Firefox Won't Run


25 replies to this topic

#1 fastsigns


Posted 19 February 2010 - 11:24 AM

Hi All!

Not sure if I should be posting this in the anti virus section, but here goes:

I double click or right click and hit 'run' and nothing happens with both IE and Firefox.

Just recently had a problem with malware defense that seemed to go away. Also, recently did some updates from MS for XP, which included IE V7. I also updated it to V8. I don't use IE, but thought it might help. I also ran MalwareBytes, in safe mode, and it found a password infection that I told it to remove.

Any ideas, and thanks in advance?

Edited by Andrew, 23 February 2010 - 11:36 PM.
Mod Edit: Moved to more appropriate forum - AA



#2 Sashacat


Posted 23 February 2010 - 11:43 PM

Hello :thumbsup:

Remove Malware Defense (Uninstall Guide)
Posted by Grinler on December 19, 2009

http://www.bleepingcomputer.com/virus-remo...malware-defense

Please follow the steps in the removal guide above.

Please reply back with the results of the Malwarebytes' scan (copy/paste the entire contents of the scan results log into your next reply), and advise what symptoms, if any, you are still experiencing.
If we don't change the direction we are going,
We are likely to end up where we are headed.

#3 fastsigns


Posted 04 March 2010 - 11:03 AM

Thanks, Sashacat. I'll get back to you with results!

#4 fastsigns


Posted 04 March 2010 - 05:04 PM

OK, browsers still do not work after running through what you outlined. Here is the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3690
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2010 2:57:21 PM
mbam-log-2010-03-04 (14-57-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 171633
Time elapsed: 19 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\crntdll (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Also, printer connected via usb, now does not work either.

Thanks in advance for all your help! tm

#5 Sashacat


Posted 04 March 2010 - 06:21 PM

Hello :thumbsup:

Your Malwarebytes' database is OUTDATED.
Scan shows database version 3690.
Malwarebytes' is very good about updates, sometimes TWICE in one day.
In order for Malwarebytes' to do its best work for you, give it the most current database definitions.

Update your Malwarebytes' and scan again.

Use ATF Cleaner (free program)
http://www.atribune.org/index.php?option=c...5&Itemid=25
Instructions on web page.


Just to confirm, when following the steps in:
Remove Malware Defense (Uninstall Guide)
Posted by Grinler on December 19, 2009

http://www.bleepingcomputer.com/virus-remo...malware-defense
Did you follow the instructions in steps 3, 4, 5 and 6, and your internet is STILL not working?

Please reply back with the results of the next Malwarebytes' scan (after you update it), and do the same thing,
copy/paste the ENTIRE CONTENTS of the scan log into your next reply for an official staff member to help you with.
Also, in your next reply, state what, if any, symptoms you are still experiencing.

"only trained members of the following groups: Malware Response Team, Malware Study Hall Senior, Moderators or Administrators are allowed to help people with logs."

source:
http://www.bleepingcomputer.com/forums/t/126946/a-reminder-to-our-members-regarding-malware-logs/

#6 fastsigns


Posted 04 March 2010 - 06:48 PM

Thanks, I will rerun MalwareBytes AND then ATF Cleaner and get you a log.

FYI, yes, I checked for proxy server setting for Explorer, but I don't know where to look for that for Firefox, as the program does not even come up to get to the settings. Again, it's not that the browsers don't connect, they don't run.

Thanks again! tm

#7 Sashacat


Posted 04 March 2010 - 07:04 PM

Ok, am clear now....."don't run" is indeed different than "don't connect".

Just curious, are you having the "don't run" thing with OTHER programs as well, or only Firefox and IE?
Sometimes malware will prevent you from running all (or most) programs.

#8 Sashacat


Posted 04 March 2010 - 07:12 PM

Hello again :thumbsup:
I did not know how to check for proxy settings in Firefox either, so I went hunting.

I have Firefox 3.6 and this is where I found it in mine (and my Firefox is working):
Tools, Options, Network tab
Top section is Connection (says Configure how Firefox connects to the Internet).
Hit the Settings button.
Mine has a radio dot next to:
"No proxy".

#9 fastsigns


Posted 05 March 2010 - 10:43 AM

Thanks for the responses.

The browsers seem to be the only programs that don't work, but as I said, usb printer stopped working at the same time.

With regard to connection settings in Firefox, I know where they are, but you can't get to them if firefox won't run.

#10 techextreme


Posted 05 March 2010 - 11:00 AM

First, Download rkill.com to your desktop.

Double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by these Rogue programs when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate these Rogue Programs. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the instructions.

Once again Rerun Malwarebytes as directed and be sure to update it first. Be sure you run Malwarebytes in Normal ( not Safe ) Mode.

After running Malwarebytes, Reboot if it asks you to ( and even if it doesn't ). Then once again try opening Internet Explorer. If it will open and you can access the internet, then once again try FireFox.

The Proxy settings for each can be found by following this:

Check your Proxy settings in Internet Explorer to make sure malware did not alter them. If so, that can affect your ability to browse or download tools required for disinfection:

* Open Internet Explorer > click Tools > Internet Options > Connections tab.
* Click the LAN Settings... button and uncheck Use a proxy server for your LAN
or change the settings to the proxy you normally use if you previously reconfigured it.
* Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
* Click Ok and then click Ok again.
* Close Internet Explorer and restart the computer.
* An example of how to do this with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide.

Check your Proxy settings in Firefox to make sure malware did not alter them:

* Open Firefox, click Tools > Options > Advanced and click the Network Tab.
* Under the Connection section click on the Settings... button.
* Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
* Click Ok and then click OK again.
* Close Firefox and restart the computer.

For other browsers, please refer to How to configure browser proxy settings.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca
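
Added example (not from any poster in this thread): the Firefox steps above need the browser to open, which was not possible in this case. Firefox also stores these settings as `network.proxy.*` lines in the prefs.js file of the profile folder, so they can be read without launching it; the Python sketch below does that on a constructed prefs.js (sample values and function names are made up for illustration).

```python
import re

# Matches lines such as: user_pref("network.proxy.type", 1);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# network.proxy.type values and the matching choice in the Connection Settings dialog.
PROXY_MODES = {
    0: "No proxy",
    1: "Manual proxy configuration",
    2: "Automatic proxy configuration URL",
    4: "Auto-detect proxy settings",
    5: "Use system proxy settings",
}

def parse_value(raw):
    """Convert the right-hand side of a user_pref() call to bool, str or int."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw

def proxy_prefs(prefs_text):
    """Collect every network.proxy.* preference written in prefs.js."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            found[m.group(1)] = parse_value(m.group(2))
    return found

def summarize(prefs):
    """One-line description of the proxy mode, for comparison with what you expect."""
    mode = prefs.get("network.proxy.type")
    if mode is None:
        # prefs.js only records values the user (or something else) changed
        return "network.proxy.type not set in prefs.js (Firefox default applies)"
    label = PROXY_MODES.get(mode, "unknown mode %r" % (mode,))
    if mode == 1:
        return "%s: HTTP via %s:%s" % (label, prefs.get("network.proxy.http", ""),
                                       prefs.get("network.proxy.http_port", ""))
    if mode == 2:
        return "%s: %s" % (label, prefs.get("network.proxy.autoconfig_url", ""))
    return label

# Constructed sample (192.0.2.10 is a documentation address, not from this thread).
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.http", "192.0.2.10");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 1);
'''

print(summarize(proxy_prefs(SAMPLE_PREFS)))
```
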

#11 fastsigns


Posted 05 March 2010 - 01:39 PM

It works, oh master of the bits and bytes!!

No proxy servers were added. If you would like, I can send you the MB log. It found quite a bit of crapoly.

Thanks to all of you for your help!

tm

#12 boopme

  • Global Moderator

Posted 05 March 2010 - 04:10 PM

Please do post the malware bytes log.

#13 techextreme


Posted 08 March 2010 - 07:39 AM

Yes, as Boopme stated, please post your malwarebytes log so we can have a look and help you get cleaned up.

#14 fastsigns


Posted 08 March 2010 - 10:52 AM

Sorry for the delay, but here is the log file:

Malwarebytes' Anti-Malware 1.44
Database version: 3826
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/5/2010 11:03:40 AM
mbam-log-2010-03-05 (11-03-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 176928
Time elapsed: 19 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\0034.DLL (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appinit_dlls (Trojan.Witkinat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\crntdll (Trojan.Witkinat) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\0034.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\0034.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\0034.DLL (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\POS Client 2\Local Settings\Temp\000180.exe.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP550\A0018080.dll (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\DA.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_VOIDbwehrrbmkd.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_VOIDbwfvqtawwy.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_VOIDulqipyyufy.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_VOIDshsyst.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_VOID474a.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_VOID4b60.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_VOID4c7a.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_VOID541b.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wupd.dat (Malware.Trace) -> Quarantined and deleted successfully.

Also, usb printer working again, but won't scan. Probably on my end.

As always, thanks to all of you for your assistance! :thumbsup:

Edited by fastsigns, 08 March 2010 - 10:54 AM.


#15 Elise

  • Malware Study Hall Admin

Posted 09 March 2010 - 08:09 AM

Hello there :thumbsup:

Unfortunately your MBAM log shows a rootkit. It's possible MBAM took care of it, but please consider the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Now let's make sure the rootkit is gone indeed....

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft
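
Added example (not part of Elise's reply or of any tool named in this thread): a Python sketch that triages a Malwarebytes 1.44 text log the way the reply above reads it, listing families that call for escalation, objects still waiting on a reboot, AppInit_DLLs entries, and any section whose item count disagrees with the summary (a sign the paste is incomplete). The sample is abridged from the log in post #14 with counts adjusted to match; the escalation prefixes and function names are assumptions for illustration.

```python
import re
from collections import Counter

HEADER_RE = re.compile(r"^(.+ Infected):\s*(\d+)?$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")
# Assumption for this example: family prefixes that trigger the escalation advice.
ESCALATE = ("Rootkit.", "Trojan.Backdoor")

def parse_mbam(text):
    """Return (counts declared in the summary, list of detection records)."""
    declared, items, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        h = HEADER_RE.match(line)
        if h and h.group(2) is not None:      # summary line: "Files Infected: 15"
            declared[h.group(1)] = int(h.group(2))
        elif h:                               # detail header: "Files Infected:"
            section = h.group(1)
        elif section and (m := ITEM_RE.match(line)):
            # "rest" may carry "Data: ... -> <action>"; the action is the last hop
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            items.append({"section": section, "object": m["obj"],
                          "family": m["family"], "action": action})
    return declared, items

def triage(text):
    declared, items = parse_mbam(text)
    parsed = Counter(i["section"] for i in items)
    return {
        "escalate": sorted({i["family"] for i in items
                            if i["family"].startswith(ESCALATE)}),
        "pending_reboot": sorted({i["object"] for i in items
                                  if i["action"] == "Delete on reboot"}),
        "appinit_dlls": [i["family"] for i in items
                         if i["object"].lower().endswith("\\appinit_dlls")],
        # A mismatch means the pasted log is truncated or was edited.
        "count_mismatch": {s: (n, parsed[s]) for s, n in declared.items()
                           if n != parsed[s]},
    }

# Constructed sample: abridged from the log in post #14, counts adjusted to match.
SAMPLE = r"""
Memory Modules Infected: 1
Registry Data Items Infected: 1
Files Infected: 3
Memory Modules Infected:
C:\WINDOWS\system32\0034.DLL (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\0034.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\0034.DLL (Trojan.Agent) -> Delete on reboot.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP550\A0018080.dll (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_VOIDshsyst.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""
print(triage(SAMPLE))
```
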




