Jump to content

Recommended Posts

Hi Guys,

I need your help/advice for the following. My laptop worked fine until yesterday, after a reboot all my browsers (IE 7.X/FF4.X/Chrome 12.0) crash after a few minutes of surfing the web. Usually without a warning but sometimes they show a memory could not be read error.

Laptop: Lenovo T410, Intel i5, 3 GB ram, WIN XP SP3

I did the following:

- Upgraded browsers

- Disabled/removed add-ons

- CCcleaner/drive clean etc.

- FULL Memtest86, and no faults found

- FULL scans with Spysweeper/Adaware/Maleware bytes (no errors found)

- Checked PC for strange hidden files/dir/cleaned temp folders

Then I started checking the processes with sysinternal process monitor and it shows that during the browsing process strange *.dat files are "created". See screen shots. Example:

Module: asoorloplop.dat

Path: C:\DOCUME~1\ALLUSE~1\APPLIC~1\asoorloplop.dat

Description: tGpPj37u M

version: 4.685.230.0

Company: lInrjG&b !RKnTN3m

Of course these files themselves cannot be found or located... but the process monitor shows these items all over the place while running IE/FF/Chrome. It looks like mallware... but I cannot remove it nor can the scan/sweep programs...

HELP is appreciated :)

Reflex

http://www.almering.com/download/mg/hijackthis.log

browser_problem1.jpg

browser_problem2.jpg

Link to post
Share on other sites

No replies yet... so I continued the war against the spyware/malware :mellow:

I was triggered by the stange *.dat files that the process monitor tool was refering too and noticed that these also popped-up while executing other program such as office applications. It looked like the malware was trying to cause a memory overflow that would eventually lead to a crash.

Hence, I had to find and remove these files...

In windows explorer these files didn't exist C:\Documents and Settings\All Users\Application Data\ but while using the command prompt (safe mode (F9), cmd, dir /ah, attrib -h asoorloplop.dat) these files (asoorloplop.dat & polpolroosa.dat) did actually appear to be present on the computer!! I made the files visible in the command prompt environment and deleted the files.

Reboot and all browser problems, memory errors gone :D (including the slowdowns I was encountering in MS office)

NICE! - I hope this may help someone else too. It took me > 8 hours to find the root cause and kill it.

Process Monitor Tool

http://technet.microsoft.com/en-us/sysinternals/bb896645

Link to post
Share on other sites

  • Staff

Great work! Nicely done tracking down the cause.

Let us know if there's anything we can do to help you.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.