Browsers, Thunderbird crash when attempting to download/transfer files

cteno · 10 Aug 2014

ThrashZone said:

Hi and thanks,
Firstly open Chrome,
Alter one of the Advanced setting to Not run background apps when Chrome is closed,
...
Compare your add-ons in each Firefox and Internet explorer,
Post any listing if they exist toolbars and extensions,
Reset Firefox, ...

Thanks for these explicit guides. I had already disabled all add-ons and extensions in IE and Chrome. Have now reset both to original condition. Also FF (my main browser; that's going to take a while to put back...) and disabled everything extra.

Every browser still crashes when attempting to "save as" - as soon as the folder selection window appears.

Any other ideas? I'm willing to pay for help at this point; a clean windows re-install wouldcost me a couple of days to rebuild and debug.

ThrashZone · 10 Aug 2014

Review Jacee’s instructions to run Adwcleaner here post #7,
Ignore the title of the thread,
Instant Savings App
Screen shot of the download button to use for Adwcleaner
You can use these free tools to see if they find anything,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
Uncheck the box to Activate the Free trial from the final install options,
Also use the Custom scan option not the Threat scan,
Select the drive to scan usually C,
If your really infected check the box to scan for Rootkits = this scan option will take several hours to complete,
Never use your machine while scans are running for best results,
Please Do Not clean/ Delete or Remove Any detections before posting the scan results first before review especially Malwarebytes,
http://www.malwarebytes.org/products/malwarebytes_free
SAS is safe to remove anything it finds

http://www.superantispyware.com/?tag=SUPERANTISPYWARE
This one is the longest up to 4 hours, the others are only about 45 minutes,
http://www.microsoft.com/security/scanner/en-us/default.aspx

If you cannot download as you've said use Safe made with networking to download the scanners,
You can probably skip the power drain process,
Shut down your machine, Unplug-Hold the power button down for 30/45 seconds (Power Drain)
Power up and Tap the F8 key continuously until you see a black page with white text,
Use the down arrow key to toggle to safe mode with networking/ hit the enter key.
Login as usual
Other advanced methods,
https://www.sevenforums.com/tutorials/69585-safe-mode.html
http://windows.microsoft.com/en-US/windows7/Advanced-startup-options-including-safe-mode

cteno · 11 Aug 2014

First: many thanks to ThrashZone for taking so much time, as well as the specific suggestions. I hope this is all useful to others - though I also hope that no-one experiences this problem!

Had run Adwcleaner, Malwarebytes and Norton 360 full scan before starting here. Ran all those again; as hoped, found nothing new.

Very grateful to learn about the other two programs. SAS found a whole lot of stuff. All in archives that have not been accessed in a long time, but perhaps they can get out during backup or search/indexing operations.

MSERT analysis showed multiple instances of two viruses, Sality.R and Magistr.A@mm, again all in archive files. The cleanup operation showed a lot more issues. Does anyone know why it says "partially removed? And how did Norton miss so much?

~~The good news: following the SAS scan and cleanup, it is again possible with Firefox to download files and web content without crashing.~~ Oops - only worked for a few minutes. Firefox, IE and Chrome still crash, as does saving attached files in Thunderbird.

I will run all the cleaners again in the next few days (MSERT took six hours, and stalled on system file tcpip.sys on the first try - worked second time) in case there's some kind of re-infection. At least I am able to do most normal operations again, so again thanks!

ThrashZone · 12 Aug 2014

Hi thanks we'll need some follow up scanning
I requested you be moved to security

Cheers.

cteno · 12 Aug 2014

ThrashZone said:

I requested you be moved to security

Well, that is the most terrifying post I have ever seen on an IT forum! Should I expect black helicopters, or just a uniformed SWAT team at the door?

Thanks again for all your help so far. I hope that this proves useful to other Windows users. Currently re-running all the cleanup scanners I can find. Fingers crossed.

