IE Malware “memory could not be read”?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Alaina, Sep 4, 2010.

  1. Alaina

    Alaina Private E-2

    My daughter’s computer seems to have malware again. In IE, she logged on to her Facebook account but was then redirected to a misc. web page. Avast notified her a Trojan was blocked so she closed the page and got “The instruction at 0x00000000 referenced memory at 0x00000000, The memory could not be read”. Her computer was then completely sluggish and her taskbar went black. She could not use Start to reboot. No programs would open; clicking on anything did nothing. Whatever it was used all her resources.

    She hardbooted, ran Avast, but it found nothing. She then ran mbam which deleted 4 files and 8 registry entries. The computer seemed fine so she did it again (Facebook). Same thing.

    After the next reboot, she went to Google and typed in the error code. She got search results but Windows notified her that “memory was low”. The search results convinced her to Run cmd to fix corrupt files. She did but nothing was corrupt.

    I found that although now the web pages aren’t being redirected, when a web page is closed (or even just minimized) a new web page will open up all by itself and try to connect to a misc. page (like asianfurniture dot com?). Closing that page will again give the memory read error. Avast is not giving any more notifications of these being bad websites.

    I figured this must be malware so I decided to go thru your Read and Run Me First. My daughter’s computer was frozen at this point so I shut it down and restarted. In bringing up your website, a small page also opened for a registry cleaner (Download Registry Defender). When I closed it, I got the “memory read” error message. I also got it after updating CCleaner and closing their window. When I got to Step 7 (Windows XP Cleaning) it opened in a new window. I closed your original window (Read and Run Me First) with no error message. Even after these memory error messages, the computer did not slow down or freeze.

    I updated SuperAntispyware and it ran with no problems, found 1 trojan agent, Gen-Nullo[Short]. It needed to reboot. The computer ran considerably slower after the reboot.

    I then updated Malwarebytes and it ran with no problems. Found 4 registry items, Alexa adware. When finished, it did not ask to reboot so I didn’t.

    Ran Combofix next. It got to the scanning point and a message popped up saying Combofix has detected rootkit activity and needs to reboot. There was no choice but to press OK because everything else on the computer had disappeared. The computer rebooted (very quickly) and Combofix started over and completed successfully.

    Note: After Combofix rebooted, nothing was showing in the startup tray. Avast was only supposed to be disabled until reboot but nothing showed up so I considered it still disabled, along with Zone Alarm firewall, after Combofix finished. So I then ran Root Repeal. This report has 23 locked files, 22 in temp folders?

    Ran MGTools with no problems. Rebooted to get firewall and antivirus protection back to open internet and send reports to you. When I opened your site, the Download Registry Defender page again also opened. There was no memory error message this time when I closed it.

    Reports are attached. Please let me know what you think or find.
     


  2. Alaina

    Alaina Private E-2

    Last report attached (MGTools)
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  4. Alaina

    Alaina Private E-2

    Hi Chaslang!

    Thanks for replying so fast. I'm not sure I did this right.

    I was logged in when I read your message. I clicked the link and downloaded TDSSKiller, then ran it. When it was done it had a rootkit but I only saw a blue link that said "cure". I clicked it and saw skip, quarantine, or cure (cure was already checked) so I left it and clicked continue. It then told me it needed to reboot.

    So I logged out of this website, closed this website, got the memory error message (clicked OK, which is the only option) then clicked the OK to reboot on TDSSKiller.

    After the reboot, I started IE and when my home page loaded, I also got the "Download Registry Defender" page that I thought came with your site. When I closed it I got the memory error again.

    I didn't get that page when opening or logging into your site this time. I really had thought it was one of your ads. I now guess it's part of this malware problem.

    Anyway, I'm attaching the report. Please tell me if I need to redo if I did this wrong because the problem has not changed after all this.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Nope! As you later suspected, it is part of your malware. As long as it is gone now.

    But let's double check a couple things to be sure.


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from MBRCheck
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. Alaina

    Alaina Private E-2

    Hi Chaslang

    Computer Update: After reading your last post from my computer, I went to my daughter's computer but couldn't use it as all resources were gone again.
    I shut it down, restarted, opened IE, went to this website and got another registry cleaner popup and memory error code when I closed it.

