Vista Screen Freeze

[Walter]

I have had Vista 32 bit for roughly a year and have not had this problem before. The Vista screen freezes while I am working, The only solution for me has been to shut the computer off and then turn it back on. This only works some of the time. Even if I stop working for only a few moments. It happens so frequently that it occurred while I was attempting to log into this board.

Could you guys please help me?

What should I do first? Provide a HiJack this?

Thanks!
I

 

[Spyder_1386]

Hi Walter

Do you receive any errors? Are your drivers up to date? Do you have SP1 installed on Vista? You could do a virus check by completing the 8-step virus removal tool here .... https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ and post your logs for us to look at.

Spyder_1386

 

[Walter]

Thanks for the reply.

The closest I get to an error is an audit failure in the event viewer audit section upon turning my machine back on.

Supposedly, Windows updates drivers on its own as needed. I can manually look for an update for a given driver, but I don't think that I can do a batch "update drivers" command. Of course, I'm no expert on drivers.

I have Version 6.0 (Build 6001: Service Pack 1)

I will attempt the 8 step virus check although I suspect that is not the problem.

Meanwhile, here is some more info for you:

I have a hunch that this is somehow related to the sleep, hibernation, or other functionality that is triggered by how long it has been since the keyboard has been touched. The screen has not frozen when I been working on the machine, as I am now. The problem seems to occur when I stop and do something else for a few minutes,

It occurs even if I do not have any applications open.

By "screen freeze", I mean that I can move the cursor and the cursor moves across the screen as expected, but nothing responds to my clicks. In addition, Ctrl Alt Del does nothing. I have been turning the machine off to get out of the screen freeze.

I have a laptop that I leave plugged in. I have "turn off the display" and "put the computer to sleep" both set to "Never".

I hope some of this helps. I will let you know what I find. Thanks!

It freezes during the Virus scan, so I might try a different approach.

 

[Bobbye]

The Vista screen freezes while I am working, The only solution for me has been to shut the computer off and then turn it back on

How much RAM do you have installed?
Shutting down and rebooting frees up the RAM.
Possible bad RAM sticks- or no enough.

I have a hunch that this is somehow related to the sleep, hibernation, or other functionality that is triggered by how long it has been since the keyboard has been touched.

Disable the Hibernation feature.
Set Stand By to two hours or more and set to go into Standby when you close the lid.

It is unusual for the cursor to move when the screen has frozen. Can you tell if you are still connected tot he internet- or if the connectivity has been lost?

 

[Walter]

I think that I have plenty of RAM, this is a fairly new computer (<2 years old).

I tried your suggestion regarding Hibernation settings but it didn't help.
Then I reset these settings to system defaults but this didn't help either.

Here are the logs requested by the 8 step virus removal tool.

Thanks!!!

 

[Bobbye]

I think that I have plenty of RAM, this is a fairly new computer (<2 years old).

"Plenty" of RAM is how much?
Do you know that all the sticks are good?

Step 3: Temporarily Disable Real Time Monitoring Programs

AD-AWARE AD-WATCH

* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
o Active: This will turn Ad-Watch On\Off without closing it.
o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps but this time check both boxes.)

Please download ComboFix. HERE and save to the desktop:

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.

**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComoboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Kaspersky' online scan
Open Kaspersky Online Scanner in Internet Explorer HERE:

* Click Accept and the web scanner will begin to load
* If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
* You will be prompted to install an ActiveX component from Kaspersky, click Install
* If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT and then Scan Settings
* In the scan settings make that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* The program will start to scan your system.
* Once the scan is complete, click on the Save as Text button and save the file to your desktop

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Rescan with HijackThis when trhough. Attach all reports and logs.

This thread is for the use of Walter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.

 

[Walter]

Thanks for the reply.

I have 2GB of RAM. How can I check if my sticks are good?

With regards to unchecking "Active" and "Automatic" in Ad-Aware: I don't seem to have these choices. I have a Disable Ad-Watch Live setting that I can select. Should I do this instead? Thanks.

 

[kimsland]

You can use: => Memtest to test your Ram

Ad-Aware can just be fully uninstalled, that would be much easier

Then continue on

 

[Walter]

Thanks Kimsland.

I downloaded the memtest file and unzipped it so that I have an iso file on my desktop.
Then I downloaded and installed the ISO to DVD software and burned (I think) the ISO onto a DVD. The DVD now appears to have the ISO file and an empty VIDEO_TS folder (I'm not sure how that got there but oh well).

