Need help debugging browser problem

I've run one malware check program that came back negative, and keep Symantec running at full strength.

Problem - web browsers keep crashing. This has been happening recently with IE6, IE7.3, and the latest FireFox. IE displays three behaviors: (1) crash when opening a web page, either launching from scratch or following a link, by simply disappearing; (2) crashing with an error report notification; or (3) crashing with a runtime 217 error. FireFox exhibits the first two behaviors.

Doesn't seem to be any particular site doing this... it can happen pulling up the Google homepage, it can be fine for a given site all day and crash suddenly, or shut down following a link several times in a row and then the next time seems to work fine.

This is on WindowsXP Professional, SP2 with all the latest updates (actually added several of them after this behavior started to see if that helped). No other software I've run lately has seemed to have any unusual behavior (mostly office applications... one light game, and some CAD software).

As far as I can remember, no significant (or insignificant) software changes were made from before to after this started. However, we did travel with the computer on a 12 hour move (well boxed, factory packing, computer in car not on a truck).

Another possibly related problem is that three or four times now in the past week I've seen a BSOD - the first ever on XP for me (actually, don't recall many if any on Win2000 either). I jotted one of the dump codes down if that helps. I've also found the computer locked a couple of times and had to reboot (usually locked at a login screen after going to sleep).

I have searched for all of the programs running in task manager, and none seem to be signs of a virus, spyware, or other malicious thing.

Does this seem symptomatic of hardware or software? Suggestions? If software, how do I track what is happening when a browser shuts down? If hardware, any suspicions?
 
First thing, open the case & check that everything is properly plugged in, if something got partially dislodged by the move it'll be likely causing this.
 
Yeah, lately I've begun to wonder that too, both actively and passively. Maybe it let something through, not that it is supposed to be particularly effective against spyware anyway. Also, on restarts (I've been finding the computer frozen with black screen more often the last day or two) sometimes it seems like the CPU is just bogged down - even task manager may be nonresponsive. When that happens I've noticed rtvscan taking up some 20MB of memory resources and a significant amount of CPU resources. I've read something about an auto update to the corporate version (what I have) that might be responsible for this... I'm investigating that now.

In the meantime, I'll check to make sure everything is seated properly. I've seen hardware problems like bad memory behave as seemingly subtle software issues in the past, but this seemed to be so specific to web browsing at first that I didn't really give that proper attention. Now that there are more general lockups happening more frequently I think it's a good idea.
 
A little more information and an update:

The rtvscan thing didn't fix it. Apparently I didn't suffer from the forced update that caused the problem.

I removed and reseated memory, CPU, and all peripheral cards. This didn't seem to have any effect, although at first the computer recognized that the memory amount had changed to half what was installed but when I reseated memory again it went back to the full amount (I figure my first reseat just didn't seat good).

Last night I experienced for the first time a problem during the use of an application other than web browsing - I got a BSOD in excel. That's the only problem outside of web browsing that I've seen.

In web browsing, I'm still getting continuous problems - browser instantaneously closing when trying to load a page (even my home page - Google), browser closing with MS error report notification (do you want to send? type of thing), browser closing with runtime 217 error. Sometimes the browser seems frozen (and I've waited a long time to see if it would unfreeze) until I pull up taskmanager and miraculously it unfreezes.

Any more suggestions? I need to run a full Spybot S&D scan to make sure malware isn't responsible.
 
Sounds like a memory problem, to be honest. Not like malware.

Be sure your sticks are getting adequate ventilation.

Try one stick, then add the other in, to see if that accounts for the issues.



Could be your board.

Could be a crappy driver somewhere.

Could be a corrupted registry.

There are tons of variables here, unfortunately.
 
Dang.

I'll take one stick out and see if that changes anything after a day or two. If not, I'll try the other one. If nothing still, I'll try one in a different slot just to make sure.

Once I've ruled out (or in) hardware, I'll give an update.
 
Random problems are the worst, eh?

It's bad enough when a customer tells you that their computer is running slow and crashes randomly; no big deal, it's the usual culprits, spyware, etc.

When our OWN box does something we don't expect, it's like... *blink* uh...

Then I get angry.
I threaten to replace it with a Dell.
I disconnect it from the wall, so it goes hungry.
Bastard.

:)

Hope it goes well for you.
 
I can't uninstall Symantec (well, I can, but I shouldn't). It's a corporate owned computer, and this is a corporate install version for which I get force fed updates. I can't even disable it (well, again, I could if I really wanted to, but it is clear that our IT dept doesn't want that).

The computer just happens to be located at home.

After some investigation, it looks like I have some form of Sasser variant worm infection. Definitely a worm (or virus? never know which to use) that targets lsass, but none of the automated Sasser removal tools I tried detected it (half a dozen or so). I can see a malicious LSASS process running that has marked itself as system critical, and I know it is running from the wrong directory.

I can kill the process with Process Explorer, but something called EXERT.exe starts up and apparently relaunches LSASS after a minute or so. I found a reg entry for LSASS in hkeylocal/software/ms/windows/currentversion/run, and I can delete it but it is there again after restart. I know LSASS resides in C:/Windows in packed form, but I don't know how to figure out which binary files are responsible for it. Likewise, I know that LSASS when running seems to reside somehow in my specific user folder, but I can't see it there either.

The worm seems to be named wAQdN, as that is the "owner" of the LSASS process. I couldn't find any reference to it on the internet, perhaps it is a randomly generated name. It also seems to be causing a general 'memory leak' by which I have way more memory committed than attributable to running processes. That might be the cause of my various crashes and such... not sure.

Are the hijackthis guys good at this kind of removal, or only browser hijackers and such? Or do you guys have another suggestion for how to proceed?
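
The check done by hand in the post above (a process named like lsass.exe running from the wrong directory, plus a matching Run entry), written out as an added example that is not part of the original thread. The process list, Run values, paths and PIDs are constructed sample data, and `C:\WINDOWS\system32` is assumed as the system directory.

```python
import ntpath

# Names of Windows system binaries that should only ever run from System32.
# lsass.exe is the one the post describes; the others are an assumed watch list.
PROTECTED = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumed %SystemRoot%\System32, lower-cased


def image_path(command):
    """Extract the executable path from a process path or a Run-key command line."""
    command = command.strip().replace("/", "\\")
    if command.startswith('"'):  # "C:\path with spaces\x.exe" -arg
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]


def is_masquerade(command):
    """True if a protected system binary name is used outside System32."""
    path = ntpath.normpath(image_path(command)).lower()
    folder, name = ntpath.split(path)
    return name in PROTECTED and folder != SYSTEM32


def audit(processes, run_values):
    """Return findings for running processes and Run-key autostart values."""
    findings = []
    for pid, path in processes:
        if is_masquerade(path):
            findings.append(("process", pid, path))
    for value_name, command in run_values.items():
        if is_masquerade(command):
            findings.append(("run-key", value_name, command))
    return findings


# Constructed snapshot: paths and PIDs are illustrative, not taken from the thread.
SAMPLE_PROCESSES = [
    (700, r"C:\WINDOWS\system32\lsass.exe"),
    (1984, r"C:\Documents and Settings\user\lsass.exe"),
    (1220, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]
SAMPLE_RUN = {  # values as found under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "LSASS": r'"C:\Documents and Settings\user\lsass.exe" -start',
    "Updater": r'"C:\Program Files\Example\updater.exe"',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROCESSES, SAMPLE_RUN):
        print(finding)
```

A name match alone is not proof of infection, but a system binary name outside System32 that also has an autostart entry is worth isolating the machine for and escalating.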
 
Oh- yeah, I tried the automated thing, which pointed out a few unnecessary startup processes and a couple of suspicious browser objects (nothing especially malign), along with a note that LSASS was running from the wrong directory (something I was suspicious of already).

It may have helped clean up a little, but it can't remove the LSASS worm residing on my system. I'll try the guys in the forum - they helped years ago with a bad browser hijacker, but I wasn't sure if they also kept up on viruses and worms.

Oh, and after running overnight my commit charge in memory was 1.4GB... I killed LSASS and it dropped to ~200MB, even though LSASS was only displaying 13MB of memory usage. There's the "leak." Hopefully its removal will also correct the 217/browser crashes, BSOD, and other problems I've seen.
 
Well, the guys at hijackthis.de forums seem to have helped me get rid of the worm infection, but the tool that did so left my computer botched in a pretty serious way.

I can't launch many executables from "windows." i.e., I can't launch but a couple of applications through the start/programs path, or through desktop or quicklaunch icons. Adobe and a couple of others work, most either say "application not found" (happens with MS office programs too) or open the dialog box asking me what "program" I'd like to launch this "program" with. That's pretty weird... having windows ask me what I'd like to open notepad in. Erm... how 'bout notepad?

This extends to many builtin MS executables. Double clicking the date to bring up the calendar doesn't work; instead I get an error saying the system can't find run32.dll. Regedit, cmd, and other builtins don't work. Command.com from the run line, mercifully, does work (thank god MS had enough wisdom to keep a virtualNT-dos box in the package). From that command prompt I can navigate to folders and launch applications through their executables (like firefox, thankfully, so that I might be able to find a solution).

I posted the hkey_classes_root/exefile export to the hijackthis forum and was told all was as it should be. The advice I was given was to use system restore to get back to some previous point.

I'm not familiar with system restore at all. Will I lose data (files) that have been created or modified since the last restore point (do I need to back up stuff)? I'm not sure how far back that will go - I know that I was instructed to turn off system restore before I started the virus cleaning process.

Also, system restore doesn't work from start/programs. And the environment variables don't contain the path to where the executable, rstrui.exe, resides so I can't launch it from a generic command.com prompt... I need to navigate to the proper folder, but search doesn't work either. Argh. Anyone know where MS keeps rstrui.exe? Mind searching XP for it?

Any other suggestions as to what is going on with my machine? I think this is worse than the worm.
 