SCC2002 Posted January 18, 2008 (edited)

Hi. ^^ I'm having a problem lately. I'm using Windows XP SP2. My Windows keeps hanging recently. The programs will hang eventually after I start Windows, and the cause is unknown. I've been suffering from this for quite some time already, so I really hope that you can help me out, even though I wrote a lot. Please help me, even though I wrote a lot. These are all the details of this problem. This might be a new virus outbreak as well. Your help is very, very much appreciated.

The hanging process is hastened when I'm connected to the internet. The hung programs cannot be killed, even in Windows Task Manager. I'm using several programs that are problematic in this issue: BitComet 0.98, Windows Live Messenger 8.1 and Mozilla Firefox. After I connect to the internet, I'll usually open these programs, and these are the programs that hang in this issue. BitComet will hang first, then Windows Live Messenger. Mozilla Firefox will then become unable to connect to the internet. BitComet and Windows Live Messenger will appear to be unable to be killed, even in Windows Task Manager, after they hang.

Symptoms
The status bar under the Mozilla Firefox window shows 'Stopped', but the tabs are still showing 'Loading...'. I'm suspecting some service stopping Firefox's access to the internet. Might be a rootkit.
Another symptom is that Windows will appear to be locked. After the hanging occurs, the logged-on user cannot be logged off or switched to another user. After clicking Log Off on the Start Menu, an 'Unlock Computer' window appears. The window includes spaces to be filled in with a Windows account username and password. However, changing to another user account cannot succeed, but logging back in to the current account can be done.
Besides, a restart can't be made after the programs hang. Only pressing the Reset button on the CPU can solve the problem, but it'll occur again eventually.

Origins
I'm suspecting this is a malware or virus problem, but I've tried scanning with Spyware Doctor and SpySweeper, both with anti-virus; no threat found.
Actually, I encountered this problem once a few months ago, after installing ZoneAlarm Pro and NOD32, both trial versions. After suspecting that this was a malware or virus problem, I did a scan with NOD32, and then... I'm suspecting a virus... The virus reacted immediately during the scan. It spoilt my system partition's MFT and MFT mirror, causing the loss of my data.
I thought this was a virus that infected from the internet, so I installed ZoneAlarm Pro again after reinstalling my Windows, and the problem occurred again.
I've ruled out the possibility of NOD32 causing the problem, because I thought that NOD32 was causing the problem initially, and I made an image of the system partition before installing NOD32. The problem occurred after installing NOD32, so I reverted to the image I had made, but the problem still occurred, and the only new program I had installed in the image was ZoneAlarm Pro. So, I'm suspecting ZoneAlarm Pro causes the problem, since I'm experiencing the identical problem after installing this program twice. I didn't have this problem before I installed ZoneAlarm Pro. And I don't dare to make a scan again, afraid of losing data again.

Detecting cause of hanging or high CPU usage
By the way, I can't detect what causes the hanging in this problem. I've checked Windows Task Manager; the CPU usage is fine, and the 'System' and 'System Idle Process' processes don't act strangely either. Just that those programs keep hanging and can't be killed.
So, I'd like to know how to detect the cause of a PC hanging, or of CPU usage staying high while I'm not running any resource-demanding programs. Just want to know in case of troubleshooting this kind of problem in future.

In conclusion, I hope that you can help me with this problem. What I wrote might be a little long, but please do help me out. I'll appreciate your assistance very much. This might be a new virus outbreak as well. So, thanks in advance! Hope to hear from you soon. ^^

Edited January 18, 2008 by SCC2002
cluberti Posted January 18, 2008

Get a dump of the box next time something hangs, noting what process is hung and for how long, and then compress and upload it somewhere we can all get to it to download and analyze.
SCC2002 Posted January 18, 2008 (Author)

Oh, okay. I'll try to.
Oh, in addition to the things I've said, Windows will hang more often if BitComet is opened, and even more often, almost immediately, after I open Windows Live Messenger together with BitComet. In the end, both will hang anyway.
By the way, cluberti, can you help me to edit my topic name? It has a little mistake. It should be 'Cause is unknown.' Thanks. ^^
Should I create dumps for the applications or the whole system? Since the whole system might be compromised.
cluberti Posted January 18, 2008

> Should I create dumps for the applications or the whole system? Since the whole system might be compromised.

The whole box would be better - just let us know once you get the dump which application hung, and approximately how long you noticed it was hung before you took the memory dump.
SCC2002 Posted January 19, 2008 (Author)

What do you mean by whole box? And what message indicates the end of creating the memory dump? A warning appears after I enter the command in the command prompt. It says 'WARNING! An '_NT_SYMBOL_PATH' environment variable is not set. Please check the application event log or the ADPlus-report.txt for more details.', followed by 'Attaching the debugger to: BITCOMET.EXE <Process ID: 2624>'. Is the dump creation process completed?
By the way, about the files created, do I need to upload all 5 files? And for the text file, do I need to copy and paste it into this topic?
cluberti Posted January 19, 2008

> What do you mean by whole box?

I meant you should be following the "Memory dump of the entire system:" section. What you did is a good first start though - we'll see what we can see from the application hang dump.

> Is the dump creation process completed?

Yes it is - you will need to zip everything in the "Hang Mode..." folder, as it all goes together (the log files, the dump files, and the config info in the folders).
SCC2002 Posted January 19, 2008 (Author)

But all of them together will be very large in size, especially the .dmp file. It is 61.3MB!
cluberti Posted January 19, 2008

> But all of them together will be very large in size, especially the .dmp file. It is 61.3MB!

That's why you .zip it up - remember, all of that data is just text (the dump is binary text, but still text). It should compress at least 50%.
SCC2002 Posted January 19, 2008 (Author)

Yeah, true, but it's still quite large for an attachment on a forum. A zip file will do, right? It's around 21MB. The forum's attachment limit is 200KB only. What should I do then?
SCC2002 Posted January 20, 2008 (Author)

Erm... cluberti? Are you still there? Can you continue to look at my problem? Or is there anyone else who can give me some advice?
nitroshift Posted January 20, 2008

Now that you have the .dmp file compressed, find a place on the internet where you can upload that file and come back with the link to it for cluberti to have a look at. And yes, I'm sure cluberti is still willing to help, but we are all volunteers here.
cluberti Posted January 20, 2008

And it's the weekend and I have a wife and kids. Nitroshift said what I would have, though - upload it somewhere that hosts files on the internet, and post the download link here.
SCC2002 Posted January 21, 2008 (Author, edited)

Oh. Sorry for the urging. =p Didn't know that. Hehe. Just felt I waited a little long... Anyway, I've uploaded the files. They're in .rar format, due to their large size. Fine with you guys, right?

Here's the list of the memory dump files: http://hosted.filefront.com/SCC2002/

The Hang_Mode__Date_01-19-200M.rar is BitComet.exe, which is BitComet 0.94. It is also linked by http://files.filefront.com/Hang+Mode+Date+...;/fileinfo.html
The Hang_Mode__Date_01-20-200M.rar is Msnmsgr.exe, which is Windows Live Messenger 8.1. Also linked by http://files.filefront.com/Hang+Mode+Date+...;/fileinfo.html
And the MEMORY.rar is the system dump. It is also linked by http://files.filefront.com/MEMORYrar/;9473796;/fileinfo.html

Please bear in mind that you might not immediately start downloading once you click on the Download button. It might try a few times before it starts to download; just leave it there for a while and it'll start eventually, it won't be too long. So, I'll leave the analysis to you. ^^

Edited January 21, 2008 by SCC2002
cluberti Posted January 21, 2008

Well, I can understand how processes across the whole machine appear to be hanging - it appears something at the kernel level in the network stack is causing this. Here are the BitComet and MSN Messenger dumps so you can see how I determined the network stack is at fault.

From the BitComet dump:

// There are three critical sections that are locked in this dump, and
// the third one in the list is the important one - it's holding everything
// else up:

0:000> !locks
CritSec +14744f8 at 014744f8
LockCount          0
RecursionCount     1
OwningThread       208
EntryCount         0
ContentionCount    0
*** Locked

CritSec +14737b0 at 014737b0
LockCount          0
RecursionCount     1
OwningThread       8a8
EntryCount         0
ContentionCount    0
*** Locked

CritSec +1234088 at 01234088
LockCount          1
RecursionCount     1
OwningThread       208
EntryCount         4
ContentionCount    4
*** Locked

// The thread owning the critsec is thread 0, so if it's waiting on
// something, the whole window or application will appear to hang:

0:000> kb
ChildEBP RetAddr  Args to Child
0012f4f4 7c90d8ef 71a5da55 000006ac 00000000 ntdll!KiFastSystemCallRet
0012f4f8 71a5da55 000006ac 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012f59c 71a555af 01233ff0 0012f714 00000010 mswsock!SockDoConnectReal+0x1b0
0012f644 71a5542c 000008e0 0012f714 00000010 mswsock!SockDoConnect+0x392
0012f674 71ab40bd 000008e0 0012f714 00000010 mswsock!WSPConnect+0xc6
0012f6c0 0053c485 000008e0 0012f714 00000010 ws2_32!connect+0x4f
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f728 0053b7b4 014c59c0 0000c350 aa88f6ba BitComet+0x13c485
0012f7cc 0040826c 00000000 0192a700 007009f2 BitComet+0x13b7b4
0012f854 005bdde5 01473890 0447e080 0447e0b8 BitComet+0x826c
0012f870 005ab2d0 0447e080 0447e0b8 0447e300 BitComet+0x1bdde5
0012f8c4 005617eb 0012f938 aa88f80e 00000000 BitComet+0x1ab2d0
0012f918 005513a9 aa88f8b2 00000000 7c809728 BitComet+0x1617eb
0012f9a4 005bce09 014744a0 014d3db8 00000000 BitComet+0x1513a9
0012f9bc 0045f761 aa88f8de 014d3db8 00000000 BitComet+0x1bce09
0012fae8 00697c52 00000000 aa88fa96 00000113 BitComet+0x5f761
0012fb80 006934f8 00000113 00000000 0082a260 BitComet+0x297c52
0012fba0 0050af0a 00000113 00000000 00000000 BitComet+0x2934f8
0012fc0c 0048396e aa88fd2a 0012fc84 0012fc68 BitComet+0x10af0a
0012fc3c 0050ab14 aa88fd5e 00000113 014d3db8 BitComet+0x8396e
0012fc98 00695e1f 00000113 00000000 00000000 BitComet+0x10ab14
0012fd00 00695eac 00000000 0001059c 00000113 BitComet+0x295e1f
0012fd20 7e418734 0001059c 00000113 00000000 BitComet+0x295eac
0012fd4c 7e418816 00695e78 0001059c 00000113 user32!InternalCallWinProc+0x28
0012fdb4 7e4189cd 0017ace8 00695e78 0001059c user32!UserCallWinProcCheckWow+0x150
0012fe14 7e418a10 001790e8 00000000 00000000 user32!DispatchMessageWorker+0x306
0012fe24 0069b41c 001790e8 001790e8 00975040 user32!DispatchMessageW+0xf
00000000 00000000 00000000 00000000 00000000 BitComet+0x29b41c

Note it's waiting on a return from the mswsock call, which is the socket functionality. It sent data over the wire, and is waiting for a response.

Now, onto the MSN Messenger dump, showing similar issues:

// Again, two critical sections are locked, but the first in this list is
// the important one:

0:000> !locks
CritSec +25b29f0 at 025b29f0
LockCount          0
RecursionCount     1
OwningThread       eac
EntryCount         0
ContentionCount    0
*** Locked

CritSec +25b2b18 at 025b2b18
LockCount          0
RecursionCount     1
OwningThread       b88
EntryCount         0
ContentionCount    0
*** Locked

// Again, this is blocked in thread 0 waiting on mswsock, so the app
// is going to appear hung until this network request comes back:

0:000> kb
ChildEBP RetAddr  Args to Child
0006faf0 7c90d8ef 71a5da55 000007bc 00000000 ntdll!KiFastSystemCallRet
0006faf4 71a5da55 000007bc 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0006fb98 71a555af 025b2958 0006fcd8 00000010 mswsock!SockDoConnectReal+0x1b0
0006fc40 71a5542c 00000660 0006fcd8 00000010 mswsock!SockDoConnect+0x392
0006fc70 71ab40bd 00000660 0006fcd8 00000010 mswsock!WSPConnect+0xc6
0006fcbc 004a2084 00000660 0006fcd8 00000010 ws2_32!connect+0x4f
WARNING: Stack unwind information not available. Following frames may be wrong.
0006fcec 004a971f d8d094db 004a96b8 01f18cd8 msnmsgr+0xa2084
0006fd10 004aef2b 00170388 01fe57e0 d8d0948f msnmsgr+0xa971f
0006fd44 0047a120 00000400 00296220 008bc214 msnmsgr+0xaef2b
0006fd5c 0046fdc3 00000400 00000003 00000000 msnmsgr+0x7a120
0006fd74 0046fd76 0001081e 00000400 00000003 msnmsgr+0x6fdc3
0006fdc4 7e418734 00296220 00000000 00000003 msnmsgr+0x6fd76
0006fdf0 7e418816 01a40f30 0001081e 00000400 user32!InternalCallWinProc+0x28
0006fe58 7e4189cd 00000000 01a40f30 0001081e user32!UserCallWinProcCheckWow+0x150
0006feb8 7e418a10 0006fed8 00000000 0006fef4 user32!DispatchMessageWorker+0x306
0006fec8 0040328d 0006fed8 00926470 0001081e user32!DispatchMessageW+0xf
0006fef4 00542f57 008bb820 591610fb 0006ff24 msnmsgr+0x328d
0006ff04 0055d188 00000000 0055d0be 009294a8 msnmsgr+0x142f57
0006ff24 00561550 0009233d 0006ffc0 00561581 msnmsgr+0x15d188
0006ff30 00561581 00400000 00000000 0009233d msnmsgr+0x161550
0006ffc0 7c816fd7 00340039 00320032 7ffd7000 msnmsgr+0x161581
0006fff0 00000000 005708ed 00000000 78746341 kernel32!BaseProcessStart+0x23

And looking at the full dump, I'm going to blame either the PCTools software's TDI driver or the Nvidia miniport driver:

// In the full dump, we have an abandoned mutex that appears to be
// created by a network driver:

0: kd> dt nt!_KMUTANT 0xba398cc0
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListEntry  : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x018 OwnerThread      : (null)
   +0x01c Abandoned        : 0 ''      // it says it isn't abandoned, but it really is...
   +0x01d ApcDisable       : 0x1 ''

// Looking at the nv4_mini driver's callstacks, I can see that this is
// a mutex similar to the ones it's currently set up:

0: kd> !thread 89b6fda8
THREAD 89b6fda8  Cid 0004.04f0  Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
    ba398cc0  Mutant - owning thread 0
    ba398cb0  SynchronizationEvent
Not impersonating
DeviceMap                 e1009288
Owning Process            89e23830       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      1109           Ticks: 2319973 (0:10:04:09.578)
Context Switch Count      1
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Start Address nv4_mini (0xba020030)
Stack Init b781f000 Current b781ed10 Base b781f000 Limit b781c000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child
b781ed28 80502d26 00000000 89b6fda8 804fac40 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
b781ed34 804fac40 00000000 89b6fda8 804fa9bc nt!KiSwapThread+0x8a (FPO: [0,0,0]) (CONV: fastcall)
b781ed6c ba020068 00000002 b781eda8 00000000 nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo]) (CONV: stdcall)
WARNING: Stack unwind information not available. Following frames may be wrong.
b781edac 805ce84c 00000000 00000000 00000000 nv4_mini+0x1d068
ba398cb0 00000000 89b6fe30 8886f0a8 00080002 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo]) (CONV: stdcall)

0: kd> dt nt!_KMUTANT ba398cc0
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListEntry  : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x018 OwnerThread      : (null)
   +0x01c Abandoned        : 0 ''
   +0x01d ApcDisable       : 0x1 ''

There are 4 mutexes like the one above, all waiting on the abandoned mutex. Since this is a mutex in a network driver, this is the likely culprit causing the mswsock hangs, as the network stack is likely hung at this point.

Here are the nvidia and pctools drivers - I'd remove the pctools driver (and the Acronis software too, as that has a LOT of waiters here that you should remove for testing, and only put back when the problem is gone) and update the nvidia driver(s):

0: kd> lmvm nv4_mini
start    end        module name
ba003000 ba3c17a0   nv4_mini   (deferred)
    Image path: \SystemRoot\system32\DRIVERS\nv4_mini.sys
    Image name: nv4_mini.sys
    Timestamp:        Thu Jun 01 21:11:09 2006 (447F902D)
    CheckSum:         003C1170
    ImageSize:        003BE7A0
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0

0: kd> lmvm pctfw2
start    end        module name
b7986000 b79c0000   pctfw2     (no symbols)
    Loaded symbol image file: pctfw2.sys
    Image path: \??\C:\WINDOWS\system32\drivers\pctfw2.sys
    Image name: pctfw2.sys
    Timestamp:        Thu Nov 29 15:27:58 2007 (474F20CE)
    CheckSum:         0003BEFC
    ImageSize:        0003A000
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0
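The triage cluberti walked through above (find the contended critical section in `!locks`, look at its owner's `kb` stack, notice the top frames are in mswsock/ws2_32 and so the wait is below the application) follows a fixed pattern, and it is worth automating when you have several hang dumps to sort. The script below is an added example, not code from this thread or from cluberti: it parses the text that `!locks` and `~*kb` print, picks the most contended locked critsec, and reports which network-layer frames its owning thread is parked in. The two critsecs and thread 0's frames in the sample are copied from the BitComet dump above; the `a40` process id in the `~*kb` headers (2624 from the ADPlus banner, in hex), thread 1's idle-wait stack, and the `NETWORK_MODULES` list are assumptions made for the example.

```python
# Added example (not code from this thread or from cluberti): automate the
# reasoning above by parsing WinDbg text. Find the contended critical section
# in `!locks`, look up its owner in `~*kb`, and report whether that thread is
# parked in the Winsock layer (mswsock / ws2_32), i.e. waiting on the network.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: frames in these modules mean "waiting on a socket call below the app".
NETWORK_MODULES = {"mswsock", "ws2_32", "wshtcpip", "wsock32"}

@dataclass
class CritSec:
    address: str
    lock_count: int
    owning_thread: str          # hex TID as !locks prints it, leading zeros dropped
    contention_count: int
    locked: bool

@dataclass
class Verdict:
    critsec: CritSec
    owner_index: Optional[int]  # debugger thread number (~N), None if not listed
    network_frames: List[str] = field(default_factory=list)

_CRITSEC_RE = re.compile(
    r"CritSec\s+\S+\s+at\s+(?P<addr>[0-9a-fA-F]+)\s+LockCount\s+(?P<lc>-?\d+)\s+"
    r"RecursionCount\s+\d+\s+OwningThread\s+(?P<tid>[0-9a-fA-F]+)\s+EntryCount\s+\d+\s+"
    r"ContentionCount\s+(?P<cc>\d+)\s*(?P<locked>\*\*\* Locked)?")
# "~*kb" prints ".  0  Id: a40.208 Suspend: 1 ..." before each thread's frames
_THREAD_HDR_RE = re.compile(r"^[.#\s]*(?P<idx>\d+)\s+Id:\s*[0-9a-fA-F]+\.(?P<tid>[0-9a-fA-F]+)")
# kb frame: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol (WARNING/unwind notes do not match)
_FRAME_RE = re.compile(r"^[0-9a-fA-F]{8}\s+[0-9a-fA-F]{8}\s+(?:[0-9a-fA-F]{8}\s+){3}(?P<sym>\S+)")

def _tid(raw: str) -> str:
    return raw.lower().lstrip("0") or "0"

def module_of(symbol: str) -> str:
    # "mswsock!Func+0x10" -> "mswsock"; "BitComet+0x13c485" -> "bitcomet"
    return re.split(r"[!+]", symbol, maxsplit=1)[0].lower()

def parse_locks(text: str) -> List[CritSec]:
    return [CritSec(m["addr"].lower(), int(m["lc"]), _tid(m["tid"]), int(m["cc"]),
                    m["locked"] is not None) for m in _CRITSEC_RE.finditer(text)]

def parse_all_stacks(text: str) -> Dict[str, tuple]:
    # {tid: (thread index, [symbol, ...])}
    stacks: Dict[str, tuple] = {}
    frames: Optional[List[str]] = None
    for line in text.splitlines():
        hdr = _THREAD_HDR_RE.match(line)
        frm = _FRAME_RE.match(line.strip())
        if hdr:
            frames = []
            stacks[_tid(hdr["tid"])] = (int(hdr["idx"]), frames)
        elif frm and frames is not None:
            frames.append(frm["sym"])
    return stacks

def triage(locks_text: str, stacks_text: str) -> Optional[Verdict]:
    contended = [c for c in parse_locks(locks_text) if c.locked and c.contention_count > 0]
    if not contended:
        return None                                 # nothing queued on a critsec
    worst = max(contended, key=lambda c: (c.contention_count, c.lock_count))
    entry = parse_all_stacks(stacks_text).get(worst.owning_thread)
    if entry is None:
        return Verdict(worst, None)                 # owner TID not in the thread list
    idx, frames = entry
    return Verdict(worst, idx, [s for s in frames if module_of(s) in NETWORK_MODULES])

# Sample input. The two critsecs and thread 0's frames are from the BitComet dump
# quoted above; the "a40" PID (2624 from the ADPlus banner, in hex) and thread 1's
# idle-wait stack are constructed for this example.
LOCKS_SAMPLE = """CritSec +14737b0 at 014737b0
LockCount          0
RecursionCount     1
OwningThread       8a8
EntryCount         0
ContentionCount    0
*** Locked
CritSec +1234088 at 01234088
LockCount          1
RecursionCount     1
OwningThread       208
EntryCount         4
ContentionCount    4
*** Locked
"""
STACKS_SAMPLE = """.  0  Id: a40.208 Suspend: 1 Teb: 7ffde000 Unfrozen
0012f4f4 7c90d8ef 71a5da55 000006ac 00000000 ntdll!KiFastSystemCallRet
0012f4f8 71a5da55 000006ac 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012f59c 71a555af 01233ff0 0012f714 00000010 mswsock!SockDoConnectReal+0x1b0
0012f644 71a5542c 000008e0 0012f714 00000010 mswsock!SockDoConnect+0x392
0012f674 71ab40bd 000008e0 0012f714 00000010 mswsock!WSPConnect+0xc6
0012f6c0 0053c485 000008e0 0012f714 00000010 ws2_32!connect+0x4f
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f728 0053b7b4 014c59c0 0000c350 aa88f6ba BitComet+0x13c485
   1  Id: a40.8a8 Suspend: 1 Teb: 7ffdd000 Unfrozen
00aaffa0 7c8025db 000000c8 00000000 00000000 ntdll!ZwWaitForSingleObject+0xc
00aaffb4 7c80b713 000000c8 ffffffff 00000000 kernel32!WaitForSingleObject+0x12
"""

if __name__ == "__main__":
    v = triage(LOCKS_SAMPLE, STACKS_SAMPLE)
    print(f"critsec {v.critsec.address} owned by TID {v.critsec.owning_thread} (~{v.owner_index})")
    print("network frames:", v.network_frames or "none - look at the owner's own code")
```

Run it against the text saved from a `!locks` and `~*kb` session (`.logopen` in WinDbg captures it). A non-empty `network_frames` list says the owner is stuck in a Winsock call and the fault is below the process, which is the point at which the kernel dump, not the user-mode dump, becomes the thing to read; an empty list means the owner is spinning or waiting in its own code and the application is the suspect.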
SCC2002 Posted January 21, 2008 (Author)

I think I found something. Some trojan exists on my PC, and it can't be removed even by Spyware Doctor and SpySweeper. I came across a GPU overclocking utility installed on my PC, installed together with my NVidia 7600GT driver, and when I simply enable and disable the D.O.T (Dynamic Over-Clocking Technology) feature, a registry change is blocked by my Spyware Doctor. The registry path found is HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\WinSys.exe", and the threat name found is Trojan-Downloader.Dadobra.CP.
I tried to remove this trojan manually. However, I can't find this WinSys.exe in my System32 folder, even after disabling 'Hide protected operating system files'.
By the way, I don't know how to find the registry path with the comma in the middle. What does the comma mean? How do I find that?
It's weird that Spyware Doctor is capable of detecting and blocking the registry change and the source of this threat, but is unable to detect this threat in its scan and remove it. Why?
Anyway, I think this Trojan-Downloader.Dadobra.CP is the culprit behind all the problems. But I don't know how to remove it. No clear guide on the internet either.