
Firefox hanged on forever, tabs were unresponsive and had to close the browser


  • This topic is locked
39 replies to this topic

#1 Ceerg

Ceerg

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 21 April 2017 - 10:36 PM

While Firefox was hanging, the pages were just white and there was some kind of loading circle in the middle. The tabs were unresponsive or really slow to react when switching. Even though I recently wiped the SSD, I'm a little more worried because I had a chat with my friend and he posted some Windows updater crack site link (we were talking about possible viruses on his computer), and I fear I might have accidentally clicked that link. (I don't use cracked software.)

Here are the Farbar logs.

Attached Files





#2 Ceerg


Posted 22 April 2017 - 11:22 PM

----


Edited by Ceerg, 22 April 2017 - 11:32 PM.


#3 Ceerg


Posted 22 April 2017 - 11:35 PM

---


Edited by Ceerg, 23 April 2017 - 12:12 AM.


#4 Ceerg


Posted 23 April 2017 - 12:23 AM

Never mind those original logs; please analyze these ones. I recently opened the thread https://www.bleepingcomputer.com/forums/t/645027/another-kmspico-virus/ and someone had posted an image of a woman there with gibberish text. That looks really shady; maybe that image can infect a PC with malware via a drive-by attack?

Here are the Farbar logs.

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:16 AM

Posted 25 April 2017 - 07:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.

What problems do you have with this computer?

#6 Ceerg


Posted 25 April 2017 - 08:21 AM

Firefox has got stuck two times loading pages, with a spinning wheel in the middle of an empty page. It could be explained by an add-on conflicting with multiprocessing, but I only have NoScript and uBlock, so maybe a virus.

Also, in general I'm pretty paranoid about this PC, because my mouse apparently moved by itself some time ago when I was watching a video. The progress bar of the video player showed up, and that only happens if the mouse is moved around. I've had a secure erase on the SSD since then, though, but I'm still worried the current OS install would have something, if I had spyware.

#7 nasdaq


Posted 25 April 2017 - 09:45 AM

Let's check further.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed, it will create a log. Please post the content in your next reply.
===

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUMs] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report
  • Click the Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#8 Ceerg


Posted 25 April 2017 - 10:36 AM

I have scanned the PC with rkill.com, RogueKiller, Sophos, Avast, Malwarebytes, ESET Online Scanner, F-Secure Online Scanner, and HitmanPro. None of these found anything.

What else can be done?

#9 Ceerg


Posted 25 April 2017 - 10:45 AM

Here is the Rkill log:

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/25/2017 06:44:06 PM in x64 mode.
Windows Version: Windows 10 Home

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * DcpSvc [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]

 * agp440 [Missing ImagePath]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * RetailDemo => %SystemRoot%\System32\svchost.exe -k rdxgroup [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 04/25/2017 06:44:15 PM
Execution time: 0 hours(s), 0 minute(s), and 8 seconds(s)
 



#10 Ceerg


Posted 25 April 2017 - 11:11 AM

RogueKiller V12.10.6.0 (x64) [Apr 24 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.15063) 64 bits version
Started in : Normal mode
User : CHEW [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/25/2017 19:00:06 (Duration : 00:09:36)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{412a07c7-c6b5-4a57-b97d-4cada6dd9192} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3795232181-68720890-2366713165-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3795232181-68720890-2366713165-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Program Files\Windows Security -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500GB +++++
--- User ---
[MBR] f660937005bb7bf5539c02d3512412c0
[BSP] 57783f4c7b553d839bb099634ff37296 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 476438 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 



#11 Ceerg


Posted 25 April 2017 - 12:07 PM

I ran the setup with admin rights via right-click to make sure it was properly done, and also clicked the shortcut on the desktop with admin rights. The log seems to look the same, though. The weird thing is that when I type roguekiller in the search bar and it shows the program there, clicking RogueKiller doesn't do anything; it doesn't open the program that way. The search works on Avast etc.

 

RogueKiller V12.10.6.0 (x64) [Apr 24 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.15063) 64 bits version
Started in : Normal mode
User : CHEW [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/25/2017 19:49:01 (Duration : 00:09:52)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{412a07c7-c6b5-4a57-b97d-4cada6dd9192} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3795232181-68720890-2366713165-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3795232181-68720890-2366713165-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Program Files\Windows Security -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500GB +++++
--- User ---
[MBR] f660937005bb7bf5539c02d3512412c0
[BSP] 57783f4c7b553d839bb099634ff37296 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 476438 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 



#12 nasdaq


Posted 25 April 2017 - 12:54 PM



Avast is protecting against the running of RogueKiller.

Run RogueKiller as you did previously and remove the entries.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{412a07c7-c6b5-4a57-b97d-4cada6dd9192} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][]) -> Found


The default values will be used.

What is the current issue?

#13 Ceerg


Posted 25 April 2017 - 03:04 PM

Why do those entries need to be removed? Aren't those normal?
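
Added example, not part of the thread and not RogueKiller's own code: a small Python triage of the [PUM.Dns] report lines quoted above that labels each listed name server by address scope. The function names, the verdict labels and the fourth sample line (a constructed NameServer entry pointing at a public resolver) are assumptions for illustration.

```python
import ipaddress
import re

# Matches RogueKiller [PUM.Dns] report lines in the format shown in the thread.
# The trailing "([-][])" field is skipped: the page does not say what it means.
PUM_DNS = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>.+?)\s+\|\s+"
    r"(?P<name>\w+)\s+:\s+(?P<value>[0-9. ]+?)\s+\(.*?\)\s*->\s*(?P<state>\w+)$"
)

def classify(addr):
    """Label one name-server address by scope."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_unspecified:
        return "unspecified"  # 0.0.0.0 is a placeholder, not a usable resolver
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"      # e.g. 192.168.0.0/16, normally the LAN router
    return "public"

def triage(report):
    """Return (value name, {address: scope}, verdict) per [PUM.Dns] line."""
    findings = []
    for line in report.splitlines():
        m = PUM_DNS.match(line.strip())
        if not m:
            continue  # other PUM types and blank lines are ignored
        scopes = {a: classify(a) for a in m.group("value").split()}
        # "review": a public resolver is set; confirm it is one you chose.
        verdict = "review" if "public" in scopes.values() else "local"
        findings.append((m.group("name"), scopes, verdict))
    return findings

# Lines 1-3 are copied from the thread; line 4 is constructed for illustration.
SAMPLE = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{412a07c7-c6b5-4a57-b97d-4cada6dd9192} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3795232181-68720890-2366713165-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | NameServer : 8.8.8.8 ([-][])  -> Found
"""

if __name__ == "__main__":
    for name, scopes, verdict in triage(SAMPLE):
        print(f"{name}: {scopes} -> {verdict}")
```

A "local" verdict only means every listed server is inside the local network or unspecified; it says nothing about which upstream resolver the router itself uses.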

#14 Ceerg


Posted 25 April 2017 - 08:59 PM

I scanned with TDSSKiller and it found 4 threats.

 

http://i.imgur.com/Sj5QcRe.png

 

Those seem to be false positives, but can you confirm?



#15 nasdaq


Posted 26 April 2017 - 07:21 AM

RogueKiller item.
"Why do those entries need to be removed? Aren't those normal?"

([-][]) What is this?

As I said, the default values will be set. Please run it.

===
 

"I scanned with TDSSKiller and it found 4 threats.

http://i.imgur.com/Sj5QcRe.png

Those seem to be false positives, but can you confirm?"


They look good. Since I cannot copy the image, I'm unable to check the MD5 or SHA values.
Please copy and paste the results of any log in a post. It's not convenient for me to open saved images.

===

Quoted from your post No. 6
 

"Firefox has got stuck two times loading pages, with a spinning wheel in the middle of an empty page. It could be explained by an add-on conflicting with multiprocessing, but I only have NoScript and uBlock, so maybe a virus.

Also, in general I'm pretty paranoid about this PC, because my mouse apparently moved by itself some time ago when I was watching a video. The progress bar of the video player showed up, and that only happens if the mouse is moved around. I've had a secure erase on the SSD since then, though, but I'm still worried the current OS install would have something, if I had spyware."


Remove Firefox using the instructions on this page.
https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer

Before proceeding save your Bookmarks.
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Install the latest version of the application.

You can then import them to the new version of Firefox.

If you want to save your Firefox Password manager -
Remember, delete and change saved passwords in Firefox
https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-passwords
<<<>>>

If the problem with the moving cursor persists and you are using an external mouse, disable the touchpad.

Google this string: enable touchpad windows 10. The instructions may not be the same for all computer models.
Check it out.

Keep me posted.



