# I'm infected again

## Neo

Some nasty shit out there these days, I think I'm going to stay away from Google images from now on as I think a lot of the crap is hiding in jpg files... anyway.. 

I've got an infection, one of the ones that detects keywords and hyperlinks them to crap commercials and fake eastern euro porn to drag you further in. You know what I mean, it highlights the word in green like date london etc

I've done everything I can so far, cleared cookies, cache, Ccleaner, Avast, Malwarebytes, DrWeb CureIt, Spybot S&D, and it's still there and very well hidden, I'm also getting slowdown on the puter, which is very unusual and together it suggests there's more to this than just a few tacky links, suggestions please? (not you butterfly)

----------


## nigelandjan

what AV you using mate ??

----------


## Neo

Avast.. I'm happy with it though. I picked up a few bits with the S&D scan and one with DrWeb which are both usually very reliable, but this bug is still in there which suggests it's well engineered.

----------


## nigelandjan

sorry mate can't help with that one I use Maccyfeeeeeeee  but you do need a good spec lappy to soak up the load it deals it ,,,,,,,,,,, I'm off this soon anyway I've had enuf of windows I got a Mac pro book on order, gonna be all Appley soon  :Smile:

----------


## Sailing into trouble

Macs do work great. At the moment Macs outsell any other brand of comp. At some point they will become targets. However the more people stick to Windows the more profitable target will remain the Windows format.

----------


## harrybarracuda

> Some nasty shit out there these days, I think I'm going to stay away from Google images from now on as I think a lot of the crap is hiding in jpg files... anyway.. 
> 
> I've got an infection, one of the ones that detects keywords and hyperlinks them to crap commercials and fake eastern euro porn to drag you further in. You know what I mean, it highlights the word in green like date london etc
> 
> I've done everything I can so far, cleared cookies, cache, Ccleaner, Avast, Malwarebytes, DrWeb CureIt, Spybot S&D, and it's still there and very well hidden, I'm also getting slowdown on the puter, which is very unusual and together it suggests there's more to this than just a few tacky links, suggestions please? (not you butterfly)


No good having AV if you install it on top of clever malware, which will quietly hook everything as it installs and hide itself.

You need to boot into a clean environment and scan it with nothing loaded into memory off the hard disk.

As it's Sunday tomorrow and you probably don't have to work, try going through one of these, and if you need a hand, just ask.

Link
Link
Link
Link
Link

----------


## Neo

Yes I've got a feeling it's going to have to be booted off a disc as you say... 
I'll have a look and see if I can rip something from those links.. the S&D one is $30  :Sad: 

Cheers

----------


## jizzybloke

If you do a full virus scan in safe mode, will that help?

I know feck all about computers so anything on here will probably come in handy for me at some point!

----------


## Neo

I don't know either, but I'll give it a try later when I log off.

----------


## nigelandjan

> anything on here will probably come in handy for me at some point!


 follow me Jizz and get a Mac

----------


## sabaii sabaii

> I've got an infection, one of the ones that detects keywords and hyperlinks them to crap commercials and fake eastern euro porn to drag you further in. You know what I mean, it highlights the word in green like date london etc


Have you tried using a different browser ?

----------


## Latindancer

When all else has failed, I've always had a great result from A-squared (free edition), which is now called Emsisoft. Boot up in safe mode and run it.

----------


## harrybarracuda

Safe mode is not the solution. You need to boot into a clean environment. Safe Mode is not necessarily clean, because it uses the bootloader and stuff on the infected disk to start itself up. If this has been hijacked it will merely hide itself while you run the scan.

You need to boot from a CD, and the links I provide are for downloads of ISO images which are simple to burn.

This is the best way to ensure you are scanning the disk from a clean environment.

Trust me, I'm a doctor.

 :Smile:

----------


## Neo

I tried safe mode last night and thought I'd trashed the computer for a while. 
Don't think I'll try that again, bad experience. I also uninstalled Spybot S&D, which I used to rate as anti-malware, but it's now very bloated and seems very intrusive to the general running configuration, you know something isn't right when it asks you 5 different ways "are you sure you want to un-install?" A security system with insecurity. 

I'll look at getting rid of this virus later today or tomorrow, I've got some work I need to finish on it first, just in case it gets trashed in the process. I'm tempted to move some of my user files to an external drive as back up, but then I risk moving the virus with it I guess. Anyway your help will be appreciated when I get around to it Harry.

----------


## bsnub

Malwarebytes is most excellent at solving these problems.

Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at CNET Downloads

----------


## sabaii sabaii

Maybe the virus is inside that "Don't Panic"  animated gif , as a pisstake

----------


## Neo

Mmmmm... how about you copy and paste it to your browser and see..?  :Very Happy:

----------


## sabaii sabaii

What exactly is happening in your browser ? 

Is your browser Firefox ?

Have you tried Chrome ?

Does this problem happen in the address bar or the google search or both ?

Have you looked if any add ons have been installed ?

Or Toolbars ?


I don't understand why Malwarebytes or Spybot are not picking it up ?

Look in your add/remove programs for any installed progs

Look at what apps and processes are working in Task Manager











































Have You tried turning it off then back on again ? :smiley laughing:

----------


## harrybarracuda

Computer says "No"....

 :Smile:

----------


## Mickmac

Correct me if I am wrong, but I always thought a virus could only be spread via an executable file. Or are there new improved models out there now ?

----------


## sabaii sabaii

Are the gay porn vids he downloads exe files ? :Smile:

----------


## harrybarracuda

Viruses are just a small portion of what is generally known as malware.

A lot of the shit that infects these days comes through visiting dodgy websites and clicking on pop-ups that deceive you into thinking they do something useful.

 :Smile:

----------


## Neo

I am going to get round to this soon, had some stuff to clear up and just making time to do it, as I need to take the puter away with me at the weekend.

----------


## Mickmac

I swear on my Mother's grave I do not know what type of file a gay porn vid is.

----------


## sabaii sabaii

^ hahahahaha

----------


## Neo

I just ran the Kaspersky recovery cd from the first link, How to Use the Kaspersky Rescue Disk to Clean Your Infected PC - Linux Geek 
Very easy to set up, but it didn't find anything and I still have the problem. 

Ok I'll run through some more...

----------


## Neo

Just tried f-secure Rescue CD again nothing. Although it did say one file was not scanned.. kind of odd. 

Think I'm going to have a closer look at recent installs and program files and see if I can find some more stuff to strip out, maybe I'll come across something in the process.

Very impressed with this ImgBurn http://www.imgburn.com/ to mount the ISO files, I use Daemon but thought I'd give it a go, no virtual mounting but very quick and thorough.

----------


## harrybarracuda

OK so now tell us what Browser you are using.

Have you cleared out all the temp files? Have you looked to see what add-ons and toolbars you have installed?

----------


## Neo

FF5. I cleared the temp files, cookies, registry keys, etc with Ccleaner. 

I'm pretty sure I got this virus when browsing images as I had several trojan alerts going off and then it was there, not even mucky pictures, mostly it's the most innocuous that are trojans. 

I've just got up and having a cuppa, so I'll have a look in a bit, I'll dust off IE8 and see if that has the same prob, maybe it is specific to the browser.

An odd thing with it is, at the moment I can see it's hyperlinking the word 'date' under my av on one of my posts, no doubt a link to a dubious dating site, but that is the only hyperlink on the page, it doesn't hyperlink any of the other 'date' words. 
It usually only highlights one word per screen, or two if there is a city name on there. If it was to highlight all the words of the same type then I'd be inclined to think it was some word recognition/adlink add on, but I've checked for something like that and can't find anything.

----------


## harrybarracuda

I'd say install IE9 but I'm guessing you're on XP.

Try Google Chrome.

----------


## harrybarracuda

Also, you may want to see what Browser Helper Objects you have installed.

Use something like this

----------


## Neo

Yes I'm on XP. I just fired up IE8 and didn't have the same problem there. 
Didn't have it up for long, and cleared cookies before closing it down again.
Perhaps not enough time for the virus to spread to IE or just that it is specific to FF. I think I'll take a browse through Mozilla files, plug ins etc again, but I might try to uninstall FF, give it a scan and then re-install. What do you think?

----------


## blue

it might be hiding in an extension - could try going to tools, add-ons etc
and disable the lot, then restart 
see if it's still a problem

----------


## Neo

Good call! I've just disabled all extensions and the hyperlinks have gone. 
Now to switch them on systematically to see which one is the problem.

----------


## Neo

Ok now we're really getting somewhere. It is, or it is in, the Shockwave Flash extension (10.3.181.14). I've disabled it and that has stopped the hyperlinks.
Now.. what to do, remove the file is obviously the best option but Shockwave is probably quite well embedded. 
I shall investigate...  :Very Happy:

----------


## Neo

Mmmm... system restore point done. 
It's not giving me the option to remove the add on via the FF browser. 
I'll hang fire and wait for suggestions.

----------


## Neo

Sod it I'll just take the whole lot out!
Ok.. I uninstalled the extension and reinstalled the new version
Shockwave Flash (10.3.181.34) and the hyperlinks are back. So I guess the virus is in the flash player program files...

----------


## Rural Surin

Try:
_Smithfraudfix_
_hijackthis_
....both highly recommended for nasty malware. Cleaning, maintenance, prevention, etc. Works well with most systems and browsers.

----------


## Neo

Uninstalled Flash player, rebooted, reinstalled Flash player.. hyperlinks are back. 

Ok stuck now, will wait for ideas.. meanwhile will try RS's scans.

----------


## Hampsha

CCleaner helps uninstall and delete any other files left behind. When you do uninstall something that might have a virus usually you have to turn system restore off then do it. After that I run the ccleaner and maybe even MS disk cleanup to get any possible crap left behind. When you are done you can turn system restore back on.

I've used real versions of windows and the paid versions of ESET NOD32 and never had a serious problem. I do tend to just reinstall windows if I have any type of problem. And I generally reinstall fairly often just in case there might be something I don't want going on going on.




----------


## harrybarracuda

When you say "Hyperlinks", what is/are the underlying URL(s)?

----------


## Neo

Good thinking. 

http://www.textsrv.com
/click.php?v=R0I6OTQ0ODo0OmRhdGluZyBzaXRlOjFhNGNhM2  I5YjgwOTljOGY2NGFhYmNjNmNjODY3Zjc2OnotNS05MzQ2

http://www.textsrv.com/click.php?v=R...ei01LTkzNDY%3D

textsrv  no decent info on it so must be recent.. searching...

----------
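Decoding the `v` parameter of the link Neo posted above, as an added example that is not part of the original thread: the value is base64, and decoding it shows the injected link carries plain-text fields, one of which is the keyword phrase. The function names and the two example.org/example.com links are constructed for illustration, and the meaning of the individual fields is not stated anywhere in the thread.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote

# Link as posted above, joined onto one line. The two spaces inside the
# parameter are as they appear in the post (forum line-wrapping).
POSTED_LINK = (
    "http://www.textsrv.com/click.php?v="
    "R0I6OTQ0ODo0OmRhdGluZyBzaXRlOjFhNGNhM2"
    "  I5YjgwOTljOGY2NGFhYmNjNmNjODY3Zjc2OnotNS05MzQ2"
)

# Map the URL-safe base64 alphabet onto the standard one before decoding.
_URLSAFE = str.maketrans("-_", "+/")


def decode_param(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    # unquote (not unquote_plus) so a literal '+' in the base64 survives,
    # while percent-encoded padding such as %3D is restored to '='.
    compact = "".join(unquote(value).split())   # drop wrapped-line whitespace
    compact = compact.translate(_URLSAFE).rstrip("=")
    if len(compact) < 8 or len(compact) % 4 == 1:
        return None                             # too short or impossible length
    compact += "=" * (-len(compact) % 4)        # restore padding
    try:
        raw = base64.b64decode(compact, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):
        return None                             # not base64, or not ASCII text
    return text if text.isprintable() else None


def triage_links(hrefs):
    """List every query parameter in hrefs that decodes to readable text."""
    findings = []
    for href in hrefs:
        parts = urlsplit(href)
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            text = decode_param(value)
            if text is not None:
                findings.append({
                    "host": parts.hostname,
                    "param": name,
                    "decoded": text,
                    "fields": text.split(":"),  # field meanings are not documented
                })
    return findings


if __name__ == "__main__":
    # The last two links are constructed, ordinary-looking URLs for contrast.
    sample = [
        POSTED_LINK,
        "https://example.org/search?q=date+london",
        "http://example.com/page?id=12345",
    ]
    for finding in triage_links(sample):
        print(finding["host"], finding["param"], finding["fields"])
```

Run over the links scraped from a saved page, this separates links that smuggle readable tracking data in an encoded parameter from ordinary query strings.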


## Neo

The url http://www.textsrv.com leads to a blank page.
Only one thread on it on the Kaspersky forum a few days ago that's not resolved. 
Looks like I'll have to wait for a fix.

----------


## Neo

I'm away for three weeks from Sunday so I'll have to get back to this when I can, perhaps there will be a fix by then. Cheers for all your help, I'm sure we'll get it sorted in the end.  :Very Happy:

----------


## harrybarracuda

I'm still thinking BHO's. One of mine is Skype, which replaces phone numbers in web pages with Skype call links.

Which is why I'd take a look at this or this

----------


## sabaii sabaii

Try Revo uninstaller

It gets rid of all the registry files and more that add/remove program doesn't

Revo Uninstaller - Free software downloads and software reviews - CNET Downloads

----------


## harrybarracuda

> Try Revo uninstaller
> 
> It gets rid of all the registry files and more that add/remove program doesn't
> 
> Revo Uninstaller - Free software downloads and software reviews - CNET Downloads


Which program do you suspect?

 :Smile:

----------


## sabaii sabaii

Shockwave Player 

And if he reinstalls his browser, won't that sort it out

----------


## harrybarracuda

> Shockwave Player 
> 
> And if he reinstalls his browser, won't that sort it out


Does Revo uninstall Browser addons?

----------


## sabaii sabaii

I was thinking if he deleted his add ons first, then did a thorough uninstall and reinstall then he may be ok

I'm still using Aurora, had no problems whatsoever :Smile:

----------


## harrybarracuda

> I was thinking if he deleted his add ons first, then did a thorough uninstall and reinstall then he may be ok
> 
> I'm still using Aurora, had no problems whatsoever


My money is on a BHO.

----------


## tyme4a

I had same issue. The problem seemed to be a program on my pc called socialsay.  Don't know how it got there, but I deleted it and all seems fine now.

----------


## Neo

> I'm still thinking BHO's. One of mine is Skype, which replaces phone numbers in web pages with Skype call links.
> 
> Which is why I'd take a look at this or this


I ran the first one AVG in safe mode, it seemed to trip up for a while on the Mozilla files and then continued, but nothing detected. 




> I was thinking if he deleted his add ons first, then did a thorough uninstall and reinstall then he may be ok
> 
> I'm still using Aurora, had no problems whatsoever


I think I'll try removing Firefox and re-installing, won't get round to it until I come back in a few weeks. I can use Ccleaner to remove programs, it's very thorough. 

Just have to dust off the trusty old Dell and take that with me. Thanks again.

----------


## harrybarracuda

I'm using Aurora on both home and office PC's and it's such a vast improvement. Locked up a couple of times, but my PC's are fully loaded so that isn't a surprise.

Interesting that both socialstay and textsrv appear to be "legal" companies dealing in SMS marketing.

Do you have anything to do with that area of business?

----------


## Neo

textserv looks like a legal company.
textsrv is the one that's bugged my puter.

----------


## blue

I went back to ff 3.6
that Aurora , it would not let my Real player copy  youtube vids easily -which means I cannot get the mp3 off them .

i found the fastest, for me anyway  is -  opera next -

----------


## harrybarracuda

> textserv looks like a legal company.
> textsrv is the one that's bugged my puter.


Typo on my part.

It's a relatively new domain.

Domain Name: TEXTSRV.COM

Registrar: GODADDY.COM, INC.

Whois Server: whois.godaddy.com

Referral URL: Domain Names, Web Hosting and SSL Certificates - Go Daddy

Name Server: NS1.P02.DYNECT.NET

Name Server: NS2.P02.DYNECT.NET

Name Server: NS3.P02.DYNECT.NET

Name Server: NS4.P02.DYNECT.NET

Status: clientDeleteProhibited

Status: clientRenewProhibited

Status: clientTransferProhibited

Status: clientUpdateProhibited

Updated Date: 20-jun-2011

Creation Date: 20-jun-2011

Expiration Date: 20-jun-2012

----------


## harrybarracuda

> I went back to ff 3.6
> that Aurora , it would not let my Real player copy  youtube vids easily -which means I cannot get the mp3 off them .
> 
> i found the fastest, for me anyway  is -  opera next -


I was using videodownloadhelper - downloads and converts (although doesn't rip) - but it isn't supported in Aurora, which is no surprise.

----------


## Neo

It's gone! I uninstalled the flash extension, then uninstalled Firefox with all preferences, searched for other Mozilla files and removed them, then emptied the recycle bin. Rebooted and downloaded Firefox again, version 6 beta this time, installed the Flash plugin and it's gone. Hopefully for good.

I use this one mostly for browsing and movies through the TV, so that shouldn't put too much demand on the beta, just got it back to looking just the way I like it. 

Cheers Blue and cheers Harry, you were both a great help.  :smilie_clap:

----------


## harrybarracuda

> It's gone! I uninstalled the flash extension, then uninstalled Firefox with all preferences, searched for other Mozilla files and removed them, then emptied the recycle bin. Rebooted and downloaded Firefox again, version 6 beta this time, installed the Flash plugin and it's gone. Hopefully for good.
> 
> Cheers Blue and cheers Harry, you were both a great help.


Good to get hold of something relatively new. If you get any ideas where you might have got this "socialstay" program from, please post them.

----------


## sabaii sabaii

Real Player is shite blue

Facebook fan page

*Realplayer is a shitty peice of shit.*

*Basic Info*

Name: Realplayer is a shitty peice of shit.

Category: Internet & Technology - Software

Description: RealPlayer and its parent company Real Networks are pieces of shit whose sole purpose is to install bloatware on your PC that slows you down and annoys the shit out of you with useless messages about updates and offers.

Don't download this shit.

And don't tell me how to turn the annoyances off. It shouldn't be annoying in the first place, dick.

Yes, I spelled 'piece' wrong in the title but it was written in a fit OF RAGE.

Privacy type: Open: All content is public.

----------


## harrybarracuda

I must admit I don't bother with RealPlayer. MPCStar and VLC do a much better job.

----------


## sabaii sabaii

Urban Dictionary is not so nice in its definitions, of which there are many

Urban Dictionary: realplayer

And from Dirty Dog

https://teakdoor.com/computer-news/77...sive-shit.html (Real Player Intrusive Shit)

----------


## sabaii sabaii

This is the 3rd most popular download on cnet

It converts to mp3 and much more

YouTube Downloader - Free software downloads and software reviews - CNET Downloads


And works with Aurora

----------


## harrybarracuda

> This is the 3rd most popular download on cnet
> 
> It converts to mp3 and much more
> 
> YouTube Downloader - Free software downloads and software reviews - CNET Downloads
> 
> 
> And works with Aurora


Ta, I'll give it a shot.

Added: Or maybe not. I don't want a toolbar, or any other changes, and it doesn't let you turn them off.

Oh well.

----------


## blue

Guess that real player is not the king  its just that 
 its  now set up to go from youtube etc  to my ipod in about 4 clicks.

They always free youtube downloaders   on Giveaway of the day
must be less lazy and try one next time .

----------


## sabaii sabaii

> Added: Or maybe not. I don't want a toolbar, or any other changes, and it doesn't let you turn them off.


You can stop that, press cancel when you get to it and it will proceed but cancel the toolbar (sneaky I know). There's also a McAfee trial after that, which you just tick the box


I have it bloatware free

----------


## coonicker

Have you tried Sophos root kit? Sophos Anti-Rootkit scans, detects and removes any rootkit that is hidden on your computer using advanced rootkit detection technology. http://www.sophos.com/en-us/products...i-rootkit.aspx

I run this with Malwarebytes, Avast and Zone Alarm on my PC. On my Mac no problems ever. Reboot from genuine software be a good start.

----------


## tamsin

I unwittingly downloaded a trojan from a, ahem, competitor's site, notorious for its dodgy malware. Damn thing came in the form of a box containing the Windows shield logo demanding 59 quid before it would let me access anything. It was obviously Thai, good English, but not that good. I rebooted and did a full virus scan, took about an hour but got rid of the bastard.

Then had Avast Malicious url alerts on every Thai based website I visited, bar this one.

My gripe now is sodding Gmail. It times out before the log in box comes up, and that's in Chrome and IE too. My default is Firefox. And today, won't load Yahoo mail or shitty Hotmail. I mean, who uses Hotmail? Seriously? But even that crap client won't load. And don't get me started about Twitter. And yes, have Avast and run SP DAILY.

----------


## tamsin

> Real Player is shite blue
> 
> Facebook fan page
> 
> *Realplayer is a shitty peice of shit.*
> 
> ...



Agreed. VLC.

----------


## Bangyai

> Guess that real player is not the king its just that 
> its now set up to go from youtube etc to my ipod in about 4 clicks.
> 
> They always free youtube downloaders on Giveaway of the day
> must be less lazy and try one next time .


I use real player too and never had any problem with it. No pop ups no updates no offers....zilch . Maybe I accidentally installed it correctly ?

On a different note I spent most of Friday night and Saturday morning trying to hunt down and fix a nasty piece of Malware known as

Personal Protector.........   which poses as an anti virus program. In fact it's just a virus that fucks your computer and holds you to ransom trying to extort money from you to fix your computer.

Malware bytes and AVG were disabled by it so I had to scour the net looking for a fix. Plenty of advice out there but some of it out of date so you have to try all the fixes until you find one that works.

Got there in the end but it was a boring slog.

----------


## Neo

Winamp for music and internet streams, VLC for video.

----------


## harrybarracuda

> Personal Protector.........   which poses as an anti virus program. In fact it's just a virus that fucks your computer and holds you to ransom trying to extort money from you to fix your computer.
> 
> Malware bytes and AVG were disabled by it so I had to scour the net looking for a fix. Plenty of advice out there but some of it out of date so you have to try all the fixes until you find one that works.


Chicken and Egg and all that.... how did it get onto your PC past AVG in the first place?

Did you click "OK" on a pop up?

----------


## Bangyai

> Originally Posted by Bangyai
> 
> 
> Personal Protector......... which poses as an anti virus program. In fact it's just a virus that fucks your computer and holds you to ransom trying to extort money from you to fix your computer.
> 
> Malware bytes and AVG were disabled by it so I had to scour the net looking for a fix. Plenty of advice out there but some of it out of date so you have to try all the fixes until you find one that works.
> 
> 
> Chicken and Egg and all that.... how did it get onto your PC past AVG in the first place?
> ...


Good question to which I don't know the answer. I reckon I picked it up whilst looking at free online gaming sites and as you say, might have let it in myself.
A bit like a girl you pick up for a one night stand who you can't get to leave after breakfast.

Once I got the better of the situation I uninstalled AVG then reinstalled it but for some reason it would not install properly so I've switched to Avast. Also got Malwarebytes as there is no conflict between the two.

Still, it was a learning curve. During the hunt for the file containing the virus I had to go deep into a lot of files and was surprised at the amount of detritus still lying about from stuff I thought I'd deleted ages ago that CCleaner etc had missed. I manually deleted a lot of dead or dormant files and folders and things have never been better ........  touch wood  ( conveniently above my temple )  :Smile:

----------


## Jesus Jones

Neo.. Did u sort your comp out?  Sounds the same problem i'm having on my samsung netbook.

----------


## Sailing into trouble

I use a Mac now so I don't have to worry much, yet. However my Mrs's laptop is so heavily infected the only thing that will keep the bugs down on that is a liberal spraying of garden Raid!

----------


## Neo

> Neo.. Did u sort your comp out?  Sounds the same problem i'm having on my samsung netbook.


Yes take a look at post #59. Switch off all the Firefox plug ins (alt>tools>add ons) then turn them on one by one to find out which one has the virus, take note of the plug in and version (if that is the problem), disable/uninstall it, uninstall Firefox, delete all Mozilla program folders and *clear the recycle bin* (I use CCleaner for that and clear Mozilla cookies, temp files etc with it). Reboot, dust off Windows, reinstall FF latest version and you should be good to go. A lot of hassle, as you have to set up your browser again, but it was the only way I could get rid of it.

----------

