Windows keep hanging! Hanged programs cannot be killed. Cause is u



cluberti, try to look on the Trojan-Downloader.Dadobra.CP matter also. I think it's related to this prob.

Btw, how u want me to remove the PCTools driver? This is the Spyware Doctor driver. I think removing it means uninstalling the whole program, right? & for the Acronis, can I juz prevent the processes from running? By stopping the processes from running only, is it capable to make it not affecting the system at all?

Do u found anything that cause this prob? Juz the PCTools, NVidia driver & the Acronis? Is there anything that makes these things causing prob? They shouldn't be causing prob at 1st, even more that they're causing the prob at the same time, right?


cluberti, try to look on the Trojan-Downloader.Dadobra.CP matter also. I think it's related to this prob.

Could very well be, but I can't say for sure. The mutex is abandoned, so I have no way of knowing who owned it.

Btw, how u want me to remove the PCTools driver? This is the Spyware Doctor driver. I think removing it means uninstalling the whole program, right? & for the Acronis, can I juz prevent the processes from running? By stopping the processes from running only, is it capable to make it not affecting the system at all?

The only way to remove kernel-level filter drivers (Spyware Doctor and Acronis) is to uninstall. Disabling user-mode services does nothing to unload kernel drivers, as they load when the kernel does, long before services are even started.

Do u found anything that cause this prob? Juz the PCTools, NVidia driver & the Acronis? Is there anything that makes these things causing prob? They shouldn't be causing prob at 1st, even more that they're causing the prob at the same time, right?

As I said, I don't know for sure, but I do know it's network-related. The nvidia driver and Spyware doctor are both network drivers, and the virus could be too. Not sure about the Acronis software, but with a problem like this I like to remove ALL kernel-mode drivers when possible and work back from there.

However, if you really do have the virus, I'd just back up data and rebuild - you'll never be able to be 100% sure that installation of Windows isn't compromised, ever again.

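The reply above says kernel filter drivers load with the kernel and are unaffected by stopping user-mode services; a read-only inventory makes that visible on a given machine. This is an added example, not code from anyone in the thread. It assumes Windows PowerShell (where `Get-WmiObject` is available), uses a hypothetical helper `Resolve-DriverPath`, and identifies vendors from each file's version resource, which is only a heuristic.

```powershell
# Added example: list running kernel-mode drivers by the phase in which they load.
# Win32_SystemDriver covers kernel and file-system drivers; StartMode mirrors the
# Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$phase = @{
    'Boot'     = '0 - loaded by the boot loader'
    'System'   = '1 - loaded during kernel initialization'
    'Auto'     = '2 - loaded by the Service Control Manager'
    'Manual'   = '3 - loaded on demand'
    'Disabled' = '4 - not loaded'
}

function Resolve-DriverPath([string]$p) {
    # Driver image paths appear in several forms; normalize to a plain file path.
    if (-not $p) { return $null }
    $p = $p -replace '^\\\?\?\\', ''                        # strip a leading \??\
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # expand \SystemRoot\
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$drivers = Get-WmiObject Win32_SystemDriver | ForEach-Object {
    $path   = Resolve-DriverPath $_.PathName
    $vendor = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $vendor = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
    }
    New-Object PSObject -Property @{
        Name = $_.Name; State = $_.State; Phase = $phase[$_.StartMode]
        Vendor = $vendor; Path = $path
    }
}

# Running drivers whose vendor is not Microsoft (or is unknown). Stopping the
# vendor's user-mode service leaves every one of these loaded in the kernel.
$drivers |
    Where-Object { $_.State -eq 'Running' -and $_.Vendor -notmatch 'Microsoft' } |
    Sort-Object Phase, Name |
    Format-Table Phase, Name, Vendor, Path -AutoSize
```

Running it before and after an uninstall shows whether the product's drivers are actually gone, which is the starting point for removing third-party kernel drivers and working back.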

Hmm... I know. But I encountered same prob twice, so thinking of how to prevent it & troubleshoot it. So, u think this trojan is the culprit as well? Btw, are u able to find the source of creating this prob? Those settings are not intended to be so initially, right?


Hmm... I know. But I encountered same prob twice, so thinking of how to prevent it & troubleshoot it. So, u think this trojan is the culprit as well?

If a machine has a virus, trojan, malware, what have you - that is suspect until completely removed. So yes, I'd consider it a good possibility.

Btw, are u able to find the source of creating this prob?

No - the mutex is abandoned, and it's unowned. I can't go back in time and figure it out for sure :), so I have to make educated guesses.


I see. Juz a question, the abandoned mutex should be caused by the trojan, right? Could it be abandoned bcoz it's partially removed?

So, the best move now is to remove the trojan 1st?

Btw, may I know how to analyze the dump files? Do I need any technical knowledge? Is there any tutorial on internet?


I see. Juz a question, the abandoned mutex should be caused by the trojan, right? Could it be abandoned bcoz it's partially removed?

It was abandoned because someone wrote crappy code, but otherwise I cannot answer that question. Mutexes aren't removed, they're allocated and released - the kernel creates and deletes them (so if one is abandoned, it means a driver didn't free it before it terminated that thread or unloaded itself).

So, the best move now is to remove the trojan 1st?

Always, yes.

Btw, may I know how to analyze the dump files? Do I need any technical knowledge? Is there any tutorial on internet?

To debug you need at least the following:

1. Decent knowledge of C/C++ (and if you're debugging an app written in another language, you need to know that too) - being able to write code is not required, as just reading code is sufficient to do basic debugging. However, being able to write code means you can think in code, which you will have to be able to do when attempting any debug that is above and beyond something easy, like debugging an application crash is easy, but tracking down a system hang or "slowness" in an app or the system is much harder. You also need to be able to understand and follow Intel assembly language as well.

2. Knowledge of memory management, structures, code flow, reading hex, cpu registers and what they are and how they can be populated, heap structures, etc.

3. If you are debugging the Windows kernel, you need to understand how the memory manager works, how the kernel executive works, and a general understanding of how usermode and kernelmode apps, services, and drivers interact.

4. Understand debugging is part science, part art.

I would suggest first learning enough C++ to write a basic notepad program, a basic service, and a basic kernel driver. Then, acquire and read the books "Windows Internals, 4th Edition" and "Advanced Windows Debugging". Once you've gone through those books a few times and you've got decent code skills, start trying to debug things on your own machine or from dumps available here to work on your skills.

There are classes you can take to learn more about debugging, but you will still be expected to have code, assembly, and basic debug knowledge even for these classes. I don't endorse one school or training center above another, because I've not used any, but I know they're out there.


I've a new prob arises. I tried Spybot S&D to test out its detection capability.

It doesn't prove much use, anyway, but after I finish the scan using it, & clean several tracking cookies, & all the programs cannot be opened now!

Any .exe, .bat, & maybe more files can't be opened! An error msg will appears when I open any such files.

'This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.'

I can't restore my Windows using System Restore, neither repair my Windows XP. Can't even Run... regedit or chkdsk things... Wat can I do now?


How to fix Dadobra Trojan?

This problem can be solved manually by deleting all registry keys and files connected with this software, removing it from startup list and unregistering all corresponding DLLs. Additionally missing DLLs should be restored from distribution in case they are corrupted by Dadobra Trojan. To fix this threat, you should:

1. Kill the following processes and delete the appropriate files:

• nfw32.exe

• relacionamentos_amorosos.exe

• surpresa_exitvip.exe

• whp32.exe

• whpe.exe

2. Delete the following malicious folders:

• C:\Documents and Settings\User\Desktop\relacionamentos_amorosos\

• C:\Documents and Settings\User\Desktop\surpresa_exitvip\

Best done in safe mode.

Best yet do a full reformat as suggested earlier. Then tighten your security.

Edited by Kelsenellenelvian

Thx for ur advice, Kelsenellenelvian. ^^ But I can't run anything now, opening the programs will appears this msg: 'This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.' So, the priority is to fix this prob 1st.


Unless you're trying to fix this as a learning exercise, I'm going to suggest backing your data up off of that machine and rebuilding - it'll be quicker, and you'll know for certain the install doesn't have a virus.

If you're fixing this to learn how to fix it, however, and don't mind the downtime, then by all means don't let me stand in your way ;).
