
Browsers Crashing - Just Feels Like Malware


13 replies to this topic

#1 MrMiyagi (Members, 11 posts)

Posted 02 February 2010 - 09:48 AM

Hello. I am trying to help out a co-worker with his computer. His OS is Windows XP SP2 and he had AVG antivirus. His browsers continually crash and/or don't load pages when they are opened. This happens both with IE and Mozilla Firefox.

I recommended he change to McAfee or Avast and get Spybot, which he has since done. I ran a scan with Avast at system startup and it found nothing. Also, Spybot does not find anything. I then ran a scan with MalwareBytes, which also found nothing.

I really feel like there is something going on that is being missed. Also, there is an icon on the desktop without a name or a defined icon/logo. When I right-click it my only options are cut, create shortcut, and delete.

I realize the information is very thin here, but hopefully someone can help. Please bear with me, as it may take me a while to run through any actions that are proposed. Thank you for your help in advance.


#2 boopme (Global Moderator, 73,344 posts, NJ USA)

Posted 02 February 2010 - 04:22 PM

Hello, let's do one more scan as it may not be malware..

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 MrMiyagi, Topic Starter (Members, 11 posts)

Posted 03 February 2010 - 01:11 PM

Okay, ran the scan, the results are below. I did not disable McAfee which was running in the background. During the scan it (McAfee) popped a notice that 8306pL6i.sys was detected as a Generic.dx!11k Trojan and was deleted - this message would not go away. Also, after a while the scan said that the user ended the scan, which should not be the case, as I just let it go. Here are the results. Thank you for your help.


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Citrix\GoToAssist\GoToAssist_chat2way_application_462_en.exe probably unknown NewHeur_PE virus deleted - quarantined

#4 boopme (Global Moderator, 73,344 posts, NJ USA)

Posted 03 February 2010 - 02:47 PM

Hello, the malware you have found consists of backdoors. A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 MrMiyagi, Topic Starter (Members, 11 posts)

Posted 04 February 2010 - 08:27 AM

I attempted to run the Kaspersky scan this morning, but it is unavailable at the moment. So, I will run that once it is back up. For the time being, here is the MalwareBytes scan log. Thanks, again.


Malwarebytes' Anti-Malware 1.44
Database version: 3685
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

2/3/2010 3:09:49 PM
mbam-log-2010-02-03 (15-09-42).txt

Scan type: Quick Scan
Objects scanned: 130494
Time elapsed: 14 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\8306pL6i.sys (Rootkit.Agent) -> No action taken.

#6 boopme (Global Moderator, 73,344 posts, NJ USA)

Posted 04 February 2010 - 11:38 AM

Hello. First, in that log "No action taken" may mean you did not click the "Remove Selected" button.
Next we need a rootkit check. Also, if Kaspersky is still down, use ESET (below).

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

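As an added example (written for this edit; it is not code from the thread or from Malwarebytes), here is a small Python parser for the log layout posted above. It reads the per-category counts, pulls each detection together with its action, and flags entries whose action is "No action taken", which is the point boopme raises; it also reports when the header counts do not match the number of entries actually listed. The sample log is constructed to follow the posted format: the first file entry mirrors the one in the thread, while the second entry, its path and its "Quarantined and deleted successfully." action are invented to show what a removed item looks like.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# The first "Files Infected" entry mirrors the one posted in this thread; the
# second entry (path and action) is made up to show a removed item.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3685
Windows 5.1.2600 Service Pack 2

2/3/2010 3:09:49 PM
mbam-log-2010-02-03 (15-09-42).txt

Scan type: Quick Scan
Objects scanned: 130494
Time elapsed: 14 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\8306pL6i.sys (Rootkit.Agent) -> No action taken.
C:\Constructed\sample.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Files Infected: 2"  -> category + count (the summary block)
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<item> (<family>) -> <action>"  -> one detection line under a section header
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    category: str   # section the entry was listed under, e.g. "Files Infected"
    item: str       # file path or registry key
    family: str     # detection name, e.g. "Rootkit.Agent"
    action: str     # what the scanner did, e.g. "No action taken."

    @property
    def removed(self) -> bool:
        # Only a quarantine/delete counts as resolved; anything else is left on disk.
        return self.action.lower().startswith("quarantined and deleted")


def parse_mbam_log(text: str):
    """Return (summary counts by category, list of Detection) from one log."""
    summary: dict[str, int] = {}
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["category"]] = int(m["count"])
            continue
        if line.endswith(" Infected:"):        # e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return summary, detections


def triage(text: str) -> dict:
    """Summarise a log: total detections, items not removed, and whether the
    header counts agree with the entries actually listed."""
    summary, detections = parse_mbam_log(text)
    total = sum(summary.values())
    return {
        "total_detected": total,
        "unresolved": [d.item for d in detections if not d.removed],
        "count_mismatch": total != len(detections),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for item in result["unresolved"]:
        print("NOT REMOVED:", item)
    print(result)
```

Run against the log from post #5 the unresolved list would contain the driver path, which is exactly the case where the "Remove Selected" step was skipped and the detection is still present on the system.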

#7 MrMiyagi, Topic Starter (Members, 11 posts)

Posted 04 February 2010 - 02:03 PM

The "no action taken" is probably due to my clicking "save report" prior to "remove selected" as I was not sure if the program was going to close after I removed the items. The results of the RootRepeal scan are below. The ESET scan is currently running, and I will post those results when it is finished. Thank you.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/04 11:48
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5136000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE3E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1677000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\pure networks\log\logfile.nmctxth_exe.txt
Status: Allocation size mismatch (API: 4096, Raw: 456)

Path: c:\documents and settings\all users\application data\pure networks\log\logfile.nmsrvc_exe.txt
Status: Size mismatch (API: 21716, Raw: 20032)

==EOF==

#8 boopme (Global Moderator, 73,344 posts, NJ USA)

Posted 04 February 2010 - 03:12 PM

Are we still crashing?
btw, GoToAssist from the 1st log was probably an application by Citrix. They may have used an online support app for help or help with installing something online. It isn't really harmful but seen as an intrusion to the system (which it is). So it gets removed.. I say this as if they needed it they will have to reapply it.

#9 MrMiyagi, Topic Starter (Members, 11 posts)

Posted 05 February 2010 - 03:21 PM

Just thought I'd better give you an update. The ESET scan is running - going on 7 hrs now somewhere near 25% complete - I did not start it yesterday because I figured I would not be around for the finish. However, I will not be around the computer for this weekend either. So, early next week I will post the results of the scan.

We are no longer crashing, and the system seems to be running a little more smoothly. Also, there was a remote assistance session run on this computer at one time, as you suspected.

Thank you for bearing with me as I don't have a lot of time with the computer and have made it a one-step-at-a-time process.

#10 boopme (Global Moderator, 73,344 posts, NJ USA)

Posted 06 February 2010 - 02:18 PM

OK.. It is important that we get clean logs. Slow progress is cool with me..

#11 MrMiyagi, Topic Starter (Members, 11 posts)

Posted 08 February 2010 - 04:02 PM

Hello. The ESET scan completed and found no threats. At the scan completion screen I did not see an option to save the log, just finish.

#12 boopme (Global Moderator, 73,344 posts, NJ USA)

Posted 08 February 2010 - 04:37 PM

This will happen on occasion if there is no malware found. So is it running well now?

#13 MrMiyagi, Topic Starter (Members, 11 posts)

Posted 08 February 2010 - 05:03 PM

Yes, it seems to be running better, and Firefox works now. I will give another update tomorrow after he has used it for a day. Thank you for your help.

#14 MrMiyagi, Topic Starter (Members, 11 posts)

Posted 10 February 2010 - 01:33 PM

Everything seems to be working just fine now. Thank you very much for your help and patience.
