Internet Crashes After A Few Minutes, I Have To Reboot.


8 replies to this topic

#1 rafota

rafota

  • Members
  • 11 posts

Posted 02 March 2008 - 06:02 PM

Hi everyone,

I had a Bagle virus that I removed in the quickest way someone explained somewhere in the web forum universe.
Now I can install my antivirus and security software, but my connection freezes after ten minutes or so and I have to reboot to get online again. Any suggestions will be much appreciated.

Rafota


#2 Da.One

Da.One

  • Banned
  • 41 posts
  • Gender:Male

Posted 02 March 2008 - 06:32 PM

I think I've said this same line quite a few times today: You probably have malicious dll's running under your iexplore.exe (internet explorer). To check what dll's are running use HijackThis (HJT).

Download HJT here:
http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

Install it.

Open it, select the Misc Tools section. Select Process Manager. Click on iexplore.exe (not to be confused with explorer.exe). Check the box "Show dll's". Press the suitcase button to copy the list. Post the list back here in your next post and we will determine if there is indeed malware in your Internet Explorer.

IMPORTANT: Do not use any other function of HJT unless directed by someone with experience. It could seriously damage your computer.
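The list Da.One asks for (DLLs loaded into Internet Explorer) can be produced without HijackThis. The script below is an added example for this page, not code from the thread, from HijackThis or from BleepingComputer; it assumes PowerShell is installed (a separate download on Windows XP) and that the prompt runs as an administrator. The rule it applies, skipping everything under the Windows directory and printing the Authenticode status of everything else, is a triage heuristic chosen here, not something the post specifies.

```powershell
# Added example (not from the thread or from HijackThis): list the DLLs loaded into
# each running iexplore.exe and report the ones that do not live under the Windows
# directory, together with their Authenticode signature status.
# Assumes PowerShell (a separate download on XP) and an administrative prompt.
$procs = @(Get-Process -Name iexplore -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Host "No iexplore.exe is running; open Internet Explorer first."
    return
}

$windowsDir = "$env:SystemRoot\"
foreach ($p in $procs) {
    Write-Host ("iexplore.exe PID {0}: {1} modules loaded" -f $p.Id, $p.Modules.Count)
    foreach ($m in $p.Modules) {
        $path = $m.FileName
        if ($path.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)) {
            # OS files on XP are catalog-signed, which this cmdlet reports as NotSigned,
            # so the signature check is only meaningful outside the Windows directory.
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = "none"
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        Write-Host ("  {0}`n     signature: {1}, signer: {2}" -f $path, $sig.Status, $signer)
    }
}
```

Everything printed is a lead to look up, not something to delete: browser helper objects, toolbars and security products legitimately load DLLs from Program Files, which is exactly why the moderators below ask that such lists be reviewed in the HijackThis forum rather than acted on by the poster.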

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,992 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 02 March 2008 - 07:08 PM

Hello rafota and welcome to BC :flowers:

In order to assist you, we need to know a bit more information.

What is your operating system: Windows XP, Vista, etc.?

I had a Bagle virus that I removed in the quickest way someone explained somewhere in the web forum universe.


What did you do to remove it? Please be specific. It is possible that something you did in removing the Bagle virus has caused the internet connection issues you are having.

What security programs do you have installed?

Please do not use HiJack this or post the dll log. It is an advanced tool, and we use it only in the HJT forums. If we determine that you need to post to the HJT forum, we will provide instructions for doing so.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 rafota

rafota
  • Topic Starter

  • Members
  • 11 posts

Posted 04 March 2008 - 06:49 PM

Hi Da.One, hi Orange Blossom,
I'm gladly surprised by your quick response. I'm replying to you both in this message.
This is the reply for you, Orange Blossom.

OS:
I'm using Windows XP Home edition version 5.1 build 2600 SP2

Removal procedure:
I've used AVG Anti-Rootkit to remove c:\windows\system32\drivers\hldrrr.exe and c:\windows\system32\drivers\srosa.sys
After that I was able to install NOD32 and Spybot Search & Destroy, which are my only security. Before that I enabled the XP firewall and it still is. When NOD32 was up and running I let it find viruses, but I do not remember whether it found something or not. I did create as well two empty files called hldrrr.exe and srosa.sys in the respective folder in case the worm was still operative and wanted to clone itself.

I used combo-fix.exe, winsockxpfix.exe and registryboosterplc.exe, but I do not think they did any major changes.

Edited by Orange Blossom, 05 March 2008 - 12:10 AM.
Remove material not intended for this forum.


#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,992 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 05 March 2008 - 12:16 AM

Hello rafota,

Thank you for posting the file paths of what AVG rootkit removed. That is very helpful. I have edited out the Combofix and dll stuff in your previous post to keep it from being closed as your initial post did indeed conform to proper posting rules at BC. If you have any questions about this, don't hesitate to send me a PM.

Note: ComboFix and HiJack This logs or parts thereof should not be posted outside the HijackThis forums. Combofix is a powerful tool intended by its creator to be used under the direction of an expert. It is NOT for private use. You should NOT use Combofix unless a Malware Removal Expert has told you to. At Bleeping Computer, these experts do this ONLY in the HiJack This forum. Improper use of this tool can seriously damage your operating system and may even prevent it from starting again. Please read Combofix's Disclaimer.

At this point, I would like you to run a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:

#6 rafota

rafota
  • Topic Starter

  • Members
  • 11 posts

Posted 06 March 2008 - 02:32 PM

My partner got to it before me, clicked OK and restarted the computer. I am not sure everything was checked for it to get rid of, but I guess so. Anyway, I'll run it again in Safe Mode to double check.
Here's the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/06/2008 at 08:29 AM

Application Version : 4.0.1154

Core Rules Database Version : 3414
Trace Rules Database Version: 1406

Scan type : Complete Scan
Total Scan Time : 01:58:45

Memory items scanned : 160
Memory threats detected : 0
Registry items scanned : 5326
Registry threats detected : 0
File items scanned : 48940
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\celia and rafael\Cookies\celia and rafael@atdmt[1].txt
C:\Documents and Settings\celia and rafael\Cookies\celia and rafael@www.burstbeacon[2].txt
C:\Documents and Settings\celia and rafael\Cookies\celia and rafael@serving-sys[1].txt
C:\Documents and Settings\celia and rafael\Cookies\celia and rafael@adopt.euroclick[1].txt
C:\Documents and Settings\celia and rafael\Cookies\celia and rafael@cgi-bin[2].txt
C:\Documents and Settings\celia and rafael\Cookies\celia and rafael@adtech[1].txt
C:\Documents and Settings\celia and rafael\Cookies\celia and rafael@tribalfusion[1].txt
C:\Documents and Settings\celia and rafael\Cookies\celia and rafael@bs.serving-sys[2].txt

Trojan.Downloader-Gen/Suspicious
C:\PROGRAM FILES\WINRAR\WINRAR V3.51 KEYGENERATOR.EXE

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,992 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 06 March 2008 - 09:05 PM

Hello rafota,

Thanks for the log. I've consulted with some others about the internet connection issue and your log, and the suggestion is the following:

Go to Start > Run and type cmd
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset

Let us know how that works.

There are some other issues to address.

Am I right in thinking that there are two of you using the same user account? Is the account an administrative account or a limited account?

Was this

C:\PROGRAM FILES\WINRAR\WINRAR V3.51 KEYGENERATOR.EXE

deliberately downloaded?

Orange Blossom :thumbsup:
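The winsock reset above throws the catalog away, so there is nothing left to inspect if the symptom persists, as it does in the next post. The script below is an added example for this page, not something from the thread or from BleepingComputer: it saves the catalog first, lists any provider DLL outside %SystemRoot%\system32, and only then runs the reset. It assumes PowerShell (a separate download on XP), an administrative prompt, and the "Provider Path:" line format that `netsh winsock show catalog` prints on XP; the output file name is an arbitrary choice.

```powershell
# Added example (not from the thread or from BleepingComputer): save the Winsock provider
# catalog before resetting it, print provider DLLs that live outside the system directory,
# then run the reset Orange Blossom suggested. Assumes PowerShell, an administrative
# prompt, and XP's "Provider Path:" output format for "netsh winsock show catalog".
$before = "$env:USERPROFILE\Desktop\winsock-before.txt"   # output location is arbitrary
netsh winsock show catalog | Out-File -FilePath $before -Encoding ASCII

Write-Host "Provider DLLs outside the system directory (a triage list, not a verdict):"
Get-Content $before | ForEach-Object {
    if ($_ -match '^Provider Path:\s*(.+?)\s*$') {
        $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if ($path -notlike "$env:SystemRoot\system32\*") {
            Write-Host "  $path"
        }
    }
}

# The reset rebuilds the catalog from a clean default; it only takes effect after a reboot.
netsh winsock reset
Write-Host "Catalog saved to $before. Reboot, then compare against: netsh winsock show catalog"
```

A provider outside system32 is not automatically malicious: security products of the period (the poster's NOD32 among them) installed their own layered service providers. The point of saving the list is that the name and path of whatever was there survive the reset and can be quoted in the HijackThis forum if the connection keeps dropping.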

#8 rafota

rafota
  • Topic Starter

  • Members
  • 11 posts

Posted 07 March 2008 - 05:01 AM

Hi Orange Blossom,
Thanks for your dedication.

Am I right in thinking that there are two of you using the same user account?
Is the account an administrative account or a limited account?

It's an administrative one.

Was this
C:\PROGRAM FILES\WINRAR\WINRAR V3.51 KEYGENERATOR.EXE
deliberately downloaded?

It probably was... :-( :thumbsup:

About the CMD winsock command, I am sorry to let you know that it looked like it worked but the connection fails to stay alive.

I did another scan with SUPERAntiSpyware, without booting into Safe Mode, and it gave me this.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/07/2008 at 07:51 AM

Application Version : 4.0.1154

Core Rules Database Version : 3414
Trace Rules Database Version: 1406

Scan type : Complete Scan
Total Scan Time : 01:08:22

Memory items scanned : 322
Memory threats detected : 0
Registry items scanned : 5327
Registry threats detected : 0
File items scanned : 50818
File threats detected : 1

Trojan.Downloader-Gen/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP21\A0003148.EXE

Clicked the box and cleaned.


#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,992 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 07 March 2008 - 04:45 PM

Hello rafota,

There are security reasons why the administrative account should not be used for regular daily computing. One is that if something bad gets on board, using a limited account will also limit the damage.

Given that the keygenerator was "probably" deliberately downloaded, I suspect that you didn't download it, but your partner did - not good. I would password protect the administrative account and the administrative account found only in Safe Mode.

The use of keygens violates anti-piracy laws. The sites you get them from are loaded with malware. I've consulted with the malware experts, and they say that the presence of the keygen is likely the cause of your problems and that there is likely a bunch of other malware present. Unfortunately, that means that I'm going to have to send you to the HJT forum.

Please follow the directions in this guide. If you can't do a step, skip it and go on to the next. Then create an HJT log, you will find the directions in step 9 of the guide.

Create a new topic in this forum, not here and give it a good descriptive title. Briefly summarize what the problems are, what you have done to try to solve it, and what worked and didn't work and paste in your HJT log. Also, include the link to this thread and say that we sent you there.

After you post your log, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

Please post the link to your new thread as a reply to this topic so we know you are receiving help in the HJT forum.

Orange Blossom :thumbsup:
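Orange Blossom's advice on accounts (a limited account for daily use, passwords on the administrative account and on the built-in Administrator that XP Home shows only in Safe Mode) can be done from one prompt. The commands below are an added example for this page, not part of the thread; they assume PowerShell and an administrative prompt, and the account name `daily` is a placeholder. The trailing `*` makes net.exe prompt for each password instead of leaving it in the command history.

```powershell
# Added example (not from the thread): create a limited account for daily use and set a
# password on the built-in Administrator account, which on XP Home is the one that appears
# only in Safe Mode. Run from an administrative prompt. "daily" is a placeholder name.
$dailyUser = "daily"

net user $dailyUser * /add            # prompts for the password; new accounts land in Users
net localgroup Users $dailyUser /add  # harmless if net.exe already put it there
net localgroup Administrators $dailyUser /delete 2>$null   # make sure it is NOT an admin

net user Administrator *              # prompts; this is the Safe Mode administrator account

# Verify: "Local Group Memberships" should list Users and not Administrators.
net user $dailyUser
```

The shared account the poster describes stays an administrator for installing software; the change is that browsing and e-mail move to the limited account, so a keygen or drive-by download run from it cannot install drivers the way the Bagle dropper did.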



