Started with Browsers Crashing (FF & IE)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Smuckers05, Feb 2, 2010.

  1. Smuckers05

    Smuckers05 Private E-2

    6 days ago I went to play a game I downloaded and have played multiple times before; this time though, instead of the game popping up, a BSOD did. I restarted my computer and things seemed fine (I also uninstalled the game, just in case). Until my FF kept freezing and/or crashing on me. I thought it was maybe a FF problem, so I tried IE instead; it crashed as well.

    So at this point, I ran both Spybot S&D and Malwarebytes, upgraded FF, defragged, ran Disk Cleanup, cleared cache, cookies, etc. Nothing worked; well, sometimes it seemed to work for a bit, then it would crash again. In the beginning it seemed to mainly happen when I was trying to log into anything, or register for an account on a site.

    I posted that information here, over in the software section, and some people were kind enough to suggest other things I might want to try. I downloaded CCleaner, uninstalled Firefox, ran CCleaner, and reinstalled. My Firefox isn't opening at all anymore. My IE seems to be doing better, not crashing, but slow.

    I tried a system restore, it wouldn't let me. It never completed. Then someone pointed me over here, and I followed the steps here, and have all the logs I believe, and have them attached.

    Problems still present :(

    My OS is XP Professional, Dell Dimension 4600, Intel(R) Pentium(R) 4 CPU 2.66GHz, 760 MB of RAM.

    SAS report will be in next post.
     


  2. Smuckers05

    Smuckers05 Private E-2

    SAS log.

    Let me know if I need to do anything else.

    Thanks!

    -Sierra
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have, or had, a MBR infection. Combo is indicating it fixed it, but I want to be sure.

    Boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    Then boot back into normal mode.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Temp\$$$dq3e
    C:\WINDOWS\Temp\$67we.$
    C:\WINDOWS\Temp\xsw2
    C:\Documents and Settings\Administrator\Local Settings\Temp\7ZS9.TMP 
    C:\Documents and Settings\Administrator\Local Settings\Temp\MAR3.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\mar4.tmp     
    C:\Documents and Settings\Administrator\Local Settings\Temp\MAR5.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MAR6.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MAR7.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MAR8.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MAR9.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MARA.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MARB.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MARC.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MARD.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\MARE.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\mm1.mht
    C:\Documents and Settings\Administrator\Local Settings\Temp\mm2.mht
    C:\Documents and Settings\Administrator\Local Settings\Temp\mm3.mht
    C:\Documents and Settings\Administrator\Local Settings\Temp\mm4.mht
    C:\Documents and Settings\Administrator\Local Settings\Temp\mmc020BB091.xml
    C:\Documents and Settings\Administrator\Local Settings\Temp\pft75~tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\ypt10.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\ypt6.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\ypt9.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\yptD.tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
    "{9F1FBC1F-8D17-4E78-B291-83052261DF77}"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
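    As an added illustration (not part of TimW's post and not ComboFix's own code), the following Python reads a CFScript laid out like the one above and interprets its Registry:: section with standard .reg syntax: [-KEY] removes a whole key, and "name"=- removes one value under the preceding [KEY]. The sample script is a constructed, shortened copy of the one in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, shortened sample in the CFScript layout used in the post above.
SAMPLE_CFSCRIPT = r"""KILLALL::

File::
C:\WINDOWS\Temp\xsw2
C:\Documents and Settings\Administrator\Local Settings\Temp\MAR3.tmp

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
"{9F1FBC1F-8D17-4E78-B291-83052261DF77}"=-
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of a CFScript under the directive (NAME::) that precedes them."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        match = DIRECTIVE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Interpret the Registry:: section with .reg semantics:
    [-KEY] deletes a whole key; "name"=- deletes one value under the last [KEY] seen."""
    actions: List[Tuple[str, str, Optional[str]]] = []
    key: Optional[str] = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.endswith("=-") and key is not None:
            actions.append(("delete_value", key, line[:-2].strip('"')))
    return actions
```

    Reading the script this way before dropping it on ComboFix lets you check exactly which files and registry items a fix will remove.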
     
  4. Smuckers05

    Smuckers05 Private E-2

    I'm sorry, but I'm already lost. I printed out your directions and followed the link you provided for using the Recovery Console, but I'm confused and don't want to mess something up. The site says something about needing startup disks.

    "After Windows XP is installed on your computer, to start the computer and use the Recovery Console you require the Windows XP startup disks or the Windows XP CD-ROM.

    For more information about how to create Startup disks for Windows XP (they are not included with Windows XP), click the following article number to view the article in the Microsoft "

    I clicked the link, but it's all French to me. I don't know what to download, or if I even need to download any of that. I started my computer in the Recovery Console so I could get a look at it. It wanted me to put in some number (I randomly just put 1). Then I was able to type "fixmbr", but I didn't follow through because I wasn't sure what number I was supposed to put.

    I know my computer isn't fixed, so I need to do these steps you have for me. It (the computer) is acting as wacky as ever! I just need a little bit more help with the Recovery Console.
     
    Last edited: Feb 4, 2010
  5. Smuckers05

    Smuckers05 Private E-2

    Ignore that last post please. I figured it out.

    I did everything as you asked, and here are the two logs you asked for. My computer still isn't right. My FF still won't even open. IE is working, but it's much slower than it should be. Still, this is better than it crashing. I still would like to use my FF though. I don't like IE too much.

    Oh, and for the HJT log, where you wanted me to find certain files and click them, there were a few that weren't on there.

    These are the files that were missing from that.

    R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present --> unless you set them
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present--> unless you set them
    O22 - SharedTaskScheduler: CadegeneOle - {9F1FBC1F-8D17-4E78-B291-83052261DF77} - (no file)


    Thank you for all your help so far, I really appreciate it.
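    As an added example (not from the thread or any of the tools it uses), here is a small triage pass over HijackThis-style lines like the ones quoted above: it flags entries whose target is "(no file)" (a leftover registration whose binary is already gone) and O6 policy restrictions, and leaves ordinary entries alone. The sample lines are constructed from the post, plus one O2 line with a placeholder CLSID and path.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample modelled on the HijackThis lines quoted in the post above;
# the O2 line uses a placeholder CLSID and path, not a real product.
SAMPLE_HJT = r"""R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O22 - SharedTaskScheduler: CadegeneOle - {9F1FBC1F-8D17-4E78-B291-83052261DF77} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


class Finding(NamedTuple):
    code: str             # HJT section code, e.g. O22
    clsid: Optional[str]  # CLSID found on the line, if any
    reason: str


def triage_hjt(log: str) -> List[Finding]:
    """Flag entries worth reviewing: registrations whose file is gone, and IE policy restrictions."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        code = line.split(" - ", 1)[0]        # section code precedes the first " - "
        match = CLSID.search(line)
        clsid = match.group(0) if match else None
        if line.endswith("(no file)"):
            findings.append(Finding(code, clsid, "orphaned registration: target file missing"))
        elif code == "O6" and line.endswith("present"):
            findings.append(Finding(code, clsid, "IE policy restriction set; keep only if set deliberately"))
    return findings
```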
     


  6. Smuckers05

    Smuckers05 Private E-2

    I'm so sorry for my.. triple posts.

    Update though, I uninstalled, then reinstalled FF, and it's up and running.

    I'm guessing IE was just being laggy, because it's IE. :p

    So unless you find anything in those reports, it seems everything is good. :D
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay.

    Your logs are clean. You should be able to disable the HelpAssistant user account now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners.They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
