TechSpot

IE popups from Firefox!

By ArmyofKirb
Oct 24, 2005
  1. Ok, I know this sounds weird, but it's true. I went to some sites referred by asta-killer.com, and now I have these annoying IE popups, which are even more frustrating because I don't even use IE. Below is a list of things I've tried:

    - Tried scanning for malware/spyware with AdAware SE and the most current definitions
    - tried the same thing with Spybot
    - Tried scanning using McAfee Virus Scan ver8.0i with the latest definitions
    - tried uninstalling and re-installing firefox

    I'm at a loss as to what to do next. Help! This is f-ing ridiculous!
     
  2. jobeard

    jobeard TS Ambassador Posts: 9,319   +618

    go to the FF:Tools menu->Options
    click Web Features and the 'Allowed Sites' button.
    delete everything you find :)
     
  3. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    OK here's an update:

    I ran spybot again, and now 120+ spyware instances were detected! I cleared them out, and deleted the certificates that I didn't recognize, so we'll see if that takes care of it.

    I'm beginning to think I have a virus that continually places more and more spyware on my computer. After running spybot and rebooting the computer, two new tracking cookies and MRU lists popped up in AdAware.

    I've got free access to Symantec and McAfee products through my work, so I'm going to install Symantec too...this really sucks...
     
  4. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    I just checked Firefox again and the certificates I deleted are back!!!! ARRGGGGHHHH!!!!
     
  5. pkroks

    pkroks TS Rookie Posts: 259

    post a HiJack This Logfile, you could have spyware/malware/virus etc
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  7. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    OK I'm in the process of getting HijackThis over to the affected computer. Check this crap out:

    - Whatever is affecting the computer is using Windows Security center to disable my anti-virus and firewall...when the defenses are down it then downloads beaucoup spyware/adware programs!
    - I'm keeping task manager up to monitor CPU usage and it averages about 98%!

    Thanks for all your help guys, I'm going to be back with another post soon.
     
  8. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    I'm posting under a new thread called: "I need help w/Hijack this results"
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Now that you've started this thread, may I suggest that you carry on posting in it, until your problems are sorted out.

    Regards Howard :grinthumb
     
  10. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    I need help w/Hijack this results

    Attached is the .txt file of my Hijack this scan...

    For those new to my situation, here it is:

    I have a virus/malware problem that periodically disables my anti-virus and firewall through Windows Security Center. Once disabled, whatever it is downloads ****eloads of adware/spyware.

    I have run AdAware, Spybot, and eTrust Pest Patrol. AdAware detects the least, but they all detect and delete stuff.

    I ran McAfee Virus Scan Enterprise v8.0i twice now and have not detected any viruses.
     


  11. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    OK, sorry. I followed the Hijack this instructions that called for a new thread. I should have been thinking a bit more. You'll have to go to the new thread to see the .txt file, it won't let me upload it again.


    Many Thanks,


    Kirby
     
  12. jobeard

    jobeard TS Ambassador Posts: 9,319   +618

    the tracking cookies are privacy issues, not adware per se.

    install Spywareblaster to get control of the ActiveX

    turn on the default Windows Firewall at least.

    this will give you some measure of protection IMMEDIATELY.
     
  13. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    It's a little more serious than simple tracking cookies or adware at this point. I have a virus at this point. It actively attempts (and succeeds) at turning off windows firewall and McAfee VirusScan Enterprise 8.0i using Windows Security Manager. Once disabled, the virus then downloads tons upon tons of adware and spyware, slowing the computer to a crawl. Someone please help!
     
  14. jobeard

    jobeard TS Ambassador Posts: 9,319   +618

    disconnect from the net, repair, reenable the firewall and then get back online.
    The longer you're online the worse it gets. We all feel your pain - - once the horse is out of the barn, it's all heck getting control again.
     
  15. jobeard

    jobeard TS Ambassador Posts: 9,319   +618

    attachment is a HOSTS file; rename and move to:
    \windows\system32\drivers\etc\hosts
    this will stop some things
    (original is from Spybot if you've not used the Tools:Host file yet)
     
  16. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  17. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    If this works RBS, I'll buy you a keg of Guinness
     
  18. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    While following that thread, make sure to look after these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R3 - Default URLSearchHook is missing
    O9 - Extra button: Advisor - {5894DB8C-67C1-416F-95C0-AFAF266A4D16} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    And remember, I don't like empty promises but I DO like FULL kegs!
     
  19. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    What do you mean by look after? Remove?
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    RBS means let hijackthis fix them.

    Regards Howard :)
     
  21. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    Roger. I managed to keep windows stable enough to install sygate firewall... It's containing the damage, blocking attempts to download more cr a p. I'm cautiously optimistic...I'll have another post soon. (By the way I'm using my roommate's computer to post here...)
     
  22. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    I followed the instructions RBS posted, and it looks better. I do have a question regarding a file that is continually being blocked by sygate. Here it is: NDIS User mode I/O Driver (ndisuio.sys). Is it something I should punt? I'm going to post another HijackThis log file in a few....


    Thanks so much for everything,

    Kirby
     
  23. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    Before I ran RBS's instructions, I installed Symantec Anti-virus and firewall, along with Sygate firewall. Now, the system loads to desktop, but is slow to respond to changes such as:

    - opening firefox, then from that point navigating to and from any site
    - slows/hangs when I try to uninstall anything to include the programs listed above

    Plus I have questions about the following files that are currently being blocked by sygate:

    svchost.exe
    nwlinkipx.exe
    tcpip6.sys
    ndisuio.sys

    I may have just solved my major problem by allowing the drivers, but let me know if this is correct...
    Here's the file
     
  24. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    You run the top 2 crap bloatwares, Symantec AND McAfee!
    No wonder your PC is sluggish!

    Get rid of both of those lousy resource-hoggers and install the free AVG from http://free.grisoft.com instead.

    Firefox always takes a few seconds the first time, after that it should FLY.

    Run HJT and let it 'fix'
    O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Nathaniel-Batman\Desktop\CWS Shredder.exe (file missing)
    That's all.

    Let svchost.exe through.
    Get rid of nwlinkipx.exe
    If this file is here: windows\system32\drivers\tcpip6.sys it is OK. Delete if anywhere else.
    Unless you have wireless webaccess, deactivate ndisuio.sys via the control panel, administration tools, services, and STOP Wireless Zero Configuration and set Startup type to Disabled.
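
An added example, not part of any post in this thread: a minimal Python parser for HijackThis log lines of the kind quoted in the posts above. It splits each line into its section code and body, pulls out registry key/value pairs, URL hosts and CLSIDs, and flags `(file missing)` entries. The function names are hypothetical, and the sample input is assembled from lines quoted in this thread.

```python
import re
from urllib.parse import urlsplit

# Sample input assembled from HijackThis lines quoted in this thread.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R3 - Default URLSearchHook is missing
O9 - Extra button: Advisor - {5894DB8C-67C1-416F-95C0-AFAF266A4D16} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Nathaniel-Batman\Desktop\CWS Shredder.exe (file missing)
"""

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")   # "R1 - <body>"
REG_RE = re.compile(r"^(HK[A-Z]+\\[^,]+),(.+?) = (.*)$")        # key,value = data
URL_RE = re.compile(r"https?://\S+")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "body": body, "key": None, "value_name": None, "data": None}
    reg = REG_RE.match(body)
    if reg:  # registry-style entries (the R0/R1 lines above)
        entry["key"], entry["value_name"], entry["data"] = reg.groups()
    entry["hosts"] = [urlsplit(u).hostname for u in URL_RE.findall(body)]
    entry["clsids"] = CLSID_RE.findall(body)
    entry["file_missing"] = "(file missing)" in body
    return entry

def parse_log(text):
    """Parse every recognisable entry line in a log, skipping everything else."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def triage(entries):
    """Summarise what a reviewer would look at first: remote hosts and orphaned entries."""
    return {
        "hosts": sorted({h for e in entries for h in e["hosts"] if h}),
        "file_missing": [e["code"] for e in entries if e["file_missing"]],
    }

if __name__ == "__main__":
    for e in parse_log(SAMPLE):
        print(e["code"], e["hosts"], e["file_missing"])
```
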
     
  25. ArmyofKirb

    ArmyofKirb TS Enthusiast Topic Starter Posts: 70

    Thanks for your help...I was having a problem with no internet access, but I determined that it was a registry setting unique to my user account. I was a bit hasty in deleting the entire account, but I set up a new one and I have no problems w/ the internet now. When I got rid of the user acct, I think it cured the CWShredder entry.
    I got rid of McAfee, but unless you think AVG is demonstrably better than Symantec I'll keep what I have. I have access to free Anti-virus programs (McAfee and Symantec) through my job (U.S. Army.)
    I want to thank you again for getting me through that blasted trojan. I have never seen anything so persistent and insidious. Whoever wrote that 'stuff' should face swift and merciless justice.
    As for the Guinness, I am checking on prices and methods to get it to you...Perhaps a shipping friendly six-pack would do? (Yeah, I'm cheap I know)
    If there is any way I can repay you in addition to the Guinness, let me know. You've earned my gratitude, that's for sure.

    Kirb
     
Topic Status:
Not open for further replies.
