PC. I can't open any program now. .exe files and any other Windows utility cannot be opened. An error message appears when I open them:

'This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.'

I don't know how to deal with this... I can't restore my Windows using System Restore, nor repair my Windows XP; I can't even Run... any command that uses .exe files, like chkdsk and regedit. Sorry for troubling you, but do you have any idea?


----------



## y2k_itman

SCAN WINDOWS USING THE MCAFEE SDAT FILE
For more information visit this URL:

http://itinfo4u.blogspot.com/2007_10_01_archive.html


----------



## SCC

Hmm... Thanks for your advice, y2k_itman. ^^ But I can't run anything from my PC now. Everything appears with this message: 'This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.' So, fixing this is the priority.


----------



## GameMaster

This is nice!
Finally we found out what the problem is...
Please visit and read this site, as people have the same problems there. There are even methods to work around it.
OK, it says this.


> Method 1
> Start MSN Explorer, and then type the Web address of the Web site that you want to browse to in the Address bar.
> 
> Method 2
> Turn on access to Internet Explorer from the Start menu and desktop, and then use the Run command to browse to the Web site that you want. To do this, follow these steps:
> 1. Click Start, and then click Control Panel.
> 2. Double-click Add or Remove Programs, and then click Add/Remove Windows Components.
> 3. In the Components list, click to select the Internet Explorer check box, and then click Next.
> 4. Click Finish.
> 5. Click Start, and then click Run.
> 6. In the Open box, type the Web address of the Web site that you want to browse to, and then click OK.


Hope it helps!


----------



## StrangleHold

SCC said:


> Hey, I haven't finished with your SDFix yet. But now another problem has arisen. I tried out Spybot S&D first, the one recommended before you, to test out its detection capability.
> 
> It didn't prove much use, anyway, but after the scan a problem occurred on my PC. I can't open any program now. .exe files and any other Windows utility cannot be opened. An error message appears when I open them:
> 
> 'This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.'
> 
> I don't know how to deal with this... I can't restore my Windows using System Restore, nor repair my Windows XP; I can't even Run... any command that uses .exe files, like chkdsk and regedit. Sorry for troubling you, but do you have any idea?


You have been dealing with this for 5 days now; I bet a clean install of XP would have been a little quicker. Do a clean install, update Windows, update all your drivers, install a good antivirus and antispyware program. Run it for a while and see if the problem pops up again. If not, start installing your programs one at a time, and if ZoneAlarm causes you problems, don't install it again.


----------



## SCC

Hmm... Actually, it should be solved by today, if the SDFix works and this problem doesn't appear. And by the way, I want to know how to deal with such a non-obvious and serious problem, which turned out to be a powerful trojan in the end. And most important, I want to know how to detect the cause of hanging and high CPU usage. So, I hope that you guys can help me out.

And about GameMaster's solution... I'm not having that problem. I'm not accessing websites using 'Run...'. I just simply can't open any programs. I believe it's because Windows has lost the file association for .exe files. So, I can't even open Control Panel's utilities, except for a few, like Folder Options. However, I can't save settings either.


----------



## GameMaster

Uh... I don't know; how are you going to run any antivirus software if your computer does that? Now I'm afraid I completely agree you need to quickly reinstall your Windows. Then you will probably be able to open all the programs and all, and then we will get back to cleaning the viruses that did this, OK?


----------



## SCC

Hmm... That's the point. If I'm reinstalling Windows, there's no need to deal with the virus anymore. The virus will be erased when reinstalling Windows. So, you've no more ideas?


----------



## SCC

SDFix: Version 1.130


Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files: 

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found. 

C:\WINDOWS\system32
No streams found. 

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



                                 Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 01:03:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 5


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe"="C:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe:*:Enabled:Virtual PC 2007"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"="C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe:*:Enabled:GG E-Sports Platform Client"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Wed 16 Jan 2008        24,576 ...H. --- "C:\Documents and Settings\SCC\Desktop\~WRL0004.tmp"
Wed 16 Jan 2008        28,160 ...H. --- "C:\Documents and Settings\SCC\Desktop\~WRL0264.tmp"
Wed 16 Jan 2008        30,720 ...H. --- "C:\Documents and Settings\SCC\Desktop\~WRL0720.tmp"
Wed 16 Jan 2008        30,720 ...H. --- "C:\Documents and Settings\SCC\Desktop\~WRL1479.tmp"
Sat 12 Jan 2008       165,232 A..H. --- "C:\Documents and Settings\SCC\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"

Finished! 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:01 AM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://codecs.r8.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1200363860134
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFD392D8-FA1A-4B43-9CE3-CFC26AB49AA2}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 7158 bytes


----------



## SCC

Finally, I found a nice article to fix the lost .exe file association here: http://filext.com/faq/broken_exe_association.php

Anyway, ur SDFix doesn't seem able to find any trojan. Actually, wat makes ur SDFix special? Does it match the commercial anti-spyware programs, like Spyware Doctor?


----------



## SCC

Another symptom of the malware in my pc, which is most likely Trojan-Downloader.Dadobra.CP: it'll try to access www.ftjcfx.com & btfans.3322.org.


----------



## GameMaster

SCC said:


> Finally, I found a nice article to fix the lost .exe file association here: http://filext.com/faq/broken_exe_association.php
> 
> Anyway, ur SDFix doesn't seem able to find any trojan. Actually, wat makes ur SDFix special? Does it match the commercial anti-spyware programs, like Spyware Doctor?



It found and killed 5 rootkits.



> Hmm... That's the point. If I'm reinstalling Windows, no need to deal wif the virus anymore. The virus will be erased together when reinstalling Windows. So, u've no more idea


Lol man, not in all cases. A quick reinstall only replaces the bad files that need it; it doesn't cure viruses. Full install = reformat = loss of all data, and so of the viruses too.

Also, I will take some time to examine the log.


----------



## SCC

Are u sure those're rootkits? The file names & directory of those look like juz some Application Data of MSN Messenger, & don't look like they're causing any prob. The Dadobra still exists. Anyway, I'll wait until u examine ur log 1st. ^^


----------



## GameMaster

Well, Application Data is a very suspicious place to put your folders. You may not know it, but I do. Many viruses are stored there, and why do you think that a virus removal tool would say it found viruses if it didn't? Yes, I am sure those are malware. Not all rootkits though; some of them are Trojans.

Also, I have examined both of the logs.
You are clean. Please tell me, do you suffer any more problems?


----------



## SCC

Hmm... I'll try to see whether my pc is still hanging or not, but my Spyware Doctor still reported that something is trying to access www.ftjcfx.com & btfans.3322.org. Btw, the file names of the trojans that u're referring to are the e-mail addresses of my frens; looks like some data for MSN Messenger.

Anyway, wat distinguishes ur SDFix from commercial anti-spyware programs, like Spyware Doctor? Why can ur SDFix detect the trojans, but mine can't?


----------



## SCC

Oh, my Spyware Doctor still reports that rundll32.exe is trying to write the registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\Winsys.exe"

However, it looks like it's blocked, so my pc still looks clean now. If my Spyware Doctor is closed, then the malware will start to download into my pc. So, there's still something in my pc. Looks like it's so hard to remove.

Btw, I didn't delete the Winsys.exe the time I fixed my pc using SDFix. I can't find the Winsys.exe even wif 'Hide operating system files' disabled.
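As an added defender-side example that is not part of this thread, the Python below parses HijackThis O4 Run entries like those in the log posted above, looks for the image name Spyware Doctor reported (Winsys.exe), and flags entries a reviewer should look at more closely. The sample lines are constructed; the [WinSys] line is an assumption that mirrors the reported Run value, not a line from a real log.

```python
import re

# Constructed HijackThis-style lines modelled on the thread's log; the [WinSys]
# entry is assumed and mirrors the Run value Spyware Doctor reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\System32\Winsys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def split_image(cmd):
    """Split a Run value like CreateProcess does: quoted image, else up to the first space."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args

def parse_o4(log_text):
    """One dict per HKLM/HKCU Run entry; other HijackThis sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            image, args = split_image(m.group("cmd"))
            entries.append({"hive": m.group("hive"), "name": m.group("name"),
                            "image": image, "args": args})
    return entries

def find_image(entries, filename):
    """Entries whose image file name matches, case-insensitively (Windows paths)."""
    return [e for e in entries if e["image"].rsplit("\\", 1)[-1].lower() == filename.lower()]

def reasons_for(e):
    """Why a reviewer should look closer at one entry (empty list = nothing odd)."""
    reasons = []
    if "\\" not in e["image"]:
        reasons.append("no directory given; image resolved via search path")
    if not e["image"].lower().endswith(".exe") and e["args"]:
        reasons.append("unquoted path with spaces; image boundary is ambiguous")
    return reasons

def review(entries):
    """Map entry name -> reasons; entries with nothing odd are omitted."""
    return {e["name"]: r for e in entries if (r := reasons_for(e))}
```

Running `review(parse_o4(SAMPLE_LOG))` flags the bare `RUNDLL32.EXE` and `nwiz.exe` images and the unquoted Acronis path; `find_image(..., "winsys.exe")` returns the HKLM entry so you can confirm whether the reported persistence value is present in a log.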


----------



## GameMaster

OK, see if your system is hanging or not. Also, I have no idea why your SDFix didn't find it. The thing is, if you search for help somewhere, I guess you'd better listen to any advice given. Otherwise what's the point in asking?
I certainly hope your system got better. You are some tough case.


----------



## GameMaster

SCC said:


> Oh, my Spyware Doctor still reports that rundll32.exe is trying to write the registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\Winsys.exe"
> 
> However, it looks like it's blocked, so my pc still looks clean now. If my Spyware Doctor is closed, then the malware will start to download into my pc. So, there's still something in my pc. Looks like it's so hard to remove.
> 
> Btw, I didn't delete the Winsys.exe the time I fixed my pc using SDFix. I can't find the Winsys.exe even wif 'Hide operating system files' disabled.



Uninstall and delete Spyware Doctor. Right now please.
Also, if you didn't find Winsys.exe, it's good, meaning it's cleared (SDFix or ComboFix or sth did it).
If you need some good replacement for Spyware Doctor, I can recommend some.
Use Spybot Search and Destroy; it's good and it also has SDHelper and some online spyware scanners.

Also, I can't see any firewall in your HijackThis log, so I assume you use Windows Firewall.

*FIREWALL*
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient, but it only controls one direction of traffic (inbound). Simply using a firewall in its default configuration can lower your risk greatly.
It's preferable to install one of the suggested firewalls.

*FREE FIREWALLS*

Comodo
Outpost
Sunbelt Kerio

A tutorial about firewalls can be found here

I am also sure your system is running smoothly. Still, update me please.


----------



## SCC

Hmm... Yeah, I do listen. Juz wanna know wat distinguishes ur SDFix from others, since u're asking me to use that. For now, the system is still smooth; juz wonder whether it'll still hang. The Winsys.exe couldn't be found even before I used SDFix.

Why uninstall Spyware Doctor? Is it useless? Or to make the malware show itself? Wat'd u recommend to replace Spyware Doctor? Spybot is useless, isn't it? It made my pc lose the file association wif .exe files too, like the prob I had before I could try SDFix. However, Spyware Doctor is already the top anti-spyware program available. Is there any better substitute?

Hmm... I had installed ZoneAlarm Pro initially, but I think that's the thing that made my pc hang, & that's why I'm posting in this forum. Btw, I think outbound connections are so troublesome. U've to give permission for every act, & some programs can't work well, even if they're allowed in the Program Control. Any advice on this?


----------



## SCC

Hey, the prob still persists. Still hangs... T.T


----------



## GameMaster

Funny. I told you, uninstall Spyware Doctor. You don't need anything for substitution...yet.
Run.dll is a safe and good process/entry. So the Doctor obviously has some problems or sth. You can always install it back again. But if this won't cure your system, you really need to reformat your HDD. So think about uninstalling Spyware Doctor.


----------



## SCC

Hello, GameMaster. Are u still there? If there's no way to fix this, I'm going to reformat...

However, I'd still like to know how to detect the cause of the pc hanging & high CPU usage...


----------



## SCC

Oops, sorry. Didn't notice u replied. Okay, then. I'll try to uninstall the Spyware Doctor. However, the rundll32.exe might be manipulated. If this doesn't work, u've no other way?


----------



## GameMaster

I do.
Just click Allow changes next time.
It's an important Windows process. Google it and you'll see. That's not some virus.


----------



## dznutz

this is what happens when you visit those suspicious porn sites without the proper protection

why uninstall spyware doctor?  I've tried a bunch of others and SD seems to be the best among them


----------



## GameMaster

It was obviously killed/modified by the infections he had. So now he has to uninstall it and reinstall it again (the best thing to do).
Also, he has to click Allow changes in the registry; otherwise, the system will hang because it lacks rundll32.exe, which is, as I said, an important legit Windows file.


----------



## GameMaster

I don't see you answering. Does that mean I have successfully helped you?


----------



## SCC

Sorry for the late reply. Was a lil busy these few days. I've tried reinstalling Spyware Doctor, but it doesn't help. The point is there's still malware residing in my pc, but it's not Spyware Doctor.

I've wiped my system partition & reinstalled my Windows anyway. However, the same prob still appears within 12 hours in my fresh Windows. So, I'm thinking that the malware is residing in my other partitions as well. Wipe the other partitions as well? But I've a lot of data in those partitions. If I back them up, that means I might be backing up the malware as well. Or is my speculation wrong?

If possible, I'd like to open a new topic, specifically on this malware, Trojan-Downloader.Dadobra.CP, as labeled by Spyware Doctor, to get more focused answers.


----------

