Firefox and Opera struggling with loading webpages

6 replies to this topic

#1 labarthe

labarthe

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 14 July 2017 - 04:46 PM

OS: Windows 6.0.6002 SP2 (Windows Vista Business SP2 32-bit)

Main browser: Mozilla Firefox ESR 52.2.1 32-bit

2nd browser: Opera 36.0.2130.80 32-bit

3rd browser (using now): Pale Moon 27.4.0 32-bit

 

First of all, I'm really sorry for the massive wall of text, but the "Before you post..." thread said to be as specific as I can ...

As of yesterday (13.07.2017), at approximately 19:00, Firefox started struggling while loading a YouTube video. Download speed started OK but quickly dropped to 0 kbytes/sec. Soon enough I couldn't open any webpage at all. I called my ISP thinking that was their problem, but there was nothing wrong on their side. They said it might be malware, but I brushed it off because I'm usually very cautious. [I have VirusTotal Uploader installed and I check every exe, even from trusted sources, before running it. If there are more than 2 detections, I don't run the exe. However, I have JavaScript enabled.] I reset Firefox to its default settings and created a new user profile, which gave no improvement. Next I uninstalled Firefox and installed it again, to no result. I ran Pale Moon (a Firefox fork) and everything was opening properly there. I then ran Opera, which had the same problems as Firefox. I turned off my PC for the day and went to sleep, deciding to investigate the matter further the next day.

 

Today (14.07.17) I ran a Threat Scan with MBAM Free with database version v2017.07.14.08, which gave no results. I then ran a quick scan with Avast Free, which I use as my main antivirus. It found Win32:Evo-gen [Susp] in "C:/Program Files/Microsoft DirectMusic Producer/ScriptStripMgr.dll". [The DirectMusic software was something I downloaded myself from microsoft.com. I haven't used it in a long time.]

I copied the whole folder, archived it and uploaded it to VirusTotal, which didn't find anything in any of the files contained in the archive. I then looked at the Firefox process in Process Explorer and saw "C:/Program Files/Microsoft DirectMusic Producer" as an open file handle. That really startled me. I closed the handle and deleted the DirectMusic folder. That's where I thought my PC might really be infected with something like Sality. I proceeded to download GMER (the download "Failed" a number of times, but I obtained it in the end). I ran a scan, which presented me with some cryptic registry entries. While the scan was running, I looked around in system32/drivers, various Temp folders, Appdata/Local, LocalLow, Roaming, DLLs used by processes in Process Explorer, some registry keys often used by malware, the Autorun, Services, but found nothing unusual (to my inexperienced eye) or any VirusTotal detection in Process Explorer.

 

After the scan I also turned off several devices in Device Manager, namely "6TO4 Adapter" and 7 devices named "isatap.{4C4081C0-8149-4430-ACDA-95FD058FAB8F}". They had been marked with an exclamation mark prior to that. I can't say if these had been there before - I don't remember. Two of the registry keys presented by GMER pointed to these devices.
 

I don't have any problems running Avast, MBAM, Regedit and Procexp. Nor has CPU usage increased above normal. I have also tried temporarily disabling Avast.

However, none of these measures gave any improvement.

 

I have Combofix ready just in case, haven't run it yet. I also had to rename it to iexplore to be able to download it, which I thought was suspicious.

Prior to the whole shebang, I hadn't installed any new software, system update, driver update, or hardware. However, I have automatic updates turned on for a lot of software. I have UAC on and hadn't encountered anything suspicious today, yesterday, or the day before that. I'm also using Windows Firewall, but I had incoming connections enabled until today (I disabled them manually).

 

This leads me to The Question. Am I infected with malware? How to proceed next? Should I run Combofix or turn my PC off for the day?

 

Thanks to everyone in advance. Sorry again for the long text.


Edited by labarthe, 14 July 2017 - 04:51 PM.

#2 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:09 PM

Posted 14 July 2017 - 04:50 PM

Do the following malware checks and post the logs...

Download and run AdwCleaner -

https://www.bleepingcomputer.com/download/adwcleaner/

Run Malwarebytes Anti-Malware again (we want to see the log)

Download and run the portable version of Zemana Anti-Malware

https://www.zemana.com/en-US/Download

Download and run Junkware Removal Tool -

https://www.bleepingcomputer.com/download/junkware-removal-tool/

Create a System Restore point first.

 

 

Additionally, Avast is known for performance issues.

 

Win32:Evo-gen is a broad classification used by Avast to indicate a potentially malicious program.


