gdi32.dll program hang (the ghost in the machine)

Discussion in 'Windows 64bit' started by miso@sushi.com, Dec 29, 2006.

  1. Guest

    I've got this periodic problem with gdi32.dll on X64 (AMD 64 4400 ).
    Every once in a while, my PC gets in this mode where three programs
    (Open Office Calc, Photoshop 6, and Vuescan) crash. Only Photoshop 6
    gives me the clue that the problem is due to gdi32.dll.

    Two questions:
    1)
    <http://securitydot.net/vuln/exploits/vulnerabilities/articles/18330/vuln.html>
    claims there is a potential to create a DOS attack using gdi32.dll. Now
    I'm not running a server, and I am behind a firewall router, but any
    chance there is a virus in gdi32?
    2) I've been waiting for sp2 to be released. What are the risks of
    installing the beta?
     
    , Dec 29, 2006
    #1

  2. Guest

    wrote:
    > I've got this periodic problem with gdi32.dll on X64 (AMD 64 4400 ).
    > Every once in a while, my PC gets in this mode where three programs
    > (Open Office Calc, Photoshop 6, and Vuescan) crash. Only Photoshop 6
    > gives me the clue that the problem is due to gdi32.dll.
    >
    > Two questions:
    > 1)
    > <http://securitydot.net/vuln/exploits/vulnerabilities/articles/18330/vuln.html>
    > claims there is a potential to create a DOS attack using gdi32.dll. Now
    > I'm not running a server, and I am behind a firewall router, but any
    > chance there is a virus in gdi32?
    > 2) I've been waiting for sp2 to be released. What are the risks of
    > installing the beta?


    Avast found a virus in memory.dmp. Virus was "Win32:Agent-SG [Trj]"
    Deleting the file made the problem go away, but I suspect this wasn't
    exactly the problem. For one thing, the file was too large to put in the
    vault, so I assume it was the full size of my memory, which is around
    3+Gbytes. I doubt I downloaded something that big.
     
    , Dec 29, 2006
    #2

  3. It is probably hard to pinpoint an error so precisely. Something that points
    somewhere specific could mean that is the avenue that brought on the
    offensive code, not necessarily where it originates.

    A memory dump would be a file the size of the memory, not a part thereof,
    and size should not have any relation to anything you downloaded. I suggest
    you make Avast run a full scan of your complete system over the course of a
    couple of days ( not continuously! ) - and after re-booting too. If it is
    something nasty, it may well regenerate itself, after being deleted.

    Tony. . .

    <> wrote in message
    news:...
    >
    > wrote:
    > > I've got this periodic problem with gdi32.dll on X64 (AMD 64 4400 ).
    > > Every once in a while, my PC gets in this mode where three programs
    > > (Open Office Calc, Photoshop 6, and Vuescan) crash. Only Photoshop 6
    > > gives me the clue that the problem is due to gdi32.dll.
    > >
    > > Two questions:
    > > 1)
    > >

    <http://securitydot.net/vuln/exploits/vulnerabilities/articles/18330/vuln.ht
    ml>
    > > claims there is a potential to create a DOS attack using gdi32.dll. Now
    > > I'm not running a server, and I am behind a firewall router, but any
    > > chance there is a virus in gdi32.
    > > 2) I've been waiting for sp2 to be released. What are the risks of
    > > installing the beta.

    >
    > Avast found a virus in memory.dmp. Virus was "Win32:Agent-SG [Trj]"
    > Deleting the file made the problem go away, but I suspect this wasn't
    > exactly the problem For one thing, the file was too large to put in the
    > vault, so I assume it was the full size of my memory, which is around
    > 3+Gbytes. I doubt I downloaded something that big.
    >
     
    Tony Sperling, Dec 30, 2006
    #3
  4. Guest

    Tony Sperling wrote:
    > It is probably hard to pinpoint an error so precisely. Something that points
    > somewhere specific could mean that is the avenue that brought on the
    > offensive code, not necessarily where it originates.
    >
    > A memory dump would be a file the size of the memory, not a part thereof,
    > and size should not have any relation to anything you downloaded. I suggest
    > you make Avast run a full scan of your complete system over the course of a
    > couple of days ( not continuously! ) - and after re-booting too. If it is
    > something nasty, it may well regenerate itself, after being deleted.
    >
    > Tony. . .


    The size of the dump file made me draw the same conclusion, but maybe
    the virus can attach to the last dump file. Good idea on running the
    virus scan to see if it pops up again.

    Here are some older threads of mine with the same problem:
    [July 31, 2006]
    <http://groups.google.com/group/microsoft.public.windows.64bit.general/browse_frm/thread/2d3ca32209438ff0/d15c62ec09231767?lnk=st&q=&rnum=3&hl=en#d15c62ec09231767>
    [Sept 11, 2006]
    <http://groups.google.com/group/microsoft.public.windows.64bit.general/browse_frm/thread/178c95b4549e2886/2be476851b0e1fdd?lnk=st&q=&rnum=9&hl=en#2be476851b0e1fdd>
    [Sept 10, 2006]
    <http://groups.google.com/group/microsoft.public.windows.64bit.general/browse_frm/thread/e9dc73dfc54f94e1/223c95defd080d1d?lnk=st&q=group%3Amicrosoft.public.windows.64bit.general+author%3Amiso%40sushi.com&rnum=38&hl=en#223c95defd080d1d>

    X64 is really stable, but this bug just drives me crazy since it is so
    flaky.


     
    , Dec 30, 2006
    #4
  5. I'm not sure what benefit a Virus could possibly have from doing that. More
    likely - if there is a Virus, it trips a process which triggers a memory
    dump and the Virus gets dumped along with everything else, but this is not
    where it performs its feat, I believe it will effectively be disabled
    there. The danger is to find it there (where it is harmless!) and thinking
    you got rid of it. In the mean-time it sits and waits quietly somewhere
    else. Nobody really knows what a Virus is doing - or why, sometimes they
    wait for one specific event (a date, or a certain chain of characters in the
    keyboard buffer?) this sets it off and it lands in a dump file, the original
    going back to sleep, the only thing a Virus Scanner can do is scan for API
    and System Calls that would be typical for a Virus to want to utilize!
    Whatever the scanner finds, a lot of it has to be false alarms - we just
    don't know which ones they are. Personally, I've noticed that Avast finds an
    inordinate amount of one specific type of Virus (Trojans!). If I was using
    something else, it would probably just be a different type of Virus, and
    most of anything they find will be false alarms.

    Windows Defender is not Virus-Centric, but it does some very impressive
    scanning, and sometimes finds suspicious things that others don't find.
    Most likely then it is a false alarm, but you have an option to go looking.
    I suggest you could install that and run it in tandem with Avast.

    Anyway, I think the behaviour you are seeing is looking more like a
    spyware/malware problem, than an actual Virus???

    I was being terrorised by one nasty thing called "NewDotNet", Recovering to
    a Restore Point helped for a while, but it came back and I ended up doing a
    fresh install. Defender was the only thing that found it - nothing could
    remove it. Not sure what your options are, but try and find out what it
    really is or you'll be stabbing at shadows.

    (One option is to mail the dump file to Avast - they are a helpful lot, but
    I'm not sure that they can do anything helpful with it?)


    Tony. . .



     
    Tony Sperling, Dec 30, 2006
    #5
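
Posts #3 and #5 argue that a memory.dmp the size of RAM is a snapshot of memory, so a scanner hit inside it points at something that was resident when the dump was written rather than at an infected download. The following is an added example, not code from any poster: it checks whether a file really is a 64-bit Windows crash dump and whether its size fits installed RAM. The header signature `PAGEDU64`, the DumpType offset 0xF98, the 10% size tolerance and the 3 GiB sample machine are assumptions of this example.

```python
import os
import struct

# Assumed layout facts (not from the thread): a 64-bit Windows crash dump
# starts with the ASCII bytes "PAGEDU64" and keeps a 32-bit DumpType field
# at header offset 0xF98 (1 = full memory dump, 2 = kernel memory dump).
SIGNATURE_64 = b"PAGEDU64"
DUMP_TYPE_OFFSET = 0xF98
DUMP_TYPES = {1: "full", 2: "kernel"}


def inspect_header(header: bytes) -> dict:
    """Classify the leading bytes of a file as a 64-bit crash dump or not."""
    too_short = len(header) < DUMP_TYPE_OFFSET + 4
    if too_short or not header.startswith(SIGNATURE_64):
        return {"is_crash_dump": False, "dump_type": None}
    (raw,) = struct.unpack_from("<I", header, DUMP_TYPE_OFFSET)
    return {"is_crash_dump": True,
            "dump_type": DUMP_TYPES.get(raw, f"other({raw})")}


def size_matches_ram(file_size: int, ram_bytes: int,
                     tolerance: float = 0.10) -> bool:
    """Heuristic: a full dump is roughly the size of physical memory."""
    return ram_bytes > 0 and abs(file_size - ram_bytes) <= tolerance * ram_bytes


def triage(header: bytes, file_size: int, ram_bytes: int) -> str:
    """Turn the header and size checks into a reading of the scanner hit."""
    info = inspect_header(header)
    if not info["is_crash_dump"]:
        return ("not a crash dump: treat the detection as a hit on an "
                "ordinary file and find out how it got there")
    if info["dump_type"] == "full" and size_matches_ram(file_size, ram_bytes):
        return ("full memory dump: the hit is a copy of what was in RAM at "
                "crash time; deleting the dump removes the copy, not the "
                "source, so scan the live system")
    return (f"{info['dump_type']} dump: genuine dump, but size or type does "
            "not cover all of RAM; the hit still reflects memory contents")


def triage_file(path: str, ram_bytes: int) -> str:
    """Read only the header of a real file, then apply triage()."""
    with open(path, "rb") as fh:
        header = fh.read(DUMP_TYPE_OFFSET + 4)
    return triage(header, os.path.getsize(path), ram_bytes)


def make_sample_header(dump_type: int) -> bytes:
    """Constructed sample header: signature, zero padding, DumpType field."""
    header = bytearray(DUMP_TYPE_OFFSET + 4)
    header[:8] = SIGNATURE_64
    struct.pack_into("<I", header, DUMP_TYPE_OFFSET, dump_type)
    return bytes(header)


if __name__ == "__main__":
    ram = 3 * 2**30  # constructed value: a machine with 3 GiB of RAM
    print(triage(make_sample_header(1), ram, ram))
    print(triage(make_sample_header(2), 200 * 2**20, ram))
    print(triage(b"MZ" + bytes(0x1000), 4096, ram))
```
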
  6. Dshai Guest

    Tony, for future reference on NewDotNet, AdAware will find and disable it as
    well as identifying the registry keys that "control" it, this allows you to
    delete said keys and effectively rid yourself of the pest without a
    format/reload.

    Dshai
     
    Dshai, Dec 30, 2006
    #6
  7. Well, thank YOU! This is the only kind of malware that ever brought my
    machine (any of them) to its knees. It was silent for a long time, maybe a
    year, then started playing tricks with the i-net connection. As a last
    attempt I tried deleting it manually and that completely broke my
    connection and nothing could bring it back up.

    O.K. - AdAware it is then!

    Since Defender recognised it, I assume it will stop it and protect you, but
    once it is inside? This is certainly good news on the threshold of a new
    year!


    Tony. . .
     
    Tony Sperling, Dec 30, 2006
    #7