Browser problems with XP Pro SP2

July 2, 2010 12:31:19 PM

It all started about a week ago when I upgraded at home from cable modem + router to a Cisco combo provided by the ISP - Cisco EPC2425. We have 5 PCs running locally - 2 physical and 3 wireless, and out of them my PC is the one with the problem, the rest are just fine - I'm typing this from one of the laptops.
I run XP Pro SP2 Version 2002. The PC is an E6300 with 2x2GB of DDR2 800 RAM, motherboard is Gigabyte EP31-DS3L, and video is a Leadtek 8600GT.
I have used the same software for close to 2 years now - the only difference is the AV, which has been Kaspersky 2010 for 3 months.
I use the XP firewall.
As browsers I use the latest Firefox with NoScript and the latest Opera.

The problem was that soon after we put in the new combo my browsers died. Pidgin has issues, Opera actually manages to check a page.
I have tried repairing the connection, uninstalling the connection, uninstalling the LAN, disabling NoScript, changing my DNS - it is taken automatically from the router and the router has DHCP and I'm not really sure that I managed to change it either, and even reinstalling the OS. Reinstalling the OS seemed to fix the problem, I did not have it for almost 5 days, but all of a sudden, it's back, and it wasn't simply in full effect, it was gradual. It started as pages taking longer to load, having to refresh constantly to get them to work and after a restart, they stopped working altogether, yet Opera is still working - not sure for how long though.
MMOs work, WoW and EVE have no issues on the affected PC.

I'll try to be a bit more clear. Router was installed, my browsers died, everything that would require a DNS died, and so did Pidgin - I use Google and MSN on it.
I reinstalled the OS, and it worked fine for 5 days, then it started again. Current status is MSN not functioning, Firefox not functioning, Google Talk functioning 50% of the time, and Opera still functioning - not sure for how long.

PS: No, I did not have Norton installed.
July 2, 2010 12:34:21 PM

I forgot to mention, I have installed VMware and will install the same XP Pro SP2 kit on that image, to see if I can access browsers through the virtual network like that.
I initially thought that my router was the issue but it was replaced - wireless would not work on it, and the problem persisted, so now I think that something is probably at fault on my PC.
I suspect it can't be port 80 being blocked, as I would not have browser access at all.
July 2, 2010 2:19:48 PM

First you should update XP to SP3, then head over to MS Update and run the patches there. May not fix anything, but it may.
July 2, 2010 2:25:43 PM

I did install SP3 before and it just broke something, system was way more sluggish after.
I'd rather sit on SP2 and keep updates up to date - I know they are discontinuing support so thinking of switching to 7.
July 2, 2010 2:34:25 PM

Boot into safe mode with networking. Do you have the same problem there?

Download and run combofix.
www.combofix.org/
July 2, 2010 2:56:12 PM

Restarted in safe mode with networking.

No, both Firefox and Opera work very well.

Do I still run ComboFix?

LE: ComboFix has detected the presence of rootkit activity and needs to reboot the machine.
Doesn't seem to have restarted in safe mode, but it restarted and is trying to complete its stages.
Got an error out of the blue ''The drive is not ready for use; it's door may be open. Please check drive and make sure that a disk is inserted and that the drive door is closed''. I assume it's referring to the DVD unit, it is closed and there is no disk inside.
July 2, 2010 3:11:15 PM

WoW, seems to be working now. It's trying to load some YouTube, and before it was like watching YouTube in safe mode, with no buttons or logos or anything, not everything loaded.

For the stupid - like myself, can you explain what just happened?
July 2, 2010 3:29:42 PM

Did combofix complete all the processes?

And everything is running well now?
July 2, 2010 3:35:37 PM

Yes afaik - don't know how many were supposed to be, and everything is running fine now.
I have been reading about rootkits, software is not my strong point and in the last few years I've become even more daft, but do you think the problem could return?
July 2, 2010 3:35:38 PM

Combofix is a powerful tool that scans for malware and automatically removes and repairs. When it's done, it creates a .txt log file that shows any and all changes it made. To see the specifics, you can check that log.
July 2, 2010 3:38:48 PM

Good to hear.

As long as you have a good Anti Virus software installed, and keep it updated, you should be fine. You shouldn't have any further issues. Kaspersky is pretty good.
July 2, 2010 3:43:04 PM

I think I found out where I got it from. I used torrents in the last week and I took the precaution to delete all of the recently downloaded files - good thing I have a NEW folder.
Is there any way for me to scan for them?
And I had Kaspersky trial, will probably switch to NOD32.
July 2, 2010 3:50:19 PM

Any scan for what?
July 2, 2010 3:55:25 PM

Whatever it is that affected me ... the rootkit.
July 2, 2010 4:06:39 PM

Combofix removed the rootkit that was infecting your system. Your AV should keep more from getting in. If your system starts to act funny, you can always do a scan with combofix or malwarebytes.

A few good AVs are:
Avast 5.0
www.avast.com/
Avira
www.avira.com/
or Microsoft Security Essentials
www.microsoft.com/security_essentials/
July 3, 2010 7:42:10 AM

It has worked only temporarily, this morning the problem returned with a vengeance.
I ran ComboFix again and it found the rootkit again.
I assume this is the part from the log that refers to it:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2CBD30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb7f59cb8
\Driver\atapi -> 0x8a2cbd30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
ParseProcedure -> ntkrnlpa.exe @ 0x80581554
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
ParseProcedure -> ntkrnlpa.exe @ 0x80581554
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7de0ba0
PacketIndicateHandler -> NDIS.sys @ 0xb7dedb21
SendHandler -> NDIS.sys @ 0xb7dcb87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

I have no idea what is causing it or where the source is.

LE: I installed Avira and am scanning for rootkits.
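
Added example, not part of the original thread: a short Python triage script for the detector output quoted in the post above. It separates hook entries that resolve to a named module from those showing only a bare address, and checks whether that address matches the >>UNKNOWN<< entry in the "called modules" line. The log format is assumed from the lines quoted here, and the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the log quoted in the post above.
SAMPLE_LOG = r"""called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2CBD30]<<
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb7f59cb8
\Driver\atapi -> 0x8a2cbd30
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7de0ba0
SendHandler -> NDIS.sys @ 0xb7dcb87b
user & kernel MBR OK
"""

# Address the detector could not attribute to any module in the call chain.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "<object> -> [<module> @ ]<address>"; the module part is optional.
HOOK_RE = re.compile(
    r"^(?P<target>.+?) -> (?:(?P<module>[\w.]+) @ )?(?P<addr>0x[0-9A-Fa-f]+)\s*$"
)


def parse_hooks(log_text):
    """Return (hooks, unknown_addrs) parsed from the detector output."""
    unknown = {int(a, 16) for a in UNKNOWN_RE.findall(log_text)}
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "target": m["target"],
                "module": m["module"],          # None when only an address is shown
                "addr": int(m["addr"], 16),
            })
    return hooks, unknown


def unattributed_hooks(log_text):
    """Hooks with no owning module, flagged if they match an UNKNOWN caller."""
    hooks, unknown = parse_hooks(log_text)
    return [
        dict(h, in_call_chain=h["addr"] in unknown)
        for h in hooks
        if h["module"] is None
    ]


if __name__ == "__main__":
    for h in unattributed_hooks(SAMPLE_LOG):
        print(f'{h["target"]} -> {h["addr"]:#010x} '
              f'(matches UNKNOWN caller: {h["in_call_chain"]})')
```

On the quoted log, the only entry without a module name is \Driver\atapi, and its address is the same one reported as >>UNKNOWN<< in the call chain.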
July 3, 2010 8:28:39 AM

It started again. :( 

Trying UnHackMe. It didn't find a rootkit, but it did find at the same location this catchme.sys, downloaded from the net - in the temp folder. It is reported as Kernel Auto Boot and of the type Drivers.

Did not fix it.
LE: Spoke too soon, simply laggy and less responsive PC while booting up everything, seems to work well now.
July 3, 2010 11:41:55 AM

You can try downloading Sophos, and running that. It's designed for rootkits.
http://www.sophos.com/products/free-tools/sophos-anti-r...

If the rootkit is in the MBR, you can re-write that. Boot off the XP disc. Use the R option to get into the repair console. The Admin password is blank by default, so just hit enter when prompted. At the command line, type fixmbr and hit enter. It will re-write the MBR, and hopefully overwrite any rootkit infection/damage.
July 3, 2010 12:12:31 PM

So far it works OK - after 1 restart.
I will continue monitoring it and then will try that if it doesn't work.
What I don't get is the behaviour of this thing.
Why did it block my browser access and draw my attention to its presence instead of just lying silent?
July 3, 2010 12:52:21 PM

If these scanners can't remove all of the infection, the options are limited. You can remove the hard drive, put it in another PC as a slave, and scan it. With this method, no files or programs are in use. About the only other option is to back up your files, and format the hard drive. Unfortunately, rootkits are one of the hardest infections to remove.

Malware can do all sorts of things when they dig into a system. I won't claim to know why each does what they do. It's a good thing they do show symptoms though. That way we have an idea to look for them.
July 4, 2010 7:23:24 AM

Well, my HDD situation is like this. I have 2 HDDs, a 120GB PATA which has 2 partitions, one for the OS and one that I use as a buffer for things I download - torrents generally and vids, and a 250GB SATA drive that I use for storing stuff with 1 big partition.
I have looked through the ComboFix log and it appears to me that it says only that HDD0 is infected, does ComboFix scan all of the HDDs' MBRs?
Also, I haven't done this in ages, but will starting up the install of XP, deleting all partitions on the 120GB drive, restarting the install and making new partitions clear my MBR?
July 4, 2010 9:58:19 AM

Yes, ComboFix should scan the MBR. However, if this software can't remove all of the infection, then you'll need to format and reinstall Windows.
July 4, 2010 10:19:08 AM

But will doing the install like I said above work? Will it erase the MBR?
July 4, 2010 8:47:40 PM

Yes, that would delete the MBR. If you were going to delete the partitions, you should probably do a full format too.
July 5, 2010 9:04:12 AM

I got rid of the virus, but now I have another big problem, the PC will only see 448MB of RAM. I do not have onboard video and I have 4GB of RAM on this thing. I did a 2nd reinstall and the problem persisted, after a bit of digging I think it's probably the BIOS's fault.
Also, the graphics are 'stuck' on 4 bits, and 640x480 - yes ... it is extremely annoying.

PS: I reset CMOS and nothing.
I changed the memory from the primary slots to the secondary slots and now it seems to be working .... time to fix the graphics.
July 5, 2010 10:01:01 AM

For the graphics problem, that should be resolved by installing the graphics driver.


What is showing 448MB of RAM?
start-->right click on my computer-->properties-->how much RAM does it show?
July 5, 2010 12:28:26 PM

start-->right click on my computer-->properties-->how much RAM does it show?

Pretty much this is showing 448MB of RAM.
I moved the RAM modules in between primary and secondary slots and it now recognizes the full amount.
July 5, 2010 7:51:39 PM

Good to hear.