ThrashZone · 12 Aug 2014

Hi sorry for the fright :)
Deploying a bunch of scanners isn't a good idea,
What you need is a specific scanner for the entries that the prior scanners found,

If I were to guess this would be a good one to use and post the scan results,
https://www.sevenforums.com/system-se...tect-work.html

How to run and post the scan results,
post-malware one problem remains: google.com redirect
There's also JRT on post #2 you can use and post here

cteno · 14 Aug 2014

ThrashZone said:

If I were to guess this would be a good one to use and post the scan results,
https://www.sevenforums.com/system-se...tect-work.html

Thanks for yet another good resource. Have been unable to attach scan results due to same crashing problem, so text is appended below. I deleted first two entries; others seem like legitimate parts of programs in regular use, downloaded from CNET.

Microsoft Safety Scanner says over 300 infected files. But repeated scans (8 hours each) stall at the same file: Windows\system32\drivers\tcpip.sys. I'll start a new thread on that.

~~~~~~~~~~~~~~~~

Saved date: 8/13/2014 6:40:55 AM
Files detected: 382
Files scanned: 8,564
Processes scanned: 54
Modules scanned: 740
ASEPs scanned: 475
Downloads scanned: 0
Deep analysis: 34/10
---------------------------------------------------------------------------------

Files

---------------------------------------------------------------------------------

File path: c:\users\a\appdata\local\cre\bhapnjfnhgjijlphlbjbhkjbinbmcmjn.crx
Publisher:
MD5: 3c7e36170b42468de615f31818826844
SHA-1: d5a6d9950054b6c4a266f8157cb1ae360b7c0350
Created: 6/9/2013 4:59:14 AM
Detections: 4
Determination: Adware
- NANO AntiVirus as Trojan.Win32.Conduit.ctbwbm (Undefined)
- Dr.Web as Adware.Conduit.33 (Adware)
- VIPRE Antivirus as Conduit Toolbar (Undefined)
- Panda Antivirus as PUP/Conduit.A (Adware)

---------------------------------------------------------------------------------

File path: c:\users\a\appdata\local\cre\nmaikkamgfhkjbadgihldfmkpngkhgbb.crx
Publisher:
MD5: c5488f61041999336c884c9eff32b20f
SHA-1: 18428bba4e2b7a3805c3190307bfe4756d394407
Created: 6/13/2013 10:53:06 AM
Detections: 5
Determination: Adware
- Dr.Web as Adware.Toolbar.206 (Adware)
- VIPRE Antivirus as Conduit Toolbar (Undefined)
- Reason Heuristics as PUP.Conduit.ChromePlugin.d (Adware)
- ESET NOD32 as Win32/Toolbar.Conduit.AH potentially unwanted application (Adware)
- Kaspersky as not-a-virus:WebToolbar.JS.Condonit (Adware)

---------------------------------------------------------------------------------

File path: c:\program files (x86)\geovisu suite\unins000.exe
Publisher:
MD5: 88d1cf0c90863379997a061bcf57b797
SHA-1: 4db64c608e5b2e88bf7e8bdeb760d15d62de79ec
Created: 2/20/2014 6:31:35 PM
Detections: 4
Determination: UndefinedMalware
- Quick Heal as Trojan.Agent.ATV (Undefined)
- Comodo Security as UnclassifiedMalware (Undefined)
- Emsisoft Anti-Malware as Trojan-Dropper.Agent!IK (Undefined)
- IKARUS anti.virus as Trojan-Dropper.Agent (Undefined)

---------------------------------------------------------------------------------

File path: c:\program files (x86)\free rar extract frog\freerarextractfrog.exe
Publisher:
Signer: Philipp B. Winterberg
MD5: a577c7ae58fd0758ddc9f6753f419b16
SHA-1: a780488377c9b6d756ae5c002c58ee0f950dbcda
Created: 6/23/2013 4:07:58 AM
Detections: 1
Determination: Adware
- Reason Heuristics as PUP.PhilippBWinterberg.S (Adware)

---------------------------------------------------------------------------------

File path: c:\program files (x86)\common files\dvdvideosoft\lib\msvcr100.dll
Publisher: Microsoft Corporation
Signer: DVDVideoSoft Ltd.
MD5: d6b98c9543a91a81b339602c50c2965e
SHA-1: 2c84c670aa82a9e77371d576b66358a83eaa1ca5
