IE popups from Firefox!

Status
Not open for further replies.

ArmyofKirb

Ok, I know this sounds weird, but it's true. I went to some sites referred by asta-killer.com, and now I have these annoying IE popups, which are even more frustrating because I don't even use IE. Below is a list of things I've tried:

- Tried scanning for malware/spyware with AdAware SE and the most current definitions
- Tried the same thing with Spybot
- Tried scanning using McAfee Virus Scan ver8.0i with the latest definitions
- Tried uninstalling and re-installing Firefox

I'm at a loss as to what to do next. Help! This is f-ing ridiculous!
 
go to the FF:Tools menu->Options
click Web Features and the 'Allowed Sites' button.
delete everything you find :)
 
OK here's an update:

I ran spybot again, and now 120+ spyware instances were detected! I cleared them out, and deleted the certificates that I didn't recognize, so we'll see if that takes care of it.

I'm beginning to think I have a virus that continually places more and more spyware on my computer. After running spybot and rebooting the computer, two new tracking cookies and MRU lists popped up in AdAware.

I've got free access to Symantec and McAfee products through my work, so I'm going to install Symantec too...this really sucks...
 
OK I'm in the process of getting HijackThis over to the affected computer. Check this crap out:

- Whatever is affecting the computer is using Windows Security Center to disable my anti-virus and firewall...when the defenses are down it then downloads beaucoup spyware/adware programs!
- I'm keeping task manager up to monitor CPU usage and it averages about 98%!

Thanks for all your help guys, I'm going to be back with another post soon.
 
Now that you've started this thread, may I suggest that you carry on posting in it until your problems are sorted out.

Regards, Howard
 
I need help w/Hijack this results

Attached is the .txt file of my Hijack this scan...

For those new to my situation, here it is:

I have a virus/malware problem that periodically disables my anti-virus and firewall through Windows Security Center. Once disabled, whatever it is downloads ****eloads of adware/spyware.

I have run AdAware, Spybot, and eTrust PestPatrol. AdAware detects the least, but they all detect and delete stuff.

I ran McAfee Virus Scan Enterprise v8.0i twice now and have not detected any viruses.
 

OK, sorry. I followed the Hijack this instructions that called for a new thread. I should have been thinking a bit more. You'll have to go to the new thread to see the .txt file, it won't let me upload it again.


Many Thanks,


Kirby
 
the tracking cookies are privacy issues, not adware per se.

install Spywareblaster to get control of the ActiveX

turn on the default Windows Firewall at least.

this will give you some measure of protection IMMEDIATELY.
 
It's a little more serious than simple tracking cookies or adware at this point. I have a virus at this point. It actively attempts (and succeeds) at turning off Windows Firewall and McAfee VirusScan Enterprise 8.0i using Windows Security Manager. Once disabled, the virus then downloads tons upon tons of adware and spyware, slowing the computer to a crawl. Someone please help!
 
disconnect from the net, repair, reenable the firewall and then get back online.
The longer you're online the worse it gets. We all feel your pain - - once the horse is out of the barn, it's all heck getting control again.
 
attachment is a HOSTS file; rename and move to:
\windows\system32\drivers\etc\hosts
this will stop some things
(original is from Spybot if you've not used the Tools:Host file yet)
 
While following that thread, make sure to look after these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
O9 - Extra button: Advisor - {5894DB8C-67C1-416F-95C0-AFAF266A4D16} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

And remember, I don't like empty promises but I DO like FULL kegs!
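
Added example, not part of the original posts: a small Python parser for HijackThis entries like those listed above, which labels each section code and lists the entries that reference a missing file or a host outside an allow-list. The allow-list (`presario.net`) and the function names are assumptions made for this illustration; the sample lines are copied from the post.

```python
import re
from urllib.parse import urlsplit
# HijackThis section codes that occur in the entries quoted in this thread.
SECTIONS = {
    "R0": "IE start/search page URL",
    "R1": "IE start/search page URL",
    "R3": "URL search hook",
    "O9": "extra IE toolbar button / Tools menu item",
    "O14": "'Reset Web Settings' defaults",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
URL = re.compile(r"https?://[^\s*]+")   # '*' separates chained redirect URLs

# Entries copied from the post above.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R3 - Default URLSearchHook is missing
O9 - Extra button: Advisor - {5894DB8C-67C1-416F-95C0-AFAF266A4D16} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
"""

def parse_entry(line):
    """Split one log line into code, meaning, referenced hosts and a dangling-file flag."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    hosts = sorted({h for h in (urlsplit(u).hostname for u in URL.findall(body)) if h})
    return {"code": code, "meaning": SECTIONS.get(code, "unknown section"),
            "hosts": hosts, "file_missing": "(file missing)" in body}

def review_list(log_text, expected_domains):
    """Return (code, reason) for entries with a dangling file or an unexpected host."""
    def expected(host):
        return any(host == d or host.endswith("." + d) for d in expected_domains)
    out = []
    for entry in filter(None, map(parse_entry, log_text.splitlines())):
        if entry["file_missing"]:
            out.append((entry["code"], "target file missing"))
        out += [(entry["code"], "unexpected host " + h)
                for h in entry["hosts"] if not expected(h)]
    return out

if __name__ == "__main__":
    print(review_list(SAMPLE, {"presario.net"}))  # assumed allow-list, not from the thread
```

An entry on the returned list is only a candidate for manual review; a host missing from the allow-list is not by itself evidence of a hijack.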
 
Roger. I managed to keep windows stable enough to install sygate firewall... It's containing the damage, blocking attempts to download more cr a p. I'm cautiously optimistic...I'll have another post soon. (By the way I'm using my roommate's computer to post here...)
 
I followed the instructions RBS posted, and it looks better. I do have a question regarding a file that is continually being blocked by Sygate. Here it is: NDIS User mode I/O Driver (ndsiuio.sys). Is it something I should punt? I'm going to post another HijackThis log file in a few....


Thanks so much for everything,

Kirby
 
Before I ran RBS's instructions, I installed Symantec Anti-virus and firewall, along with Sygate firewall. Now, the system loads to desktop, but is slow to respond to changes such as:

- opening firefox, then from that point navigating to and from any site
- slows/hangs when I try to uninstall anything to include the programs listed above

Plus I have questions about the following files that are currently being blocked by sygate:

svchost.exe
nwlinkipx.exe
tcpip6.sys
ndisuio.sys

I may have just solved my major problem by allowing the drivers, but let me know if this is correct...
Here's the file
 
You run the top 2 crap bloatwares, Symantec AND McAfee!
No wonder your PC is sluggish!

Get rid of both of those lousy resource-hoggers and install the free AVG from http://free.grisoft.com instead.

Firefox always takes a few seconds the first time, after that it should FLY.

Run HJT and let it 'fix'
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Nathaniel-Batman\Desktop\CWS Shredder.exe (file missing)
That's all.

Let svchost.exe through.
Get rid of nwlinkipx.exe
If this file is here: windows\system32\drivers\tcpip6.sys it is OK. Delete if anywhere else.
Unless you have wireless webaccess, deactivate ndisuio.sys via the control panel, administration tools, services, and STOP Wireless Zero Configuration and set Startup type to Disabled.
 
Thanks for your help...I was having a problem with no internet access, but I determined that it was a registry setting unique to my user account. I was a bit hasty in deleting the entire account, but I set up a new one and I have no problems w/ the internet now. When I got rid of the user acct, I think it cured the CWShredder entry.
I got rid of McAfee, but unless you think AVG is demonstrably better than Symantec I'll keep what I have. I have access to free Anti-virus programs (McAfee and Symantec) through my job (U.S. Army.)
I want to thank you again for getting me through that blasted trojan. I have never seen anything so persistent and insidious. Whoever wrote that 'stuff' should face swift and merciless justice.
As for the Guinness, I am checking on prices and methods to get it to you...Perhaps a shipping friendly six-pack would do? (Yeah, I'm cheap I know)
If there is any way I can repay you in addition to the Guinness, let me know. You've earned my gratitude, that's for sure.

Kirb
 