Windows keep hanging! Hanged programs cannot be killed. Cause is u


Hi. ^^ I'm having a problem lately. I'm using Windows XP SP2. My Windows keeps hanging recently. The programs will hang eventually after I start Windows, and the cause is unknown. I've been suffering from this for quite some time already. So I really hope that you can help me out, even though I wrote a lot.

PLEASE HELP ME, EVEN THOUGH I WROTE A LOT. THEY'RE ALL DETAILS OF THIS PROBLEM. THIS MIGHT BE A NEW VIRUS OUTBREAK AS WELL. YOUR HELP IS VERY VERY MUCH APPRECIATED.

The hanging is hastened when I'm connected to the internet. The hung programs cannot be killed even in Windows Task Manager. I'm using several programs that are problematic in this issue: BitComet 0.98, Windows Live Messenger 8.1 and Mozilla Firefox.

After I connect to the internet, I'll usually open these programs, and these are the programs that hang in this issue. BitComet will hang first, then Windows Live Messenger. Mozilla Firefox will then become unable to connect to the internet. BitComet and Windows Live Messenger cannot be killed even in Windows Task Manager after they hang.

Symptoms

The status bar under the Mozilla Firefox window shows 'Stopped', but the tabs are still showing 'Loading...'. I suspect some service is stopping Firefox's access to the internet. Might be a rootkit.

Another symptom is that Windows will appear to be locked. The logged-on user after the hang occurs cannot be logged off or switched to another user. After clicking Log Off on the Start Menu, an 'Unlock Computer' window appears. The window includes fields to be filled in with a Windows account username and password. However, changing to another user account cannot succeed, but logging back in to the current account can be done.

Besides, a restart can't be done after the programs hang. Only pressing the Reset button on the CPU solves the problem, but it'll occur again eventually.

Origins

I suspect this is a malware or virus problem, but I've tried scanning with Spyware Doctor and SpySweeper, both with anti-virus; no threat found.

Actually, I encountered this problem once a few months ago, after installing ZoneAlarm Pro and NOD32, both trial versions. After suspecting that this was a malware or virus problem, I did a scan with NOD32.

And then...

I suspect a virus... The virus reacted immediately during the scan. It spoilt my system partition's MFT and MFT mirror, resulting in the loss of my data.

I thought this was a virus that infected me from the internet, so I installed ZoneAlarm Pro again after reinstalling Windows, and the problem occurred again.

I've ruled out the possibility of NOD32 causing the problem, because I thought that NOD32 was causing the problem initially, and I made an image of the system partition before installing NOD32. The problem occurred after installing NOD32, so I reverted to the image I'd made, but the problem still occurred, and the only new program I'd installed in the image is ZoneAlarm Pro.

So, I suspect ZoneAlarm Pro causes the problem, since I'm experiencing the identical problem after installing this program twice. I didn't have this problem before I installed ZoneAlarm Pro. And I don't dare to make a scan again, afraid of losing data again.

Detecting cause of hanging or high CPU usage

By the way, I can't detect what causes the hanging in this problem. I've checked Windows Task Manager; the CPU usage is fine, and the 'System' and 'System Idle Process' processes don't act strangely either. Just that those programs keep hanging and can't be killed.

So, I'd like to know how to detect the cause of a PC hanging, or of CPU usage staying high while I'm not running any resource-demanding programs. Just want to know in case I have to troubleshoot this kind of problem in future.

IN CONCLUSION, I HOPE THAT YOU CAN HELP ME WITH THIS PROBLEM. WHAT I WROTE MIGHT BE A LITTLE LONG, BUT PLEASE DO HELP ME OUT. I'LL APPRECIATE YOUR ASSISTANCE VERY MUCH. THIS MIGHT BE A NEW VIRUS OUTBREAK AS WELL. SO, THANKS IN ADVANCE! HOPE TO HEAR FROM YOU SOON. ^^

Edited by SCC2002


Oh, okay. I'll try to.

Oh, in addition to the things I've said, Windows will hang more often if BitComet is open, and even more often, almost immediately, after I open Windows Live Messenger together with BitComet. In the end, both will hang anyway.

By the way, cluberti, can you help me edit my topic name? It has a little mistake. It should be 'Cause is unknown.' Thanks. ^^

Should I create dumps for the applications or the whole system? Since the whole system might be compromised.


Should I create dumps for the applications or the whole system? Since the whole system might be compromised.

The whole box would be better - just let us know once you get the dump which application hung, and approximately how long you noticed it was hung before you took the memory dump.


What do you mean by whole box?

And what message indicates the end of creating the memory dump? A warning appears after I enter the command in the command prompt.

It says 'WARNING! An '_NT_SYMBOL_PATH' environment variable is not set. Please check the application event log or the ADPlus-report.txt for more details.' followed by 'Attaching the debugger to: BITCOMET.EXE <Process ID: 2624>'.

Is the dump creation process completed?

By the way, about the files created, do I need to upload all 5 files? And for the text file, do I need to copy and paste it into this topic?


What do you mean by whole box?

I meant you should be following the "Memory dump of the entire system:" section. What you did is a good first start though - we'll see what we can see from the application hang dump.

Is the dump creation process completed?

Yes it is - you will need to zip everything in the "Hang Mode..." folder, as it all goes together (the log files, the dump files, and the config info in the folders).


But all of them together will be very large, especially the .dmp file. It is 61.3MB!

That's why you .zip it up - remember, all of that data is just text (the dump is binary text, but still text). It should compress at least 50%.


Now that you have the .dmp file compressed, find a place on the internet where you can upload that file and come back with the link to it for cluberti to have a look at it. And yes, I'm sure cluberti is still willing to help, but we are all volunteers here ;)


Oh. Sorry for the urging. =p Didn't know that. Hehe. Just felt I waited a little long... Anyway, I've uploaded the files. They're in .rar format, due to their large size. Fine with you guys, right?

Here's the list of the memory dump files.

http://hosted.filefront.com/SCC2002/

The Hang_Mode__Date_01-19-200M.rar is BitComet.exe, which is BitComet 0.94. It is also linked at http://files.filefront.com/Hang+Mode+Date+...;/fileinfo.html

The Hang_Mode__Date_01-20-200M.rar is Msnmsgr.exe, which is Windows Live Messenger 8.1. Also linked at

http://files.filefront.com/Hang+Mode+Date+...;/fileinfo.html

And the MEMORY.rar is the system dump. It is also linked at

http://files.filefront.com/MEMORYrar/;9473796;/fileinfo.html

Please bear in mind that you might not immediately start downloading once you click on the Download button. It might try a few times before it starts to download; just leave it there for a while, and it'll start eventually, won't be too long. So, I'll leave the analysis to you. ^^

Edited by SCC2002

Well, I can understand how processes across the whole machine appear to be hanging - it appears something at the kernel level in the network stack is causing this. Here are the bitcomet and msn messenger dumps so you can see how I determined the network stack is at fault:

From the bitcomet dump:

// There are three critical sections that are locked in this dump, and
// the third one in the list is the important one - it's holding everything
// else up:
0:000> !locks

CritSec +14744f8 at 014744f8
LockCount 0
RecursionCount 1
OwningThread 208
EntryCount 0
ContentionCount 0
*** Locked

CritSec +14737b0 at 014737b0
LockCount 0
RecursionCount 1
OwningThread 8a8
EntryCount 0
ContentionCount 0
*** Locked

CritSec +1234088 at 01234088
LockCount 1
RecursionCount 1
OwningThread 208
EntryCount 4
ContentionCount 4
*** Locked

// The thread owning the critsec is thread 0, so if it's waiting on
// something, the whole window or application will appear to hang:
0:000> kb
ChildEBP RetAddr Args to Child
0012f4f4 7c90d8ef 71a5da55 000006ac 00000000 ntdll!KiFastSystemCallRet
0012f4f8 71a5da55 000006ac 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012f59c 71a555af 01233ff0 0012f714 00000010 mswsock!SockDoConnectReal+0x1b0
0012f644 71a5542c 000008e0 0012f714 00000010 mswsock!SockDoConnect+0x392
0012f674 71ab40bd 000008e0 0012f714 00000010 mswsock!WSPConnect+0xc6
0012f6c0 0053c485 000008e0 0012f714 00000010 ws2_32!connect+0x4f
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f728 0053b7b4 014c59c0 0000c350 aa88f6ba BitComet+0x13c485
0012f7cc 0040826c 00000000 0192a700 007009f2 BitComet+0x13b7b4
0012f854 005bdde5 01473890 0447e080 0447e0b8 BitComet+0x826c
0012f870 005ab2d0 0447e080 0447e0b8 0447e300 BitComet+0x1bdde5
0012f8c4 005617eb 0012f938 aa88f80e 00000000 BitComet+0x1ab2d0
0012f918 005513a9 aa88f8b2 00000000 7c809728 BitComet+0x1617eb
0012f9a4 005bce09 014744a0 014d3db8 00000000 BitComet+0x1513a9
0012f9bc 0045f761 aa88f8de 014d3db8 00000000 BitComet+0x1bce09
0012fae8 00697c52 00000000 aa88fa96 00000113 BitComet+0x5f761
0012fb80 006934f8 00000113 00000000 0082a260 BitComet+0x297c52
0012fba0 0050af0a 00000113 00000000 00000000 BitComet+0x2934f8
0012fc0c 0048396e aa88fd2a 0012fc84 0012fc68 BitComet+0x10af0a
0012fc3c 0050ab14 aa88fd5e 00000113 014d3db8 BitComet+0x8396e
0012fc98 00695e1f 00000113 00000000 00000000 BitComet+0x10ab14
0012fd00 00695eac 00000000 0001059c 00000113 BitComet+0x295e1f
0012fd20 7e418734 0001059c 00000113 00000000 BitComet+0x295eac
0012fd4c 7e418816 00695e78 0001059c 00000113 user32!InternalCallWinProc+0x28
0012fdb4 7e4189cd 0017ace8 00695e78 0001059c user32!UserCallWinProcCheckWow+0x150
0012fe14 7e418a10 001790e8 00000000 00000000 user32!DispatchMessageWorker+0x306
0012fe24 0069b41c 001790e8 001790e8 00975040 user32!DispatchMessageW+0xf
00000000 00000000 00000000 00000000 00000000 BitComet+0x29b41c

Note it's waiting on a return from the mswsock call, which is the socket functionality. It sent data over the wire, and is waiting for a response. Now, onto the msn messenger dump, showing similar issues:

// Again, two critical sections are locked, but the first in this list is
// the important one:
0:000> !locks

CritSec +25b29f0 at 025b29f0
LockCount 0
RecursionCount 1
OwningThread eac
EntryCount 0
ContentionCount 0
*** Locked

CritSec +25b2b18 at 025b2b18
LockCount 0
RecursionCount 1
OwningThread b88
EntryCount 0
ContentionCount 0
*** Locked

// Again, this is blocked in thread 0 waiting on mswsock, so the app
// is going to appear hung until this network request comes back:
0:000> kb
ChildEBP RetAddr Args to Child
0006faf0 7c90d8ef 71a5da55 000007bc 00000000 ntdll!KiFastSystemCallRet
0006faf4 71a5da55 000007bc 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0006fb98 71a555af 025b2958 0006fcd8 00000010 mswsock!SockDoConnectReal+0x1b0
0006fc40 71a5542c 00000660 0006fcd8 00000010 mswsock!SockDoConnect+0x392
0006fc70 71ab40bd 00000660 0006fcd8 00000010 mswsock!WSPConnect+0xc6
0006fcbc 004a2084 00000660 0006fcd8 00000010 ws2_32!connect+0x4f
WARNING: Stack unwind information not available. Following frames may be wrong.
0006fcec 004a971f d8d094db 004a96b8 01f18cd8 msnmsgr+0xa2084
0006fd10 004aef2b 00170388 01fe57e0 d8d0948f msnmsgr+0xa971f
0006fd44 0047a120 00000400 00296220 008bc214 msnmsgr+0xaef2b
0006fd5c 0046fdc3 00000400 00000003 00000000 msnmsgr+0x7a120
0006fd74 0046fd76 0001081e 00000400 00000003 msnmsgr+0x6fdc3
0006fdc4 7e418734 00296220 00000000 00000003 msnmsgr+0x6fd76
0006fdf0 7e418816 01a40f30 0001081e 00000400 user32!InternalCallWinProc+0x28
0006fe58 7e4189cd 00000000 01a40f30 0001081e user32!UserCallWinProcCheckWow+0x150
0006feb8 7e418a10 0006fed8 00000000 0006fef4 user32!DispatchMessageWorker+0x306
0006fec8 0040328d 0006fed8 00926470 0001081e user32!DispatchMessageW+0xf
0006fef4 00542f57 008bb820 591610fb 0006ff24 msnmsgr+0x328d
0006ff04 0055d188 00000000 0055d0be 009294a8 msnmsgr+0x142f57
0006ff24 00561550 0009233d 0006ffc0 00561581 msnmsgr+0x15d188
0006ff30 00561581 00400000 00000000 0009233d msnmsgr+0x161550
0006ffc0 7c816fd7 00340039 00320032 7ffd7000 msnmsgr+0x161581
0006fff0 00000000 005708ed 00000000 78746341 kernel32!BaseProcessStart+0x23

And looking at the full dump, I'm going to blame either the PCTools software's TDI driver, or the Nvidia miniport driver:

// In the full dump, we have an abandoned mutex that appears to be
// created by a network driver:
0: kd> dt nt!_KMUTANT 0xba398cc0
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 OwnerThread : (null)
+0x01c Abandoned : 0 '' // it says it isn't abandoned, but it really is...
+0x01d ApcDisable : 0x1 ''

// Looking at the nv4_mini driver's callstacks, I can see that this is
// a mutex similar to the ones it's currently set up:
0: kd> !thread 89b6fda8
THREAD 89b6fda8 Cid 0004.04f0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
ba398cc0 Mutant - owning thread 0
ba398cb0 SynchronizationEvent
Not impersonating
DeviceMap e1009288
Owning Process 89e23830 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 1109 Ticks: 2319973 (0:10:04:09.578)
Context Switch Count 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address nv4_mini (0xba020030)
Stack Init b781f000 Current b781ed10 Base b781f000 Limit b781c000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
b781ed28 80502d26 00000000 89b6fda8 804fac40 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
b781ed34 804fac40 00000000 89b6fda8 804fa9bc nt!KiSwapThread+0x8a (FPO: [0,0,0]) (CONV: fastcall)
b781ed6c ba020068 00000002 b781eda8 00000000 nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo]) (CONV: stdcall)
WARNING: Stack unwind information not available. Following frames may be wrong.
b781edac 805ce84c 00000000 00000000 00000000 nv4_mini+0x1d068
ba398cb0 00000000 89b6fe30 8886f0a8 00080002 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo]) (CONV: stdcall)

0: kd> dt nt!_KMUTANT ba398cc0
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 OwnerThread : (null)
+0x01c Abandoned : 0 ''
+0x01d ApcDisable : 0x1 ''

There are 4 mutexes like the one above, all waiting on the abandoned mutex. Since this is a mutex in a network driver, this is the likely culprit causing the mswsock hangs, as the network stack is likely hung at this point. Here's the nvidia and pctools drivers - I'd remove the pctools driver (and the Acronis software too, as that has a LOT of waiters here that you should remove for testing, and only put back when the problem is gone) and update the nvidia driver(s):

0: kd> lmvm nv4_mini
start end module name
ba003000 ba3c17a0 nv4_mini (deferred)
Image path: \SystemRoot\system32\DRIVERS\nv4_mini.sys
Image name: nv4_mini.sys
Timestamp: Thu Jun 01 21:11:09 2006 (447F902D)
CheckSum: 003C1170
ImageSize: 003BE7A0
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

0: kd> lmvm pctfw2
start end module name
b7986000 b79c0000 pctfw2 (no symbols)
Loaded symbol image file: pctfw2.sys
Image path: \??\C:\WINDOWS\system32\drivers\pctfw2.sys
Image name: pctfw2.sys
Timestamp: Thu Nov 29 15:27:58 2007 (474F20CE)
CheckSum: 0003BEFC
ImageSize: 0003A000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

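The analysis above is done by hand: find the locked critical section that has other threads queued on it, note its owning thread, then read that thread's `kb` stack past the ntdll system-call frames to see what it is really waiting on. The script below does the same triage on pasted debugger text. It is an added example, not code from the post, from WinDbg or from ADPlus; the BitComet `!locks` and `kb` output from the post (abridged) is embedded as sample input, and the module sets, the field names it expects and the "network (winsock)" classification are assumptions of this example.

```python
"""Triage helper for the WinDbg output quoted in this thread: from the text of
`!locks` and `kb` in a user-mode hang dump, report which critical section has
threads queued on it, which thread owns it, and where the dumped thread is blocked.
Added example; not part of the original post, of WinDbg, or of ADPlus.
"""
import re
from typing import Optional

NETWORK_MODULES = {"mswsock", "ws2_32", "wsock32", "wininet", "winhttp"}  # winsock-level waits
TRAMPOLINE_MODULES = {"ntdll", "kernel32"}  # system-call plumbing, never the real wait site


def parse_locks(text: str) -> list:
    """Parse each 'CritSec +xxx at yyy' block printed by `!locks` into a dict."""
    sections = []
    for block in re.split(r"(?=CritSec \+)", text):
        head = re.match(r"CritSec \+\w+ at ([0-9a-fA-F]+)", block)
        if not head:
            continue  # prompt line or other text before the first CritSec
        fields = dict(re.findall(r"^\s*(\w+Count|OwningThread)\s+(-?\w+)", block, re.M))
        sec = {"address": head.group(1), "owner": fields["OwningThread"],
               "locked": "*** Locked" in block}
        for name in ("LockCount", "RecursionCount", "EntryCount", "ContentionCount"):
            sec[name] = int(fields[name])
        # XP-era layout: LockCount is (waiters + owner) - 1, so a locked section with
        # LockCount > 0 or a non-zero ContentionCount has other threads queued on it.
        sec["has_waiters"] = sec["locked"] and (sec["LockCount"] > 0 or sec["ContentionCount"] > 0)
        sections.append(sec)
    return sections


def parse_kb(text: str) -> list:
    """Symbol column of each `kb` frame; the prompt, header and WARNING lines are skipped."""
    frame = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)")
    return [m.group(1) for m in map(frame.match, map(str.strip, text.splitlines())) if m]


def module_of(symbol: str) -> str:
    """'mswsock!SockDoConnectReal+0x1b0' -> 'mswsock'; 'BitComet+0x13c485' -> 'bitcomet'."""
    return re.split(r"[!+]", symbol, maxsplit=1)[0].lower()


def wait_site(symbols: list) -> Optional[str]:
    """First frame above the trampoline: the call the thread is actually blocked in."""
    return next((s for s in symbols if module_of(s) not in TRAMPOLINE_MODULES), None)


def triage(locks_text: str, kb_text: str) -> dict:
    """Combine both views into the verdict the post reaches by hand."""
    sections = parse_locks(locks_text)
    contended = sorted((s for s in sections if s["has_waiters"]),
                       key=lambda s: (s["ContentionCount"], s["LockCount"]), reverse=True)
    blocker = contended[0] if contended else None
    site = wait_site(parse_kb(kb_text))
    return {
        "locked_sections": sum(s["locked"] for s in sections),
        "blocking_critsec": blocker["address"] if blocker else None,
        "owner_thread": blocker["owner"] if blocker else None,
        "waiters_seen": blocker["ContentionCount"] if blocker else 0,
        "blocked_in": site,
        "subsystem": "network (winsock)" if site and module_of(site) in NETWORK_MODULES else "other",
    }


# Sample input: the BitComet `!locks` and `kb` output from the post, abridged to the
# uncontended first section, the contended third one, and the top of the stack.
BITCOMET_LOCKS = """\
0:000> !locks
CritSec +14744f8 at 014744f8
LockCount 0
RecursionCount 1
OwningThread 208
EntryCount 0
ContentionCount 0
*** Locked
CritSec +1234088 at 01234088
LockCount 1
RecursionCount 1
OwningThread 208
EntryCount 4
ContentionCount 4
*** Locked
"""
BITCOMET_KB = """\
0:000> kb
ChildEBP RetAddr Args to Child
0012f4f4 7c90d8ef 71a5da55 000006ac 00000000 ntdll!KiFastSystemCallRet
0012f4f8 71a5da55 000006ac 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012f59c 71a555af 01233ff0 0012f714 00000010 mswsock!SockDoConnectReal+0x1b0
0012f6c0 0053c485 000008e0 0012f714 00000010 ws2_32!connect+0x4f
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f728 0053b7b4 014c59c0 0000c350 aa88f6ba BitComet+0x13c485
"""

if __name__ == "__main__":
    for key, value in triage(BITCOMET_LOCKS, BITCOMET_KB).items():
        print(f"{key:>17}: {value}")
```

Run against the sample it names critical section 01234088, owned by thread 208 with four waiters, and a wait site of mswsock!SockDoConnectReal, which is the same reading as the post's. The msnmsgr dump in the post has no section with waiters at all, so on that input the script reports no blocking critical section and only the mswsock wait site; the two views are kept separate for exactly that case.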

I think I found something. Some trojan exists on my PC, and can't be removed even by Spyware Doctor and SpySweeper. I came across a GPU overclocking utility installed on my PC, installed together with my NVidia 7600GT driver, and when I simply enabled and disabled the D.O.T. (Dynamic Over-Clocking Technology) feature, a registry change was blocked by my Spyware Doctor.

The registry path found is HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\WinSys.exe"

And the threat name found is Trojan-Downloader.Dadobra.CP.

I tried to remove this trojan manually. However, I can't find this WinSys.exe in my System32 folder even after disabling 'Hide protected operating system files'.

By the way, I don't know how to find the registry path with the comma in the middle. What does the comma mean? How do I find that?

It's weird that Spyware Doctor is capable of detecting and blocking the registry change and the source of this threat, but is unable to detect this threat in its scan and remove it. Why?

Anyway, I think this Trojan-Downloader.Dadobra.CP is the culprit behind all the problems. But I don't know how to remove it. No clear guide on the internet either.

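The alert line quoted in the post above has the form registry key, comma, ValueName="data": the part before the comma is the Run key, whose values list programs started at logon, WinSys is the value name, and the quoted path is the command that runs. The script below, an added example that is not from the post, from Windows or from Spyware Doctor, parses lines of that form, builds the `reg query` command that displays the value, and flags entries whose target is not in a directory listing (as was the case here) or sits in a temp or profile directory. The directory listing, the two extra entries and the path policy are constructed for the example.

```python
"""Review autostart (Run key) entries written the way the alert in the post above
shows them: registry key, a comma, then ValueName="command".
Added example; not from the post, Windows, or Spyware Doctor. The file listing,
the extra entries and the path policy below are constructed for illustration.
"""
import re
from typing import Optional

HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}  # accepted by reg.exe
# Constructed policy: autostart binaries in scratch locations deserve a second look.
SCRATCH_PREFIXES = (r"c:\windows\temp", r"c:\documents and settings")

ALERT = re.compile(r'^\s*(HKEY_[A-Z_]+\\[^,]+?)\s*,\s*([^=]+?)\s*=\s*(.*?)\s*$')


def parse_alert(line: str) -> Optional[dict]:
    """Split 'KEY, Name=data' into key, value name and data; the comma ends the key path."""
    m = ALERT.match(line)
    if not m:
        return None
    return {"key": m.group(1), "name": m.group(2), "data": m.group(3)}


def executable_of(data: str) -> str:
    """Program path from the value data: a quoted path, else the first token; arguments dropped."""
    m = re.match(r'^"([^"]+)"|^(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data


def reg_query(entry: dict) -> str:
    """reg.exe command that displays this value on Windows XP (hive name shortened)."""
    hive, _, subkey = entry["key"].partition("\\")
    return f'reg query "{HIVE_SHORT.get(hive, hive)}\\{subkey}" /v {entry["name"]}'


def assess(entry: dict, visible_files: set) -> list:
    """Findings for one entry against a lower-cased listing of the files visible on disk."""
    exe = executable_of(entry["data"]).lower()
    findings = []
    if exe not in visible_files:
        findings.append("target not visible on disk (deleted, mistyped, or concealed)")
    if exe.startswith(SCRATCH_PREFIXES):
        findings.append("target lives in a temp or profile directory")
    if "\\" not in exe:
        findings.append("bare file name, resolved through PATH at logon")
    return findings


def review(alerts, visible_files) -> dict:
    """Value name -> findings, for the entries that have any."""
    report = {}
    for line in alerts:
        entry = parse_alert(line)
        if entry is not None and (findings := assess(entry, visible_files)):
            report[entry["name"]] = findings
    return report


# Constructed sample: the line quoted in the post plus two made-up entries.
ALERTS = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, WinSys="C:\WINDOWS\System32\WinSys.exe"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ExampleUpdater="C:\Program Files\Example\updater.exe" /silent',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, TempUpdate=C:\WINDOWS\Temp\update.exe',
]
# Constructed stand-in for what a directory listing shows; WinSys.exe is absent, as in the post.
VISIBLE_FILES = {r"c:\program files\example\updater.exe", r"c:\windows\temp\update.exe"}

if __name__ == "__main__":
    for line in ALERTS:
        entry = parse_alert(line)
        print(reg_query(entry), "->", assess(entry, VISIBLE_FILES) or ["no findings"])
```

For the WinSys line this yields `reg query "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN" /v WinSys` and the single finding that the target is not visible on disk; a file that Explorer does not show even with protected files unhidden is worth treating as concealed rather than as absent, which is why the finding lists all three readings.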
