current virus attacks or something else?

Thread starter: Yv

My OH's laptop has gone a bit nacked. It started this afternoon and I cannot track down the problem.

1 - every so often Internet explorer pop up ads appear out of nowhere, despite having pop up controls turned on and never actually using IE anyway [runs firefox]

2 - when this happens, it turns down the 'wave' control in the sound control panel, thus muting the sound output.

so, what have I done so far?

1 - updated and scanned with Avast
2 - updated and scanned with Malwarebytes
3 - updated and scanned with Registry Mechanic

all to no avail.

Also tried a system restore, no luck, so disabled SR and ran all the above again. Still no joy.

If I uninstall IE, the pop ups stop, but the sound still turns itself off with no warning, which would indicate that whatever is causing it is still running in the background and doesn't affect firefox, only IE :shrug:

I have been to Symantec's site to see what is current, but nothing I can see that totally fits the bill, although it's totally feasible I have missed something.

so, as he is an avid iplayer user and is driving me mad with his cursing every time the sound goes off, does anyone have any ideas? Any IT chaps heard about this, any clues?

ANY help would be really really appreciated please :)
 
download combofix and run it. I imagine that'll sort.

http://www.combofix.org/

While you are running combofix disconnect the computer from the net(work) completely. When it asks about a recovery console say no.

Combofix is like an atomic bomb for spyware. It's what we use in the office when all else fails; malwarebytes is usually so good that it cuts through 99% of trouble, but occasionally combofix is needed to run.

If it won't work in normal mode boot it in safe mode.
 
Can't offer any specific advice on this problem but have you tried re-starting the computer in safe mode and running the scans from there?
 
Have you checked what outgoing connections are running from your computer using something like the sysinternals tcpview?

It also has a miles more useful process explorer too.
 
ok, update, have run combofix and it found a log file it deleted - xpsp1hfm.log - but no idea if that is in any way significant. :shrug:

kev - that will be the next step - so far been running an iplayer file for 10 mins now and it hasn't turned the sound off yet, which is about the longest it's lasted since this afternoon, but hard to say it's been cured or not.

francesca - no, you might have to explain that one a bit further. :thinking:

thank you all three of you for input so far though, very much appreciated :thumbs:
 
My brother had something similar with the pop ups a while back that turned out to be his son having downloaded something that changed the default browser start page to some wallpapers site that sent ads to the machine...Once I had worked out how to change it back it stopped...

Might not be what you have though but it might be something like that rather than spyware infection possibly ?
 
:lol: bloody kids!! As childish as a fellas can be, no, it's definitely still on the old home pages. firefox is still on the bbc and IE on the default msn page, but thank you for the thought :thumbs:

touch wood, it might be sorted, but I am whispering it..... so far so good... :exit:
 
Er - I'm a frayed knot! :(

Stickly little so and so has just popped up another pop up and shut the volume down again, in spite of a good old blast with Combofix!

Any more ideas please, folks?
 
They are utilities for finding problems, and often are a great help to me.
 
Thanks Francesca :thumbs:

That's tomorrow morning taken care of :D
 
Never a problem, I never let my computer defeat me.
 
It's malware, hacked into your browser.

Download the free version of MalwareBytes and run it. Brilliant program
http://www.malwarebytes.org/

Go on, I really love the help, but reading the thread might help :lol:

Someone else also reported this on Majorgeeks and they pointed to the guide below to help identify the problem:

http://forums.majorgeeks.com/showthread.php?t=35407

Ok, bearing in mind they want the logs from all those things, and MG tools aside, I have pretty much run all they want for XP, do you have the original link to the report, so I can track it to see what they come back with?



For further info, I have now run Malwarebytes, combofix and anti-virus under safe mode but still no joy. I have tried swapping avast for MSE, but again, no results returned. The attacks are strangely less frequent now, but still there. Interestingly, symantec are reporting a current virus that has similar results with the pop up ads, but the details don't fit this one.

Francesca, just reading up on those links, thanks for those.

My suspicion is it's something new and given time, hours or days, the AV or Malwarebytes will update and deal with, and in truth, it is an annoyance atm rather than particularly destructive, but with no info as to what it might be, that cannot of course be taken as read. :bang:
 
Ok, bearing in mind they want the logs from all those things, and MG tools aside, I have pretty much run all they want for XP, do you have the original link to the report, so I can track it to see what they come back with?

sorry it was reported yesterday and they were only telling to do the items listed to help identify it (link)

I found about the majorgeek link from a google search on "wave volume keeps going down"
 
Thanks for that, will bookmark it and see what he comes back with, if he ever gets his logs attached :lol:

I googled several things, but obviously not the right thing to get that :bonk: Going to try a few more search terms in a few mins
 
Go on, I really love the help, but reading the thread might help

Did you edit the first post? Don't remember seeing you'd used malware yes before.

In my defence I'm on my iPhone :)
 
I don't have an idea on your specific problem, but I had a day yesterday of running all my security programs while watching the footy.

Anyway, I run

AdAware
Avast
Malwarebytes
Spybot S&D

Everything was OK apart from 18 problems found by AdAware. :eek: I know they may be searching for different things, but I was surprised that there were so many that all the others missed. :shrug:

I've been having intermittent dropping of my internet connection, and so far this hasn't happened for awhile, so hopefully AdAware has fixed my problem. Fingers crossed.

Try Adaware and see if it finds anything. Nothing to lose. ;)
 
When you've cleaned your pc, make all your user accounts 'limited' so you don't have admin rights. Viruses and malware are pretty much stopped almost completely with this simple practice. You then install software using 'run as' and enter an administrator account password.
 
Spookily, now posting from my phone because the laptop in question is running that exact scan!

Will report back soon i hope

Last time that I had a problem, the only program that worked for me was:
http://www.superantispyware.com/
There's a free download and I was just on the verge of a re-format before this saved me!
 
:bang:

ok, superantispyware found 100 tracking cookies that nothing else had picked up on, some from the interim no doubt, but allowed it to deal with them - still no dice - 20 mins into a program, sound gone, IE pop up ad.

The utilities Francesca linked to show that IE establishes a connection at that point, but I knew that anyway, and not sure what to do with the information in that stuff :thinking:

Anyway, I am now totally fed up with it, life is way too short. Will keep an eye on the majorgeeks thread on same subject, see if anything comes up and also been reading malwarebytes forums too so will monitor those for a day or two, run a scan on each daily, then if nothing has found it in the next few days will just format the machine. It doesn't run much software and it's XP so easy enough to do and less frustrating than this. I could keep installing and scanning stuff like adaware and spybot, but tbh, it really isn't worth the effort, it has had the very best thrown at it to no avail.


HUGE HUGE thanks to everyone that has contributed - if I can ever persuade him that macbooks might just be worth the costly switch.... :lol:



edit: to add, I have of course told him not to do any internet banking or anything else critical or secure on it.
 
just found this thread where people are having the same problem as you are getting:

link

it seems to point to two files services.exe and smss.exe

the last poster in the above link said they managed to solve it by following this thread link
 
I think my advantage using those tools is that I took computing at college and did a lot of what I can only describe as tinkering in my own time so I have a very good know how and know what I'm looking at. To me, though I understand not everyone, it's much easier and reliable to remove problems myself as I find to a certain point, Security Software to be a false scene of itself. I do like them and understand for a normal user they can be a godsend. I guess I just have to be difficult
 
When you've cleaned your pc, make all your user accounts 'limited' so you don't have admin rights. Viruses and malware are pretty much stopped almost completely with this simple practice. You then install software using 'run as' and enter an administrator account password.

This is an effective malware stopper, but in practice it becomes such a PITA after a few days. Some apps don't even play nice under limited profiles, and because of these things it's a practice I ended up ditching.

The Windows Vista/Windows 7 UAC principle, which virtualises file and registry key writes to system protected areas, is a much better implementation, and allows full compatibility without compromising security.
 
This is an effective malware stopper, but in practice it becomes such a PITA after a few days. Some apps don't even play nice under limited profiles, and because of these things it's a practice I ended up ditching.

The Windows Vista/Windows 7 UAC principle, which virtualises file and registry key writes to system protected areas, is a much better implementation, and allows full compatibility without compromising security.

True true. Most things seem to work normally though and Vista/7 at least makes it easier than XP where you had to explicitly 'run as' an installer. For many home users, removing admin rights will protect them from 99% of web and email borne threats or at least limit the damage to their logon session.
 
Once again, many thanks. For info, I think I have got the little blighter, thanks to majorgeeks - apparently it rewrites the MBR code, hides itself in there, so no matter how hard you chase, it refires when machine is rebooted anyway.

There is now a fix on majorgeeks that I found via THIS thread, so huge thanks to the chaps over there too, even though I haven't actually posted there.

As robbino has said, more people are getting it and some googling in the last 24 hrs has found hundreds with identical problem, so be aware peeps.

Chris, as trencheel has said, it's a bit impractical running it limited rights, but I see where you are coming from.
 
It shouldn't be impractical at all unless you are installing software 20 times a day.

sorry, I should have explained that, there is some software we run, related to work and warranty procedures, that requires it to be admin account. Haven't used it at home since this attack, obviously, but as it does get used, [I am going to let him use machine normally for 48hrs before using the work stuff again just to be sure the little b****r has really gone], but would be a pain having to do a few extra steps every time, especially as the thing is so badly written, that if you leave it inactive for 5 mins, it boots you out and you have to start again. Toilet breaks...coffee making...answering the phone.... :bang:



However, here is a question for you guys that has occurred to me....if this thing is writing itself into the MBR files.... would [with the relevant risks accounted for of course] running fixmbr via recovery console from a windows disc not sort it out? :thinking:
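
Added example (not written by any poster in this thread): since the infection described above persists in the MBR boot code, one defensive check is to keep a known-clean copy of the 512-byte sector and compare later dumps region by region. The function names and sample sectors below are constructed for illustration; take real dumps from clean boot media, because code that loads from the MBR can hide the change from the installed OS.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440     # bytes 0-439 hold the bootstrap code
PART_TABLE_OFF = 446    # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"  # bytes 510-511 of a valid MBR
ENTRY = struct.Struct("<B3xB3xII")  # status, type, start LBA, sector count


def parse_mbr(sector):
    """Split a 512-byte MBR into the regions worth baselining."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def changed_regions(baseline, current):
    """Names of MBR regions in `current` that differ from the clean baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    return [name for name in old if old[name] != new[name]]


def build_sample(boot_code):
    """Constructed sector: given boot code plus one active NTFS partition."""
    entry = ENTRY.pack(0x80, 0x07, 63, 156248127)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + BOOT_SIG


# Constructed sample data, not taken from any real disk or malware.
CLEAN = build_sample(b"ORIGINAL-BOOT-CODE")
TAMPERED = build_sample(b"REPLACED-BOOT-CODE")

if __name__ == "__main__":
    print(changed_regions(CLEAN, CLEAN))     # []
    print(changed_regions(CLEAN, TAMPERED))  # ['boot_code']
```

A changed boot-code hash with an unchanged partition table is the pattern to look for here: the disk layout is untouched and only the code that runs at boot has been replaced.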
 