
Browser crashes - Malware


  • This topic is locked
3 replies to this topic

#1 reflex


Posted 13 June 2011 - 04:20 PM

Hi Guys,

I need your help/advice for the following. My laptop worked fine until yesterday; after a reboot, all my browsers (IE 7.X/FF4.X/Chrome 12.0) crash after a few minutes of surfing the web. Usually without a warning, but sometimes they show a "memory could not be read" error.

Laptop: Lenovo T410, Intel i5, 3 GB ram, WIN XP SP3

I did the following:
- Upgraded browsers
- Disabled/removed add-ons
- CCleaner/drive clean etc.
- FULL Memtest86, and no faults found
- FULL scans with Spy Sweeper/Ad-Aware/Malwarebytes (no errors found)
- Checked PC for strange hidden files/dir/cleaned temp folders

Then I started checking the processes with Sysinternals Process Monitor and it shows that during the browsing process strange *.dat files are "created". See screenshots. Example:

Module: asoorloplop.dat
Path: C:\DOCUME~1\ALLUSE~1\APPLIC~1\asoorloplop.dat
Description: tGpPj37u M
version: 4.685.230.0
Company: lInrjG&b !RKnTN3m

Of course these files themselves cannot be found or located... but the process monitor shows these items all over the place while running IE/FF/Chrome. It looks like malware... but I cannot remove it nor can the scan/sweep programs...

HELP is appreciated :)

Reflex

http://www.almering..../hijackthis.log


#2 reflex


Posted 14 June 2011 - 05:09 PM

No replies yet... so I continued the war against the spyware/malware :mellow:

I was triggered by the strange *.dat files that the process monitor tool was referring to and noticed that these also popped up while executing other programs such as office applications. It looked like the malware was trying to cause a memory overflow that would eventually lead to a crash.

Hence, I had to find and remove these files...

In Windows Explorer these files didn't exist in C:\Documents and Settings\All Users\Application Data\, but while using the command prompt (safe mode (F9), cmd, dir /ah, attrib -h asoorloplop.dat) these files (asoorloplop.dat & polpolroosa.dat) did actually appear to be present on the computer!! I made the files visible in the command prompt environment and deleted the files.

Reboot and all browser problems, memory errors gone :D (including the slowdowns I was encountering in MS office)

NICE! - I hope this may help someone else too. It took me > 8 hours to find the root cause and kill it.

Process Monitor Tool
http://technet.micro...ernals/bb896645
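
Added example, not part of the original posts: a Python sketch of the check reflex did by eye in Process Monitor, run over a constructed CSV export. It flags successful Load Image events whose path sits under an Application Data directory and lacks a normal executable-image extension; the column names assume Process Monitor's default CSV layout, and the extension list and sample rows are assumptions.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Extensions a loaded image normally has (heuristic list, an assumption).
IMAGE_EXTS = {".exe", ".dll", ".ocx", ".sys", ".drv", ".cpl", ".ax", ".acm", ".ime", ".scr"}
# Long and 8.3 short forms of the data directory named in the thread.
DATA_DIR_MARKERS = ("\\application data\\", "\\applic~1\\")

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:01:12 PM","firefox.exe","1204","Load Image","C:\Program Files\Mozilla Firefox\xul.dll","SUCCESS",""
"4:01:13 PM","firefox.exe","1204","Load Image","C:\DOCUME~1\ALLUSE~1\APPLIC~1\asoorloplop.dat","SUCCESS",""
"4:02:40 PM","iexplore.exe","2216","Load Image","C:\DOCUME~1\ALLUSE~1\APPLIC~1\asoorloplop.dat","SUCCESS",""
"4:03:05 PM","WINWORD.EXE","3020","Load Image","C:\Documents and Settings\All Users\Application Data\polpolroosa.dat","SUCCESS",""
"4:03:09 PM","chrome.exe","3488","CreateFile","C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1","SUCCESS",""
'''


def suspicious_modules(csv_text):
    """Map each odd module path (lower-cased) to the processes that loaded it."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Load Image" or row["Result"] != "SUCCESS":
            continue  # only modules actually mapped into a process
        path = row["Path"].lower()
        ext = ntpath.splitext(path)[1]
        in_data_dir = any(marker in path for marker in DATA_DIR_MARKERS)
        if in_data_dir and ext not in IMAGE_EXTS:
            hits[path].add(row["Process Name"].lower())
    return {path: sorted(procs) for path, procs in hits.items()}


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop a BOM.
    for path, procs in suspicious_modules(SAMPLE_CSV).items():
        print(f"{path}  loaded by: {', '.join(procs)}")
```

The same module appearing under several unrelated processes, as in the sample rows, is the pattern described in the post above.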

#3 screen317


Posted 16 June 2011 - 10:29 PM

Great work! Nicely done tracking down the cause.


Let us know if there's anything we can do to help you.



I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!


Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?




Safe surfing,

-screen317
Chris Fistonich
Research Team


#4 screen317


Posted 30 June 2011 - 03:49 PM

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Chris Fistonich
Research Team
