reflex Posted June 13, 2011 ID:440588 Share Posted June 13, 2011 Hi Guys,I need your help/advice for the following. My laptop worked fine until yesterday, after a reboot all my browsers (IE 7.X/FF4.X/Chrome 12.0) crash after a few minutes of surfing the web. Usually without a warning but sometimes they show a memory could not be read error.Laptop: Lenovo T410, Intel i5, 3 GB ram, WIN XP SP3I did the following:- Upgraded browsers- Disabled/removed add-ons- CCcleaner/drive clean etc.- FULL Memtest86, and no faults found- FULL scans with Spysweeper/Adaware/Maleware bytes (no errors found)- Checked PC for strange hidden files/dir/cleaned temp foldersThen I started checking the processes with sysinternal process monitor and it shows that during the browsing process strange *.dat files are "created". See screen shots. Example:Module: asoorloplop.datPath: C:\DOCUME~1\ALLUSE~1\APPLIC~1\asoorloplop.datDescription: tGpPj37u Mversion: 4.685.230.0Company: lInrjG&b !RKnTN3mOf course these files themselves cannot be found or located... but the process monitor shows these items all over the place while running IE/FF/Chrome. It looks like mallware... but I cannot remove it nor can the scan/sweep programs...HELP is appreciated Reflexhttp://www.almering.com/download/mg/hijackthis.log Link to post Share on other sites More sharing options...
reflex Posted June 14, 2011 Author ID:441067 Share Posted June 14, 2011 No replies yet... so I continued the war against the spyware/malware I was triggered by the stange *.dat files that the process monitor tool was refering too and noticed that these also popped-up while executing other program such as office applications. It looked like the malware was trying to cause a memory overflow that would eventually lead to a crash.Hence, I had to find and remove these files...In windows explorer these files didn't exist C:\Documents and Settings\All Users\Application Data\ but while using the command prompt (safe mode (F9), cmd, dir /ah, attrib -h asoorloplop.dat) these files (asoorloplop.dat & polpolroosa.dat) did actually appear to be present on the computer!! I made the files visible in the command prompt environment and deleted the files.Reboot and all browser problems, memory errors gone (including the slowdowns I was encountering in MS office)NICE! - I hope this may help someone else too. It took me > 8 hours to find the root cause and kill it.Process Monitor Toolhttp://technet.microsoft.com/en-us/sysinternals/bb896645 Link to post Share on other sites More sharing options...
Staff screen317 Posted June 17, 2011 Staff ID:442131 Share Posted June 17, 2011 Great work! Nicely done tracking down the cause. Let us know if there's anything we can do to help you.I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:Green to go Yellow for caution Red to stop WOT has an addon available for both Firefox and IE.5) Be sure to update your Antivirus and Antispyware programs often!Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?Safe surfing,-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted June 30, 2011 Staff ID:447601 Share Posted June 30, 2011 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts