IE stops responding

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by trowell, Sep 12, 2005.

  1. trowell

    trowell Private E-2

    Do you have any clues or suggestions regarding the possible reason for my internet connection to freeze? It never seems to happen while I'm actively involved with the PC, but when I leave it for a while (say 15 minutes, at a guess) I am locked out and have to reboot in order to re-establish a connection. I have all the usual malware protection installed and running. I did wonder if there might be something in the preferences in IE itself; I searched but found nothing suggestive of a solution. Thanks for your time. Regards from Trowell Cymru.
     
  2. Tourangh

    Tourangh Master Sergeant

    I had a similar problem when I had a major virus and spyware problem; you could maybe look into that more. I recommend reading the stickies in the spyware-specific area.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

     
  4. trowell

    trowell Private E-2

    Chaslang...

    I have been able to run all of the utils and scans suggested on the "read this first" sticky, except for the online "Trojanscan" app.

    Significant finds included 8 unidentified files found with HSREMOVE which, when run back to back, keep reappearing.

    RAV on-line scan log:

    Scan started at 12/10/2005 21:31:47

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\5-11-2-1.exe->(UPXW) - Tool:pornDialer.S -> Infected
    C:\WINDOWS\Downloaded Program Files\910000_213466_.exe->(UPXW) - TrojanDropper:Win32/Dialer.EH -> Suspicious
    D:\WINDOWS\wldr.dll - TrojanDownloader:Win32/Agent.BS -> Infected
    D:\Program Files\WinRAR\Uninstall.exe - Backdoor:Win32/Poebot.E -> Suspicious

    Scanned
    ============================
    Objects: 70279
    Directories: 5018
    Archives: 8825
    Size(Kb): 1519221
    Infected files: 2

    Found
    ============================
    Viruses found: 2
    Suspicious files: 2
    Disinfected files: 0
    Mail files: 531


    The system seems marginally less troublesome after all this, but it is not as good as it was; data streaming seems erratic, and "refresh" helps sometimes but not always. Also, I keep getting an extremely annoying pop-up browser window with the address "connection-internet........".

    I do wonder if I have suspect sites allowed in my (ZoneAlarm) firewall, and if I have Windows IE security limits set correctly?

    Any ideas would be great. If you need more info, don't hesitate.

    many many thanks from

    Trowell
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ ME does not ask you to run HSremove. Are you looking at an old version of the READ ME? Look at the link I gave to you again. HSremove is only needed for HSA hijacker problems anyway and it always reports 8 items even on clean systems (this is a known bug).

    Download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the msvrl.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move msvrl.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {0578C92A-33C4-49AF-ADBF-8A9D71E5F875} - D:\WINDOWS\System32\oojpaa.dll (file missing)
    O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {23945724-C478-4894-B228-656CA8AAD012} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {23945724-C478-4894-B228-656CA8AAD012} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {24842510-73F4-43B3-BC54-56104AF297AC} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {24842510-73F4-43B3-BC54-56104AF297AC} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {2EEC6F73-4614-418A-BA42-365651D84B76} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2EEC6F73-4614-418A-BA42-365651D84B76} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {3F4BFCDB-76C9-4A68-BC18-147C16285406} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3F4BFCDB-76C9-4A68-BC18-147C16285406} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {43BB8F3C-54AD-4716-8CDE-EAE71BFF6488} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {43BB8F3C-54AD-4716-8CDE-EAE71BFF6488} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {7AD09030-1939-4C7C-8FAB-A39D412C55D1} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7AD09030-1939-4C7C-8FAB-A39D412C55D1} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {8126E354-A89B-4DE9-9CC4-65CA327ED157} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8126E354-A89B-4DE9-9CC4-65CA327ED157} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {B14ED778-017D-4589-82A9-F9BC8471B4FF} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B14ED778-017D-4589-82A9-F9BC8471B4FF} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {B600BCE0-64C0-499B-936D-D6E55AAFEC46} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B600BCE0-64C0-499B-936D-D6E55AAFEC46} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {DD973AD2-F104-4A5A-A6AB-D51CA925ECEE} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DD973AD2-F104-4A5A-A6AB-D51CA925ECEE} - (no file) (HKCU)
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll <--- all of these should already be gone due to running LSP fix earlier
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    D:\WINDOWS\System32\oojpaa.dll
    d:\windows\system32\internat.dll
    d:\windows\system32\msvrl.dll

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
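
Added example, not part of the original post and not HijackThis's own code: a small Python triage helper for entry lines in the format listed above. It collapses the repeated entries, lists the ones whose target file is gone, and counts how many times each DLL appears in the Winsock LSP chain. The sample lines are copied from the post; the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Entry lines copied from the list in the post above (a subset of it).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {0578C92A-33C4-49AF-ADBF-8A9D71E5F875} - D:\WINDOWS\System32\oojpaa.dll (file missing)
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll <--- all of these should already be gone due to running LSP fix earlier
O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\msvrl.dll
"""

ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)", re.IGNORECASE)
LSP_RE = re.compile(r"^Unknown file in Winsock LSP:\s*(.+)$", re.IGNORECASE)


def parse_entries(text):
    """Return (section, detail) pairs, e.g. ("O2", "BHO: ...")."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            # Drop helper annotations such as "<--- ..." appended to a line.
            detail = match.group(2).split("<---")[0].rstrip()
            entries.append((match.group(1), detail))
    return entries


def summarize(text):
    """Collapse duplicates and pull out the entries that need attention."""
    entries = parse_entries(text)
    lsp = Counter()
    for section, detail in entries:
        match = LSP_RE.match(detail) if section == "O10" else None
        if match:
            lsp[match.group(1).lower()] += 1
    return {
        "per_section": dict(Counter(section for section, _ in entries)),
        # Registry entries whose target file no longer exists on disk.
        "orphaned": [d for s, d in dict.fromkeys(entries) if ORPHAN_RE.search(d)],
        # LSP chain registrations per DLL; one DLL can be registered many times.
        "lsp_chain": dict(lsp),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=", value)
```

A DLL that still shows up under `lsp_chain` is still registered in the Winsock chain, which is why the post has LSP-Fix run before the file itself is deleted.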
     
  6. trowell

    trowell Private E-2

    chaslang

    Thanks for your reply. Here is the latest HJT log. It's taken ages as the connection is still really slow and intermittent. I carried out your recommendations and at some point toward the end (after rebooting) I lost the Winsock settings; these are, I assume, reset as I can connect once more, albeit "limping along". Any further help would be very much appreciated.

    regards from

    Trowell
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What type of connection to the internet do you have (dial-up, cable, dsl)?
    Have you disabled the WinXP SP2 firewall?

    You may be having problems updating your Sophos AV with ZoneAlarm enabled. Try disabling ZoneAlarm and updating your Sophos. The line below makes me think this:

    D:\WINDOWS\TEMP\sotmp1.dir\ALUpdate.exe
     
  8. trowell

    trowell Private E-2

    Hello chaslang.
    My internet connection is via broadband. Yes, I have had a real headache trying to update Sophos AV, and finally this morning I got all the updates loaded before the system stopped again. The MSW SP2 firewall is switched on. Why... should I be switching this off?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Because you should never use more than one software firewall and you have ZoneAlarm. In addition the WinXP SP2 firewall is not an adequate firewall to begin with and also only provides incoming protection. It is also wasteful of system resources and can cause conflicts between the two programs.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure that you really have to reboot to recover from what you are calling a "lockup"?

    When the problem occurs, you should just check to make sure your connection is still working by using a command prompt window to send some pings to a few addresses. Like:

    ping www.google.com

    and then try:

    ping 66.102.7.99

    These both ping Google, but the second method bypasses any possible DNS issues (DNS = Domain Name Server, which is used to translate URLs into IP addresses).
     
  11. trowell

    trowell Private E-2

    Hello chaslang

    I followed your instructions and came up with the following:

    Microsoft(R) Windows DOS
    (C)Copyright Microsoft Corp 1990-2001.

    D:\DOCUME~1\TROWELL>ping www.google.com
    Ping request could not find host www.google.com. Please check the name and try again.

    D:\DOCUME~1\TROWELL>ping 66.102.7.99

    Pinging 66.102.7.99 with 32 bytes of data:

    Request timed out.
    Reply from 66.102.7.99: bytes=32 time=174ms TTL=235
    Reply from 66.102.7.99: bytes=32 time=173ms TTL=235
    Reply from 66.102.7.99: bytes=32 time=174ms TTL=235

    Ping statistics for 66.102.7.99:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 173ms, Maximum = 174ms, Average = 173ms

    Any ideas?

    Thank you
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This means that your connection is still there and that it is not locked up. It sounds like you are having a problem with your DNS server. What kind of connection do you have (dial-up, Cable, DSL)? And do you use a router?

    Next time you get what you have been calling "locked up", use the IP address I gave you and put it in the address bar of Internet Explorer and see if it connects you to Google.

    You can also try running the below command from the command prompt window:

    ipconfig /flushdns
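
Added example, not part of the original posts: the name-versus-IP ping comparison used in this exchange, written as a Python classifier over the console output. The sample text is the output posted in the thread; the function names and verdict strings are assumptions made for illustration, and the parsing assumes English-locale Windows `ping` output.

```python
import re

# Console output as posted in the thread (English-locale Windows ping).
BY_NAME = ("Ping request could not find host www.google.com. "
           "Please check the name and try again.")
BY_IP = """Pinging 66.102.7.99 with 32 bytes of data:

Request timed out.
Reply from 66.102.7.99: bytes=32 time=174ms TTL=235
Reply from 66.102.7.99: bytes=32 time=173ms TTL=235
Reply from 66.102.7.99: bytes=32 time=174ms TTL=235

Ping statistics for 66.102.7.99:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
"""


def parse_ping(output):
    """Return (resolved, sent, received) from one ping run's output."""
    if re.search(r"could not find host", output, re.IGNORECASE):
        return (False, 0, 0)  # lookup failed, so no packet was ever sent
    stats = re.search(r"Sent = (\d+), Received = (\d+)", output)
    if not stats:
        raise ValueError("no ping statistics in output")
    return (True, int(stats.group(1)), int(stats.group(2)))


def diagnose(by_name_output, by_ip_output):
    """Classify the fault from a ping by host name and a ping by literal IP."""
    resolved, _, name_replies = parse_ping(by_name_output)
    _, ip_sent, ip_replies = parse_ping(by_ip_output)
    # Packet loss on the literal-IP run, as a percentage.
    loss = round(100.0 * (ip_sent - ip_replies) / ip_sent, 1) if ip_sent else None
    if resolved and name_replies > 0:
        verdict = "ok"                 # name resolves and the host answers
    elif ip_replies == 0:
        verdict = "no-connectivity"    # no path out, DNS cannot be judged
    elif not resolved:
        verdict = "dns-failure"        # path works, name lookup does not
    else:
        verdict = "host-unreachable"   # name resolved, that host is silent
    return verdict, loss


if __name__ == "__main__":
    print(diagnose(BY_NAME, BY_IP))
```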
     
  13. trowell

    trowell Private E-2

    Chaslang hello again

    I am using an ADSL router to connect to the internet.

    Putting "66.102.7.99" into my address bar did indeed bring up the google search page.

    I also ran the following at the command line prompt:

    D:\DOCUME~1\TROWELL>ipcomfig/flushdns
    'IPCOMFIG' is not recognized as an internal or external command,
    operable program or batch file.

    D:\DOCUME~1\TROWELL>ipconfig

    Windows IP Configuration


    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.1.3
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    IP Address. . . . . . . . . . . . : ?
    Default Gateway . . . . . . . . . : 192.168.1.1

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : ?
    Default Gateway . . . . . . . . . :

    D:\DOCUME~1\TROWELL>flushdns
    'FLUSHDNS' is not recognized as an internal or external command,
    operable program or batch file.

    onwards and upwards !

    regards

    Trowell
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You spelled it wrong. Try it again:

    ipconfig /flushdns

    Don't forget the space between ipconfig and /flushdns.
     
  15. trowell

    trowell Private E-2

    I despair... not sure now what else to try (except a new computer). Seriously though, this is nuts... I try to download a file and can see the transfer rate getting slower and slower... time after time it stops. The DNS experiments show that the connection is active, and "flushing" is perhaps doing something but is very short-lived, if at all. I'm lost... perhaps I should try fishing.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using Mozilla Firefox instead of Internet Explorer. Let me know if it works OK or if you still have the same problems when you use it.
     