Created: 3/6/2014 8:15:20 PM
Detections: 4
Determination: Adware
- Trend Micro House Call as TROJ_GEN.F47V0924 (Undefined)
- Antiy Labs AVL as AdWare/Win32.D365.gen (Adware)
- Kingsoft AntiVirus as Win32.Troj.D365.a.(kcloud) (Undefined)
- IKARUS anti.virus as not-a-virus:AdWare.Win32.D365 (Adware)

---------------------------------------------------------------------------------

File path: c:\program files (x86)\common files\dvdvideosoft\bin\msvcr100.dll
Publisher: Microsoft Corporation
Signer: DVDVideoSoft Ltd.
MD5: d6b98c9543a91a81b339602c50c2965e
SHA-1: 2c84c670aa82a9e77371d576b66358a83eaa1ca5
Created: 3/6/2014 8:15:20 PM
Detections: 4
Determination: Adware
- Trend Micro House Call as TROJ_GEN.F47V0924 (Undefined)
- Antiy Labs AVL as AdWare/Win32.D365.gen (Adware)
- Kingsoft AntiVirus as Win32.Troj.D365.a.(kcloud) (Undefined)
- IKARUS anti.virus as not-a-virus:AdWare.Win32.D365 (Adware)

andrew129260 · 14 Aug 2014

Please read this entirely before we begin malware removal:

Before we start with malware assistance, I want to inform you of a few things:

1.) I am not a recognized malware removal expert. I do not have a certification from a malware removal school. Having said that, I have removed a lot of malware with PCs and have years of experience.
But just like no antivirus program is 100% effective, neither am I. My goal is to simply clean up your PC from any malware, and assist you in any way possible to help you secure your PC.

2.) Sevenforums (This forum)and I will NOT be held responsible for anything that might go wrong with your pc.

3.) You agree to follow all directions given, until I advise that your pc is clean and you are free of threats. You will not abandon the thread.

The most important rule of all:

4.) YOU WILL NOT INSTALL/change/modify OR ADD ANYTHING TO YOUR SYSTEM UNTIL MALWARE REMOVAL IS COMPLETE. No files or programs or anything of the sort.

Do you agree to these terms?

If yes, reply with a Yes. If not, please state so and I will flag an official malware remover, or I will recommend another place for malware removal assistance.

cteno · 15 Aug 2014

Much obliged for this reply, offer and cautions, andrew129260. (And the moral is: backup, backup, backup! Which, fortunately, I do daily.)

I'm posting a question in case anyone else might find it useful:

andrew129260 said:

3.) You agree to follow all directions given, until I advise that your pc is clean and you are free of threats. You will not abandon the thread.
4.) YOU WILL NOT INSTALL/change/modify OR ADD ANYTHING TO YOUR SYSTEM UNTIL MALWARE REMOVAL IS COMPLETE. No files or programs or anything of the sort.

Since this PC is normally in use from early morning until late evening, I'd need to reschedule some work and other activities. (There's a laptop here for emergency e-mail access, but it doesn't have all the software for real work.) Can you please give some idea of how many hours or days a PC typically needs to be out of use for one of these pro-grade cleanups?

Thanks very much.

andrew129260 · 16 Aug 2014

cteno said:

Since this PC is normally in use from early morning until late evening, I'd need to reschedule some work and other activities. (There's a laptop here for emergency e-mail access, but it doesn't have all the software for real work.) Can you please give some idea of how many hours or days a PC typically needs to be out of use for one of these pro-grade cleanups?

Thanks very much.

It all depends on what we find, I am on at least once every 2 days, so I would say at the most a week. But frankly it all depends on if the instructions I give our followed, all questions asked are answered, and the nature of the threat and what I find.