    I followed your instructions and the reports are attached. I then tried to post but the page was not responding well by then so I logged out (took a half hour to log out). After that the computer picked up a bit so I decided to run some searches (google) to see how it responded. It did fine for about 10 minutes, then 2 new windows opened all by themselves (Spybot S&D and Do you think you can dance).

    I decided to come back here and post before the computer bogs down again. Let me know what you find. It still does not look good from here.
     


  7. Alaina

    Alaina Private E-2

    Sorry, I forgot to add:

    After I went to this website and brought up the malware removal page, I got another error message: Generic Host Process for Win32 Services has encountered a problem and needs to close. I didn't send a report because for some reason the error form looked different somehow so I wasn't sure it was legit.

    After I posted, I closed IE and got another memory error reading.

    I thought you might need to know this.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean now. If you continue to have crashes or memory errors the issue may be related to corruption of Windows itself and that could require either a repair or a reinstall which you can get help doing in the Software Forum.

    An observation I made while looking at your logs is that you do not have enough memory to properly run Windows XP SP3 and the other applications you have installed. Your logs show:
    Code:
    Total Physical Memory 512.00 MB 
    Available Physical Memory 180.98 MB
    You need to have at least 1 GB but 2 GB would be a much better idea.

    I also recommend that your run the below System File Check.

    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  9. Alaina

    Alaina Private E-2

    Hi Chaslang!

    Just wanted to thank you for all your help. It's great to know there's no more malware!

    Yes, you're right about the memory, I was aware of it. I had 1 GB ready to install which is why Zone Alarm was on the machine. Unfortunately, it ended up not being the right chips for this machine so I had to uninstall Zone Alarm for the time being and go back to Windows firewall (don't want to fry the machine before we get it fixed).

    Oh well, if I can get a fix from the software forum for these IE redirects and "jumps", I'll have new chips by then. These search engine redirects seem to be the only thing right now making the machine bog down; everything else works beautifully otherwise.

    Thanks again for all your time and attention.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run sfc as suggested?

    I misread your last messages. I did not realize that you were still having redirection issues.

    Are you having redirections with both Internet Explorer and FireFox? Do they also occur in safe boot mode ( you need to test this )? Do they occur frequently no matter where you are surfing or do they only occur when on certain websites?


    There have been quite a few recent infections that have been infecting router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.


    Also do you have any kind of disk emulation software installed as mentioned in step 6 of the READ & RUN ME? I thought you did and may not have disabled it as requested, but now I'm not so sure since you are still having problems. Perhaps there is a real hidden rootkit. Please run TDSSkiller one more time and attach the new log. Also please run the below and attach the log from GMER:

    Example using GMER to fix things - Informational Only
     
    Last edited: Sep 7, 2010
  11. Alaina

    Alaina Private E-2

    Hi Chaslang, it’s good to hear from you again.

    Sorry I haven’t responded for awhile, I am pretty much wiped out from too many late nights fighting malware for the second time in a month (plus other misc. problems life throws at you now and then). It doesn’t surprise me you misread my poorly written late night messages.

    I’m still overtired but am going to try to update you on what’s happened and try to answer some of your questions.

    Yes, I ran sfc scannow – nothing was corrupt, no replacements needed. (Good thing – my daughter can’t find her original OEM disk which is lacking SP’s anyway).

    I searched the software forum but found anyone with redirect problems being referred to the malware forum so I didn’t bother to post. I searched the internet and checked everything stuck people (like me) suggested – checking driver files, host file, IE add-ons, date and time changes, etc., etc. This computer really was clean. I was stumped.

    Being stumped panicked my daughter (it’s her computer and she needed it to find a job, keep her website going, etc.) so when I heard her mention running Combofix herself, I panicked and told her to download and run HitmanPro3.5 which many stuck people claimed took care of the problem.

    It worked. It found a hidden driver and called it a bootkit (alias Alureon). I tried to have her save a log file for you but it didn’t work out (unfamiliar program) so I don’t have one.

    The computer runs great now with absolutely no problems at all. I would like to continue just to make sure it really is clean and nothing else is hiding or will pop up later, but I’m running into brick walls.

    I can’t reset the router right now; I don’t have direct access to it. It belongs to a neighbor (in their house, not ours) who runs Macs and PS3. I know nothing about Macs and cannot reset their computers after default, but neither can they. It takes all day with a technician on the phone and they are not willing to do this since my daughter is not now having problems that I can show them (they don’t understand malware).

    I haven’t been able to stay awake after my daughter goes to bed to run the two programs you’re asking for (tdsskiller and gmer). I don’t know how long you keep threads open but I will try to do it as soon as I am able. Please rest assured that I am not purposely trying to wait and see if anything else comes up as I would feel this to be unfair to you and anyone else needing your help by wasting your time and having to start over again. I really do hope to finish this before this thread closes.

    Please let me know if you would prefer not to continue with this or take it any further.

    Oh yeah, the emulation software. I don’t believe we had any so I did not run Defogger. I ran it the first time we had malware (a month ago) and it led me to believe we don’t. I will run it again this time anyway as I saw it doesn’t do any harm if you have none and is probably a good safety precaution (neither I nor my daughter really know what emulation software is).

    The computer browser we have is IE8 on Windows XP SP3, no other browsers on this machine. Didn’t think to try safe mode at the time but since there’s no problem now I can’t test that.

    These redirects, jumps (jump and jump2), and ad pop-ups, did not happen frequently while we were going through this, which made me sometimes believe it had been taken care of. This malware used a lot of resources, as did Zone Alarm, and took the computer down pretty fast. After removing Zone Alarm (when we were done) the resources were freed up enough for this thing to run at full force and it was constant, so much so that we could hardly keep up with it to get to a website we wanted. It happened at any website, including home page, or any search engine results. It didn’t matter whether you clicked on anything or not, you’d end up somewhere else. If you did click, it would jump or redirect. If you didn’t click, it would open new windows or tabs and make them the focus so you’d be carried along, away from your original page. If it was a redirect, you couldn’t get back to your original page as it never had a chance to load. If it was a jump, you could close the extra windows and tabs, or hit the back button until you got back to the original page you were on (if you were fast enough) but not for long. Typing (or copy/paste) the URL in the address bar sometimes helped for a few minutes. I hope this is understandable, but if not, let me know and I’ll try to clarify.

    The ad pop-ups had quit by the time we were done, so there never were many (I think I mentioned all of them). The error messages stopped after uninstalling Zone Alarm (no more conflicts in fighting for resources?). As noted, they were not happening all the time, however, Zone Alarm was disabled at certain times while running these tests so that may have been a factor when they did or did not appear. I don’t know.

    This post is too long and I’m too tired to continue. I hope I answered all your questions but I don’t know if it’s even necessary now. If you want any more info, or clarification, you’ll need to ask (again). I’m only afraid that, being a rootkit, something could still be hidden, just waiting to pop up later. That’s why I want to continue even though everything appears to be okay now.

    Let me know if you think otherwise.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is what TDSSkiller implied it took care of earlier. And since you were still having problems, I was worried that TDSSkiller did not really fix it reliably which is why in my last message I said let's run it again. I was suspecting that the same problem may be found by it.

    Normally, we do not close threads, but when a new problem arises, we do want the users to post in a new thread after running the cleaning procedure.


    If all is good now, then make sure you have completed all of what I posted in message # 8 including toggling System Restore.
     
  13. Alaina

    Alaina Private E-2

    Thank you for telling me that. I had originally felt I hadn't run it correctly, and apparently that was the case. Now that I know that's what HitmanPro finished, I won't worry about this being hidden and reappearing again.

    Yes, all is good now! I so badly wanted you to say that so I knew I was done. All I have to do now is toggle System Restore.

    I can't thank you enough, and all who own/work/help on this forum. What a terrific service you all give, and being all voluntarily, so all I can say now is Bless All Of You! It's hearts like yours that make this world great.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