I then rebooted the computer with the DVD inserted but it did not run by itself. How do I get the memtest utility to open and run?

.

 

[kimsland]

Hmm

Please burn the ISO again (File open ISO file) to a new blank DVD (or CD) and try again
Something went wrong with that one, possibly already used

 

[Walter]

I did the memory test (1 pass) and no errors were found.

I will continue with the rest and keep you posted - thanks.

I ran ComboFix successfully and have a log file. ComboFix claims that some of my AntiVirus / AntiSpyWare applications were still enabled although the applications claimed that they were not enabled. Should I uninstall these applications and re-run ComboFix?

Edited to add: Here is the ComboFix.txt file that indicates that the applications were still running.

Aha!!! I believe that I have a useful observation to share.

I am seeing the following in Task Manager:
On the Processes Tab:
Firefox using ~92MB of Memory (Private Working Set)
Host Process For Windows Services Using ~41MB of Memory (Private Working Set)
Desktop Window Manager using ~15MB of Memory (Private Working Set)
Microsoft Windows Search Indexer Using ~12MB of Memory (Private Working Set)
75 other processes all using <10MB

On the bottom of this tab, it indicates that I am using ~3% of my CPU right now but
45% of my physical memory. The performance tab indicates that I am using ~900MB, which is 45% of 2GB, which is the total amount of RAM on my machine. However, I am only running FoxPro right now.

I am going to try to get the PC to freeze with the Task Manager showing. I want to see how much memory is used when it freezes.

Do you think that memory could be running out for some reason?

As I mentioned in the previous post, I closed FireFox and other open programs, opened Task Manager and waited for the screen to freeze as it usually does. I came back to the machine after ~3 hours and the screen was frozen with 54% of physical memory being used. Perhaps this is the limit of RAM that my machine can be using. It seems that a process called the defragmenter was running when I came back that was not running when I left.

I am not an expert and any help or explanation that could be provided here would be greatly appreciated. Thanks.

PS I have 2 co-processors, if that matters

 

[Bobbye]

This is what is eating the memory and CPU.

"TCP Query User{2F9EDDB1-3054-437D-8FDF-5E8B364A3C61}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{96E49972-9DFF-4A87-82C9-35BEE27614E8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent

And running in the background:

Yahoo! Music Jukebox
realplayer\\recordingmanager.exe
Toshiba Software Upgrades Pinger
Multiple Locked Registry keys for "Progid"="YMP.Media"

Step 3 in the Virus and MAlware Cleaning:

Uninstall File Sharing/P2P Programs

During the cleaning process all File Sharing Programs should be uninstalled
This is to avoid any possible reinfection of any malwares through file sharing

We reserve the right to withdraw our support:

* If such programs are found in your logs
* Should you not agree to their removal.

As they are normally set to bypass your Firewall and Anti-Virus software
Filesharing/P2P Programs serves as a constant threat to your computer

 

[Walter]

Thank you very much for this helpful reply. For reasons that are mysterious to me, the screen freeze problems that I had been experiencing several times each day ceased some time last week (~20th). Perhaps a background update was made by Vista that corrected some problem.

Anyway, my machine is still using memory at levels similar to what I previously mentioned. I will follow your advice to improve this.
Here are some questions and comments:

1. I am doing my best to abide by the rules of this board regarding P2P.
I had removed the Torrent application (or so I thought) even though the "Query User" messages appeared in ComboFix.txt. Will setting my firewall to "block all" for this application take care of this issue?

2. What should I do about realplayer\recordingmanager.exe? I want to keep Real Player on my machine for the time being, if feasible. Should I find the exe file and delete it manually?

3. Can I uninstall the Toshiba Software Upgrade program entirely, using Control Panel?

4. What should I do regarding the "Multiple Locked Registry keys for "Progid"="YMP.Media"" issue?

Thank you once again for your kind assistance.

 

[Bobbye]

1.

I am doing my best to abide by the rules of this board regarding P2P.

Firewall block okay, but better or additionally, search the system for BitTorrent and delete all files. Be sure Hidden files and folder show:
Open Search> tools> Folder options> View tab> CHECK 'show hidden files and folders> Apply> OK.

Now put the search term in the search file box. Reminder: when finished with search, go back and re-hide the files.

2.

What should I do about realplayer\recordingmanager.exe?

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
REAL PLAYER:

1. UNCHECK all 'Real', Real Player' and 'Real One' entries on the Startup menu
2. If you use Real Player disable the auto-update feature in your Tools- Preferences- Automatic Services- AutoUpdate (In RealPlayer).
Right click on Start> Exp[ore> Programs> Common> Real Update> right click> delete the file "realshed.exe"

3.

Can I uninstall the Toshiba Software Upgrade program entirely, using Control Panel?

You can do this from withing the Hijackthis program:
Using the Uninstall Manager in HijackThis, you can remove these entries from your uninstall list.

To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:

To delete an entry simply click on the entry you would like to remove and then click on the Delete this entry button.

These are the updater processes:
Suggest using Safe Mode as the processes ar running in Normal Mode and may give an error message for removal attempt:
File Location: C:\TOSHIBA\IVP\ISM\pinger.exe
(Description: Pinger is the resident program for Toshiba updates. Periodically checks to see if there are any software/driver upgrades for your particular computer model. If it finds any, it posts a notification)
C:\TOSHIBA\IVP\ISM\pinger.exe
For the Service:>>O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
Start> Run> services.msc> right click on pinger>Properties> chnge startup type to Disabled Stop the Service.

4.

What should I do regarding the "Multiple Locked Registry keys for "Progid"="YMP.Media"" issue?

As far as I could find out, YMP Media File is just the description Yahoo Music Player gives to any associated file formats/extensions (ie. those which it is the default player for), purchased via Yahoo Music Engine.Since you have the Yahoo! Music Jukebox, it is likely the files are from that.

So I don't see any reason for them to be "locked". Hold on those please while I see if I can get more info on this. Since uTorrent was active, I don't care for 'locking' of these files.

One more question: What are you running from CheckPoint? It's showing here in ComboFix:
2009-04-08 23:30 -------- d-----w c:\users\All Users\CheckPoint
2009-04-08 23:30 -------- d-----w c:\programdata\CheckPoint
That is a company that makes security software, the best known is ZoneAlarm Firewall and now having a suite. But you have the Comodo firewall.

Go ahead and do the above. I'll be back with the 'progrid' answer.

 

[Walter]

Thank you very much!

To answer your question, I installed ZoneAlarm briefly, then removed it. Then I installed, Comodo, which I am now using. So I guess that you are looking at things from ZoneAlarm that were not removed but perhaps should have been when I removed the rest of the firewall software.

It is bedtime for me. I will work on your instructions tomorrow. Thanks again.

 

[Bobbye]

Okay, on 4/8/09 you did something with Zone Alarm, per the entry I left. But the only other ZA entry is:
2009-04-08 23:34 . 2009-04-08 23:34 -------- d-----w c:\program files\Zone Labs\.

Part of my job is to inform you if you exceed the right security limits or do not meet the suggested limits: this is one antivirus program, one firewall, and 2 or more spyware/adware programs.

Combofix shows you currently have processes from Avira, McAfee, Comodo ZoneAlarm.
The Comod AND ZoneAlarm firewalls appear to be running.. Their entries are identical except for the dates.

I also see entries for McAfee Network Agent which is a part of the McAfee security products.
c:\program files\common files\mcafee\mna\mcnasvc.

So here's the scoop:
Decide which third party firewall you want. Uninstall the others and delete any left-over files.
Decide which antivirus program you want and uninstall the others, delete any left-over files.
IF you have a suite that has both an antivirus program AND a firewall use the suite- you can't use parts of suites.

Update and run Combofix again. Attach the report.

 

[Walter]

I followed your instructions, as best I could.

The umbrella on the tray icon for AVir AntiVirus was closed, indicating that scanning was disabled (or should have been disabled) while ComboFix was running.

Likewise, I had closed and exited Comodo, and the tray icon disappeared, so I think that the Comodo Firewall should not have appeared as active in the ComboFix log.

I can uninstall both and then repeat ComboFix, but I won't unless you tell me to do so.

By the way, Windows has not crashed in several weeks, so my problem appears to have gone away. Thanks for your assistance.

Can we consider this thread officially finished?

 

[Bobbye]

The thread is finished. You are still using uTorrent and there is a problem with the Software Licensing Service, which is part of Vista's anti-piracy sub-system, validating your software, I withdraw from the thread.