Edited by jwoods301, 14 July 2017 - 04:53 PM.


#3 labarthe

labarthe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 15 July 2017 - 05:49 AM

Thanks for your reply!

I think I might have located the issue - according to this thread @ Avast forum, it has to do with HTTPS scan and Intelligent Stream Scanning and is apparently specific to Vista and XP. I turned these two off and was able to access sites and watch videos with no problem at all. Strangely, that wasn't the case when I tried to turn Avast off altogether.

The logs are posted below. NB: The "Mail.ru" folder and entries are leftovers from a previous legitimate installation of Mail.ru Games, which was uninstalled long ago. The "At1.job" file was something I made, trying to create a task that would automatically connect me to the Internet on logon using Rasdial. I use a batch file (written by me) for this now. The IE homepage is a legitimate site I use. However, I don't know what the deal is with JRT deleting wininit.ini ...

 

MBAM log

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 15.07.2017
Scan Time: 11:40:23
Logfile: mbam.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.07.15.03
Rootkit Database: v2017.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 276172
Time Elapsed: 23 min, 40 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

 

 

ADWCLEANER Log

 

# AdwCleaner v6.047 - Logfile created 15/07/2017 at 11:36:06
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-13.1 [Local]
# Operating System : Windows Vista ™ Business Service Pack 2 (X86)
# Username : user - home
# Running from : C:\Users\user\Desktop\A1dw1Cleaner1.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found:  C:\Users\user\AppData\Local\Mail.Ru


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKU\S-1-5-21-1437188046-3075083938-996683759-1000\Software\Mail.Ru
Key Found:  HKCU\Software\Mail.Ru


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1773 Bytes] - [15/07/2017 11:32:27]
C:\AdwCleaner\AdwCleaner[S1].txt - [1181 Bytes] - [15/07/2017 11:36:06]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1254 Bytes] ##########
 

 

 

 

ZEMANA Log

 

Zemana AntiMalware 2.74.2.76 (Portable)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017.7.15
Operating System       : Windows Vista 32-bit
Processor              : 2X Genuine Intel® CPU2160 @ 1.80GHz
BIOS Mode              : Legacy
CUID                   : 121428BE1CDDA73A1E61F3
Scan Type              : System Scan
Duration               : 26m 6s
Scanned Objects        : 110694
Detected Objects       : 3
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Disabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Internet Explorer Homepage
Status             : Scanned
Object             : http://fgis.economy.gov.ru/fgis/Strategis.FGISTestPageFGIS.aspx
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Homepage

mail.ru
Status             : Scanned
Object             : NE->c:\users\user\appdata\local\mail.ru
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/Mail.Ru.C!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)

at1.job
Status             : Scanned
Object             : NE->c:\windows\tasks\at1.job
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Malware:Win32/Generic.C1!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
 

 

 

 

JRT Log

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows Vista ™ Business x86
Ran by user (Administrator) on 15.07.2017 at 13:14:34,15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 20

Successfully deleted: C:\Program Files\mozilla firefox\defaults\pref\itms.js (File)
Successfully deleted: C:\Windows\System32\Tasks\At1 (Task)
Successfully deleted: C:\Windows\Tasks\At1.job (Task)
Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\32X81VR5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G6OVODEY (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4UT8LBL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ITENREQ7 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KSQLIHV3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M3BBXITZ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OYVNS5FE (Temporary Internet Files Folder)
Successfully deleted: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6ARMZ1K (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\32X81VR5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G6OVODEY (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4UT8LBL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ITENREQ7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KSQLIHV3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M3BBXITZ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OYVNS5FE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6ARMZ1K (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15.07.2017 at 13:18:26,62
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#4 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:09 PM

Posted 15 July 2017 - 03:24 PM

It appears your system is clean.

 

Avast itself is known for performance issues.

 

I would not recommend it.



#5 labarthe

labarthe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 15 July 2017 - 03:41 PM

Thanks very much for your help, jwoods301!

It's only because Microsoft Security Essentials and Windows Defender are no longer available on Vista that I was forced to move on to other AVs. I've tried Avira, but that was a much, much worse resource hog. Could I ask for any recommendations? Thanks in advance.



#6 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:09 PM

Posted 15 July 2017 - 03:46 PM

The free Panda Cloud is one I recommend.

 

http://www.pandasecurity.com/usa/homeusers/solutions/free-antivirus/



#7 labarthe

labarthe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 15 July 2017 - 03:54 PM

Thanks a lot!