lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.27 21:12:00 -
[1]
So I've ballsed up my computer again
Not entirely sure what's happened this time, but all I know is that firefox is spamming me with popups to http://tprints.net/ads.html.
It told me to click an ad to stop the spam, didn't do jack, oh well. I uninstalled firefox, now I have a recurring error message reading that firefox cannot be located.
So, I did a virus scan with both Avast and Kaspersky online scanner. The avast one cleared my PC totally, and then the Kaspersky one didn't show anything up, as expected
Still, when I try to close the annoying error message, it just re-opens
Helllp ---
Project Mayhem 2 |
Derovius Vaden
|
Posted - 2007.08.27 21:15:00 -
[2]
Originally by: lofty29 So I've ballsed up my computer again
Not entirely sure what's happened this time, but all I know is that firefox is spamming me with popups to http://tprints.net/ads.html.
It told me to click an ad to stop the spam, didn't do jack, oh well. I uninstalled firefox, now I have a recurring error message reading that firefox cannot be located.
So, I did a virus scan with both Avast and Kaspersky online scanner. The avast one cleared my PC totally, and then the Kaspersky one didn't show anything up, as expected
Still, when I try to close the annoying error message, it just re-opens
Helllp
Where's your security now DS, .
|
MassonA
Caldari coracao ardente Triumvirate.
|
Posted - 2007.08.27 21:17:00 -
[3]
Edited by: MassonA on 27/08/2007 21:17:32
without smacking, why do you hate firefox?
|
oDDiTy V2
Epic.
|
Posted - 2007.08.27 21:22:00 -
[4]
Originally by: Derovius Vaden
Originally by: lofty29 So I've ballsed up my computer again
Not entirely sure what's happened this time, but all I know is that firefox is spamming me with popups to http://tprints.net/ads.html.
It told me to click an ad to stop the spam, didn't do jack, oh well. I uninstalled firefox, now I have a recurring error message reading that firefox cannot be located.
So, I did a virus scan with both Avast and Kaspersky online scanner. The avast one cleared my PC totally, and then the Kaspersky one didn't show anything up, as expected
Still, when I try to close the annoying error message, it just re-opens
Helllp
Where's your security now DS, .
Yeah you know because someone installing spyware on their comp clearly indicates vast security flaws in Firefox. Oh wait, no.
Um, can you stick a screenshot of what's going on somewhere? (And perhaps a screen of your processes tab in task manager). Wonder if you managed to install something during a **** spree?
|
lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.27 21:37:00 -
[5]
Edited by: lofty29 on 27/08/2007 21:37:29
FAIL!
---
Project Mayhem 2 |
Dark Shikari
Caldari Imperium Technologies Firmus Ixion
|
Posted - 2007.08.27 21:53:00 -
[6]
Edited by: Dark Shikari on 27/08/2007 21:53:30
Originally by: Derovius Vaden Where's your security now DS, .
Security cannot ever compensate for stupid users. This is a mistake that many people, companies, and organizations make; they think that by installing antivirus, antispyware, firewall, and other such software that they can make up for their users' ineptness.
23 Member
EVE Video makers: save EVE-files bandwidth! Use the H.264 AutoEncoder! |
lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.27 21:54:00 -
[7]
Originally by: Dark Shikari Edited by: Dark Shikari on 27/08/2007 21:53:30
Originally by: Derovius Vaden Where's your security now DS, .
Security cannot ever compensate for stupid users.
I don't know why I'm still friends with you ---
Project Mayhem 2 |
Sereifex Daku
|
Posted - 2007.08.27 21:57:00 -
[8]
Originally by: lofty29 So I've ballsed up my computer again
Not entirely sure what's happened this time, but all I know is that firefox is spamming me with popups to http://tprints.net/ads.html.
It told me to click an ad to stop the spam, didn't do jack, oh well. I uninstalled firefox, now I have a recurring error message reading that firefox cannot be located.
So, I did a virus scan with both Avast and Kaspersky online scanner. The avast one cleared my PC totally, and then the Kaspersky one didn't show anything up, as expected
Still, when I try to close the annoying error message, it just re-opens
Helllp
Aren't you the guy who claimed to get really good grades for GCSE without revising one bit? Yeah...right.
|
lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.27 22:00:00 -
[9]
Originally by: Sereifex Daku
Originally by: lofty29 So I've ballsed up my computer again
Not entirely sure what's happened this time, but all I know is that firefox is spamming me with popups to http://tprints.net/ads.html.
It told me to click an ad to stop the spam, didn't do jack, oh well. I uninstalled firefox, now I have a recurring error message reading that firefox cannot be located.
So, I did a virus scan with both Avast and Kaspersky online scanner. The avast one cleared my PC totally, and then the Kaspersky one didn't show anything up, as expected
Still, when I try to close the annoying error message, it just re-opens
Helllp
Aren't you the guy who claimed to get really good grades for GCSE without revising one bit? Yeah...right.
Yea, but technology doesn't agree with me ---
Project Mayhem 2 |
Dark Shikari
Caldari Imperium Technologies Firmus Ixion
|
Posted - 2007.08.27 22:01:00 -
[10]
Originally by: lofty29
Originally by: Dark Shikari
Originally by: Derovius Vaden Where's your security now DS, .
Security cannot ever compensate for stupid users.
I don't know why I'm still friends with you
Don't worry lofty, we still love you
23 Member
EVE Video makers: save EVE-files bandwidth! Use the H.264 AutoEncoder! |
|
oDDiTy V2
Epic.
|
Posted - 2007.08.27 22:05:00 -
[11]
Does it only happen with firefox?
I'd try uninstalling any extra firefox stuff like FlashGet/Yahoo toolbar/any addons you have in there to see if one of them may be causing it.
|
GPerson
Gallente The Scope
|
Posted - 2007.08.27 22:19:00 -
[12]
You might want to install another browser so you don't have to use IE. *cough* Opera *cough*
~~~Sig Stuffs Here~~~ I highly recommend drunken posting. This sig has been unhighjacked since 2005. |
Imperator Jora'h
|
Posted - 2007.08.27 22:24:00 -
[13]
Originally by: lofty29 It told me to click an ad to stop the spam, didn't do jack, oh well. I uninstalled firefox, now I have a recurring error message reading that firefox cannot be located.
So, I did a virus scan with both Avast and Kaspersky online scanner. The avast one cleared my PC totally, and then the Kaspersky one didn't show anything up, as expected
Still, when I try to close the annoying error message, it just re-opens
Helllp
Scanning with antivirus software to kill spyware is hit and miss. Generally dedicated anti-spyware is often the better route.
As for finding and removing it with Avast that can mean nothing. Some spyware is downright evil in its tenacity in staying put. Scanners will find it and say they remove it and it'll put itself back shortly after you are done (which sounds like the case with you).
Getting rid of some spyware once it has ahold on your system can be a downright pain in the arse requiring numerous steps, registry hacking, safe booting, numerous scans and so on. I even had one that saw I was searching for what it was in a web browser and would redirect the browser so I could not find answers (I was grudgingly impressed by that trick although I wanted to strangle whoever programmed it).
Unfortunately you have not provided enough detail for us to figure what spyware you might have and a way to possibly resolve it.
You could always wipe your system and do a fresh install :).
|
Grez
Minmatar Sybrite Inc.
|
Posted - 2007.08.27 22:26:00 -
[14]
Regedit time! Stop the virus opening on boot :) ---
|
lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.27 23:09:00 -
[15]
Originally by: Imperator Jora'h
EDIT: Clicking the Ad to stop the spam is about the WORST thing you could have done. That software they give you is often a wolf in sheep's clothing. It'll solve you one problem and give you ten new ones to worry about.
When I said clicking it did nothing, what I mean is it wasn't even a link ---
Project Mayhem 2 |
Rolly Polly
|
Posted - 2007.08.27 23:10:00 -
[16]
Two instances of lsass? My interest is piqued.
|
Sleepkevert
Paradox v2.0 Interstellar Alcohol Conglomerate
|
Posted - 2007.08.27 23:27:00 -
[17]
You can always try to run Spybot. It gets a lot of spyware, no guarantee that it will get this one though. I've seen spyware that isn't detected by any virus / spyware removing tool.
If it still isn't gone, posting a HijackThis log might help a LOT (Program download here)
Sign my sig |
Imperator Jora'h
|
Posted - 2007.08.28 00:03:00 -
[18]
Originally by: Sleepkevert You can always try to run Spybot. It gets a lot of spyware, no guarantee that it will get this one though.
I've found SpyBot and AdAware to be of dubious use. They certainly do not hurt and catch many things but some of the spyware makers know full well that since this software is free it is quite common and specifically program around it. Either it won't be found or if found seems like it is removed and comes back and so on.
Not saying do not use this stuff. It does not hurt and it is free and it might very well get whatever this is. Just understand it is not a cure-all.
|
Derovius Vaden
|
Posted - 2007.08.28 00:13:00 -
[19]
Have you tried the old bait and switch? Next time the error pops up, keep it open and explore to the location it's looking for. When there, make a text file with the name of whatever it wants, leave it empty, and rename it to the normal file extension the error wants. Sometimes it's enough to confuse it into thinking it's working.
|
Fink Angel
Caldari The Merry Men
|
Posted - 2007.08.28 00:25:00 -
[20]
... or put tsprints.net into your hosts file and point it at 127.0.0.1
|
|
lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.28 00:38:00 -
[21]
Originally by: Derovius Vaden
Have you tried the old bait and switch? Next time the error pops up, keep it open and explore to the location it's looking for. When there, make a text file with the name of whatever it wants, leave it empty, and rename it to the normal file extension the error wants. Sometimes it's enough to confuse it into thinking it's working.
What it's doing is spamming my default web browser, by opening http://whatever with a simple command it would seem.
Can the poster just above explain howso I would do that? ---
Project Mayhem 2 |
Imperator Jora'h
|
Posted - 2007.08.28 00:53:00 -
[22]
Edited by: Imperator Jora'h on 28/08/2007 00:54:24
Originally by: Fink Angel ... or put tsprints.net into your hosts file and point it at 127.0.0.1
Not sure this will help. He'll still get the popup but just redirected essentially nowhere. Might save him from more nastiness that may be present at that site but the annoyance remains.
Lofty:
- Hit CTRL-ALT-DEL
- Select the "Processes" tab
- Open a browser (assuming you can still access IE at least)
- Go to Google and start typing in the names of items you see in the Processes list (one at a time) and search on that
- A variety of web page links appear that will tell you what that process does
- Rinse and repeat till you have accounted for all of them
- Presumably one (or more) processes will either list as something you do NOT want running or will come up with no answer at all. END these processes using the End Process button in the lower right corner.
Hopefully the process will stay stopped. There is a chance the nastiness may restart. Sometimes the bad guy changes the process name each time (to avoid simple detection by scanners). One time it'll be E23JBS.EXE and next time it will be J_32JBZ.EXE. These will rarely get a hit on a search.
Also run AdAware and SpyBot (be sure their definition files are updated). Clean whatever they find. Restart your computer and run again. Now make note of what seems to come back despite being cleaned. Let us know what those are to help further or hit the web and find your own solutions as you like.
|
lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.28 01:03:00 -
[23]
Originally by: Imperator Jora'h Lofty:
Guides
Part one - I've done that and everything is legit. Either I know what it is or it's a microsoft application.
B. I ran Avast twice after reboots, nothing returned, and SpyBot twice, nothing returned...
---
Project Mayhem 2 |
Sleepkevert
Paradox v2.0 Interstellar Alcohol Conglomerate
|
Posted - 2007.08.28 01:10:00 -
[24]
Still, try posting a HijackThis log. It might help a lot, since we might be able to point out exe files that are at a place they are not supposed to be.
Sign my sig |
lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.28 01:11:00 -
[25]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:42:37, on 28/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Config\lsass.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winsup.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Teamspeak2_RC2MK2\TeamSpeak.exe
C:\Program Files\Mozilla Firefox\doopidoo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: sleep.exe
O4 - Global Startup: winsup.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN
---
Project Mayhem 2 |
Imperator Jora'h
|
Posted - 2007.08.28 01:13:00 -
[26]
Originally by: lofty29
Originally by: Imperator Jora'h Lofty:
Guides
Part one - I've done that and everything is legit. Either I know what it is or it's a microsoft application.
B. I ran Avast twice after reboots, nothing returned, and SpyBot twice, nothing returned...
Have you tried re-installing the latest version of Firefox? No idea if it will help but worth a try.
Oh yeah, run an IPCONFIG.
- START>RUN
- Type CMD in the box and click OK
- At the prompt type IPCONFIG /ALL
- Look at the IP addresses and see if anything looks fishy. Particularly the DNS addresses. Usually all the addresses will look similar for a home account (ignore the subnet address).
I had a client once where the spyware altered their DNS address. Essentially every time they browsed they went to the bad guy's server to resolve the address and their server would then spit back whatever it saw fit. This can also be used as a Man-in-the-Middle attack which can compromise passwords and such.
Just casting stones here...hard to say from where I sit but things worth trying nonetheless.
|
Sleepkevert
Paradox v2.0 Interstellar Alcohol Conglomerate
|
Posted - 2007.08.28 01:14:00 -
[27]
Originally by: lofty29 C:\Program Files\Mozilla Firefox\doopidoo.exe
Hmm, care to explain? (also, it seems cut off, can you post the rest in another post, so far nothing out of the ordinary next to this, except for the pesky yahoo toolbar =/)
Sign my sig |
Blue Binary
|
Posted - 2007.08.28 01:16:00 -
[28]
I take it this is your HijackThis log.
"C:\Program Files\Mozilla Firefox\doopidoo.exe" sounds a bit suspicious to me... try uninstalling Firefox, delete the directory, then run a registry cleaner.
That forum is your best hope though. ____________ Blue Binary |
Imperator Jora'h
|
Posted - 2007.08.28 01:19:00 -
[29]
Originally by: lofty29
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:42:37, on 28/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Config\lsass.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winsup.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Teamspeak2_RC2MK2\TeamSpeak.exe
C:\Program Files\Mozilla Firefox\doopidoo.exe <---- What is this? Thought you uninstalled Firefox. Does not return a result in Google
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
See bold item above ^^
|
lofty29
Infinitus Odium The Church.
|
Posted - 2007.08.28 01:31:00 -
[30]
Originally by: Sleepkevert Try to rename it, or even better, quarantine it, and see what it does. Also, try kill both of the processes in task manager. One should popup an error showing that you can not shut this down due to it being an essential system process, the other should be killed.
How do I go about quarantining it? I don't like renaming windows files anymore
Also, both got the popup stating that The task is system-critical and cannot be ended. ---
Project Mayhem 2 |
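The checks the posters applied by eye to the HijackThis log in post [25] (a second lsass.exe outside system32, the extended Shell= value, programs in the Startup folder), as an added Python example that is not part of the original thread. The rule names and the expected-directory table are assumptions for a default C:\WINDOWS install; the sample is an excerpt of the posted log.

```python
import ntpath
import re

# Assumptions: default C:\WINDOWS install; SAMPLE_LOG is an excerpt of the posted log.
EXPECTED_DIR = dict.fromkeys(
    ["smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
     "svchost.exe", "spoolsv.exe"], r"c:\windows\system32")
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Config\lsass.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winsup.exe
C:\Program Files\Mozilla Firefox\doopidoo.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: sleep.exe
O4 - Global Startup: winsup.exe
"""

# HijackThis entry lines look like "O4 - ..." or "F2 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (rule, evidence) pairs worth a manual look; not a verdict."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        folder, name = ntpath.split(path.lower())
        # A core Windows process name running from an unexpected directory.
        if EXPECTED_DIR.get(name, folder) != folder:
            findings.append(("system-name-wrong-dir", path))
        if folder.endswith(r"\start menu\programs\startup"):
            findings.append(("runs-from-startup-folder", path))
    for code, detail in entries:
        if code == "F2" and "shell=" in detail.lower():
            # Anything after Explorer.exe in Shell= is also launched at logon.
            if detail.lower().split("shell=", 1)[1].strip() != "explorer.exe":
                findings.append(("shell-value-extended", detail))
        if code == "O4" and "startup:" in detail.lower():
            findings.append(("startup-folder-entry", detail))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:26} {evidence}")
```

These location rules do not catch doopidoo.exe; an unrecognised name inside an application folder still needs the manual lookup described in post [22].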