Browser Keeps Shutting Down - Please Help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nottooknowledgeable, Aug 12, 2006.

  1. nottooknowledgeable

    nottooknowledgeable Private E-2

    Hello, I'm really glad I found this forum. My computer's almost completely down now. Have Windows 2000. The main problem is that the windows of the internet explorer browser keep on closing randomly. The windows either disappear forever into the background, or more commonly, I'm informed that internet explorer has to shut down and then the browser freezes and has to be shut down. Also, the entire computer has shut itself down a couple times already. Another problem is that I keep on getting the "<process has already exited> has generated errors and will be closed by windows program error message" -- it happened at least a couple dozen times while I was running spybot.

    I've installed and run lavasoft ad-aware and spybot search and destroy, but that didn't solve the problem. I've also checked add and remove programs and removed all suspicious-looking programs. I think the problem might've been caused by installing aol/aim, but I've removed it already. I've also installed and run Hijack This, and I'm posting the log below. I'd really appreciate any assistance. Can't work on my computer at this point till resolved, unless I want to risk losing what I'm typing. :rolleyes: Thanks a lot in advance! :)

    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
     
    Last edited by a moderator: Aug 12, 2006
  2. nottooknowledgeable

    nottooknowledgeable Private E-2

    Sorry! Didn't notice the READ & RUN ME FIRST before posting. My bad. I'll follow the directions on that page first. Thanks.
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Once you're done, attach the following logs.
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender (Step 6)
    • Panda Scan (Step 6)
    • HijackThis
     
  4. nottooknowledgeable

    nottooknowledgeable Private E-2

    Ok, whew, well the good news is that I've finished all the steps and have all six of the logs now! :)

    The bad news is that the problems are now worse than ever. (e.g., the <process has already exited> error message must have appeared at least 200 times! while I was running CounterSpy -- for a while there, I just kept on clicking end task in windows task manager nonstop.) And the same problems as noted in the original post still exist, with the biggest problem being the browser disappearing completely or freezing up.

    Here are the first three attachments -- runkeys, newfile, and CounterSpy. The next three attachments will be in the following reply.

    I would really appreciate any help here. Thanks so much!
     

    Attached Files:

  5. nottooknowledgeable

    nottooknowledgeable Private E-2

    Here are the last three - BitDefender, PandaScan, and HiJackThis. Thanks in advance again!
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you ready? You have several baddies, let's begin with a basic fix and then see what's left over once you're done.

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.


    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    kbdusr.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [dnsrslvr] C:\WINNT\system32\dnsrslvr.exe
    O4 - HKCU\..\Run: [197_150_ni_4] C:\WINNT\system32\197_150_ni_4.exe

    Again, make sure ALL browser windows are closed when you click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate kbdusr and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    kbdusr

    You may be told to reboot at this point. Do not reboot; just exit HijackThis, as we will be restarting it with different options in a moment.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\RECYCLER Delete everything in this folder!

    C:\Documents and Settings\Administrator\Local Settings\Temp Delete everything in this folder!

    C:\Documents and Settings\Administrator\Application Data\Qualcomm Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you have completed the above steps and have rebooted back to normal mode, please finish these last few steps.

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
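
Each round of this thread ends with a fresh HijackThis log to see whether the entries marked for fixing are gone. As an added example (not part of the original posts and not HijackThis's own code), the sketch below parses the R1, R3 and O4 line shapes quoted in the post above and lists which fixed entries reappear in a later log; the function names and the later-log sample are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Entries marked for fixing, copied from the post above.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [dnsrslvr] C:\WINNT\system32\dnsrslvr.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINNT\system32\197_150_ni_4.exe
"""

# Constructed later log (not the poster's attachment): one fixed entry is back.
FRESH_LOG = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [DNSRSLVR] c:\winnt\system32\dnsrslvr.exe
"""

class Entry(NamedTuple):
    section: str   # HijackThis section code: R1, R3, O4
    key: str       # registry key, or "URLSearchHook" for R3
    name: str      # value name or hook name
    target: str    # URL, CLSID or command line

PATTERNS = {
    # R1 - <key>,<value name> = <url>
    "R1": re.compile(r"^(?P<key>HK[^,]+),(?P<name>[^=]+?) = (?P<target>.*)$"),
    # R3 - URLSearchHook: <name> - {CLSID} - <file or "(no file)">
    "R3": re.compile(r"^(?P<key>URLSearchHook): (?P<name>.+?) - (?P<target>\{[0-9A-Fa-f-]+\}) - .*$"),
    # O4 - <hive>\..\Run: [<value name>] <command line>
    "O4": re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<target>.*)$"),
}

def parse_line(line: str) -> Optional[Entry]:
    section, sep, rest = line.strip().partition(" - ")
    pattern = PATTERNS.get(section)
    match = pattern.match(rest) if sep and pattern else None
    if not match:
        return None  # header, blank line, or a section not handled here
    return Entry(section, match["key"], match["name"], match["target"])

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def identity(e: Entry):
    # Registry names and Windows paths are case-insensitive, so compare folded.
    return tuple(field.casefold() for field in e)

def still_present(fix_list: str, fresh_log: str) -> List[Entry]:
    """Entries that were marked for fixing but show up again in a later log."""
    fresh = {identity(e) for e in parse_log(fresh_log)}
    return [e for e in parse_log(fix_list) if identity(e) in fresh]

if __name__ == "__main__":
    print(still_present(FIX_LIST, FRESH_LOG))
```

An entry that comes back after being fixed usually means something still running is rewriting it, which is why the instructions end the process and remove the service before fixing the Run keys.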
     
  7. nottooknowledgeable

    nottooknowledgeable Private E-2

    Thanks a lot! Really appreciate it. I followed all the directions, except 1) I was unable to delete C:\Documents and Settings\Administrator\Application Data\Qualcomm. (I tried several times, but receive the error message "Cannot Delete CARNEC~1: Cannot find the Specified File: Make sure you specify the correct path and file name" each time), and 2) I have Windows 2000, and please correct me if I'm wrong here, but I don't think I can "Disable and Re-enable System Restore" with Windows 2000 -- I looked around for instructions but couldn't find them. Also, 3) With CCleaner, the instructions say to "run CCleaner to clean up cookies and temp files," which I have done, but I didn't use default -- I just left "Internet Explorer" checked and checked "Temporary Files" under "System". I didn't check anything under "Windows Explorer" or anything else under "System." "Advanced" was unchecked before, and I left that unchecked. So basically, I followed the directions literally to try to stay on the safe side but was not sure if I should've left anything else checked.

    How Running: Good News: The <process has already exited> message has not appeared since I took all the steps above. Bad News: The Internet Explorer browser continues to freeze up, and the windows have to be shut down. It usually happens when I click links (happens maybe with about half the links that I click, and it seems random which links, although it happens with greater frequency when an entirely new window is opened). This remains unchanged from before.

    Attached is my new HiJackThis log. Thanks again!
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I overlooked your having Win2k; in this case you do not have System Restore.

    Let's get a fresh Panda log, GetRunKey and ShowNew log.
     
  9. nottooknowledgeable

    nottooknowledgeable Private E-2

    Here you go. Also, I don't know if this will help, but I had Project Killbox already, but it was from a while ago, so I downloaded again and called it "Killbox2". Thanks!

    (Funny but sad note: tried to reply about 10 times already, but browser has shut itself down each time, including once when I'd made all the attachments already. Oh well.)

    [EDIT: Ok, I'm not sure if the attachments went through, but it's not showing. I clicked on "Attachments," and it says "In Progress." So maybe I should wait? Please let me know if the attachments aren't working. Thanks.]
     
  10. nottooknowledgeable

    nottooknowledgeable Private E-2

    Ok, I think the attachments are working now! :)
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run CCleaner to clean up cookies and temp files.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINNT\system32\sfcfiles.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete this post, reboot and then delete the following folders. Once you complete this, reboot once more and let me know if problem remains.

     
  12. nottooknowledgeable

    nottooknowledgeable Private E-2

    Thanks a lot! It seems somewhat better now. I've used the Internet for about a couple hours now. None of the windows have disappeared in that time, though the browser has still frozen up about twenty times or so. It's the same problem there -- the browser freezes up, usually when I click a link, and the window has to be shut down.

    Also, quick note: when I was saving and naming the file fixme.reg, I was asked if I wanted to replace the fixme.reg from before, and I said yes. (I had named it fixme2.reg but then I wasn't sure about that so I went ahead and said it was ok to override the first fixme.reg.)

    I've attached a fresh Panda, GetRunKey, and ShowNew log here.
     

    Attached Files:

  13. nottooknowledgeable

    nottooknowledgeable Private E-2

    And here's a fresh HiJack This log.
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach one last HJT log.

    *Edit* Never mind, you're one step ahead of me :p
     
    Last edited: Aug 14, 2006
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixpanda.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixpanda.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Next, run CCleaner to clean up cookies and temp files.

    Once you complete the above, run one more Panda scan to confirm you're clean.
     
  16. nottooknowledgeable

    nottooknowledgeable Private E-2

    Thanks again! :) I think that it's improved a little more now -- the browser's frozen only several times the past hour or so. But I followed the steps, rebooted, and ran PandaScan and the same errors came up, so I don't think my computer is clean.

    (Quick thought: the browser freezing/disappearing thing happened really soon after I'd installed aol/aim, and right when it started, I uninstalled it. I don't know if that has to do with anything.)

    Anyhow, thanks a lot for the help! It's definitely been an interesting, educational, and memorable journey. ;) I don't know if this will help, but I've attached a fresh hijackthis and pandascan log.
     

    Attached Files:

  17. nottooknowledgeable

    nottooknowledgeable Private E-2

    Also, here is a fresh ShowNew log. Can't attach a fresh GetRunKeys log for some reason :confused:
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Spy Sweeper 5. See the thread below on how to configure the scan settings. Be sure you update the definitions before scanning!

    Once you have completed this scan attach the log with a fresh Panda scan log.

     
  19. nottooknowledgeable

    nottooknowledgeable Private E-2

    Thanks! I downloaded Spy Sweeper 5. After I downloaded it, I was prompted to restart the computer for it to work -- but the computer just would not restart. :rolleyes: Every time I tried to restart the computer, I got a "Stop Error Screen" in blue and had to completely shut down the computer's power supply. Eventually, I had to go into "Safe Mode" to uninstall Spy Sweeper for the computer to work at all. (I tried a couple different links to Spy Sweeper, but it was the same result each time.)

    Before I uninstalled Spy Sweeper in "Safe Mode," I was able to run it (but only the Diagnostic version -- which did not allow me to update the settings -- and seemed to be slightly different from the instructions). So I'm attaching the Spy Sweeper log that was run in Safe Mode -- along with a new HiJack This log.

    For some reason, after the failed attempts with Spy Sweeper, I have not been able to run a Fresh Panda scan either. I've tried about a dozen times over the past ten hours or so. The error message that I've been receiving is "Error on Downloading ActiveScan" -- "Possible causes of this error are: Not allowing the application's ActiveX control to be downloaded, Problems with the internet connection, The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc."

    The browser's freezing up somewhat more often today -- maybe ten to fifteen times/hour on avg, depending on which links are clicked. A few times the browser has disappeared completely.
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's just skip SS; never heard of that with SS. See the below thread on how to install and run Ewido Anti-Malware. Also, if you still have it, run a new CounterSpy scan and attach the log.
     
  21. nottooknowledgeable

    nottooknowledgeable Private E-2

    Ok, I've installed and run Ewido Anti-Malware, and I'm attaching the log. The Ewido directions say to run HiJack This and post a new log, so I'm attaching a new HiJack This log as well. I also ran CounterSpy, and I'm attaching the log for that too. (I had uninstalled CounterSpy when the <process has already exited> error messages kept on popping up nonstop when CounterSpy was running, but that problem has already been resolved and didn't reoccur when I was running CounterSpy this time.) There are still the same issues with the browser as yesterday... Thanks a lot!
     

    Attached Files:

