Stuck in Adware Hall of Mirrors, Please Help
January 10, 2010 6:47 PM Subscribe
Another malware/adware problem - and this one is blocking me from getting to sites that might help.
Last night I stupidly clicked on a short-url video link in a Facebook email. I know, I know, but it was from a friend who just had a baby and I made the assumption it was a video of her and the baby, which I wanted to see. I no longer have the URL, having deleted the email as fast as I could.
Evidently not fast enough. Today I have a redirect problem, and also some popups.
I'm running FF 3.5.7 and Windows XP with Service Pack 3 on a five-year-old Dell Pentium 4.
I have Malwarebytes and have run it - it found several things but did not eliminate the problem. My last Malwarebytes update is from August 2009, though. And when I try to check for new updates, I get an error message that it could not check.
When I try to go to the website for malwarebytes for updates, my browser is redirected.
The same is true for any other spyware/malware/adware site I know of. The browser redirects to either an ad site, a FF block page, or a different site that is ostensibly selling adware protection, though not the one I was trying to access and certainly not one I trust.
So I feel stuck. I'm not sure how to get around the redirecting to get the updates I'm sure I need. I tried in IE too, and it acts the same way.
Thanks in advance for any help you can offer. Ugh.
Last night I stupidly clicked on a short-url video link in a Facebook email. I know, I know, but it was from a friend who just had a baby and I made the assumption it was a video of her and the baby, which I wanted to see. I no longer have the URL, having deleted the email as fast as I could.
Evidently not fast enough. Today I have a redirect problem, and also some popups.
I'm running FF 3.5.7 and Windows XP with Service Pack 3 on a five-year-old Dell Pentium 4.
I have Malwarebytes and have run it - it found several things but did not eliminate the problem. My last Malwarebytes update is from August 2009, though. And when I try to check for new updates, I get an error message that it could not check.
When I try to go to the website for malwarebytes for updates, my browser is redirected.
The same is true for any other spyware/malware/adware site I know of. The browser redirects to either an ad site, a FF block page, or a different site that is ostensibly selling adware protection, though not the one I was trying to access and certainly not one I trust.
So I feel stuck. I'm not sure how to get around the redirecting to get the updates I'm sure I need. I tried in IE too, and it acts the same way.
Thanks in advance for any help you can offer. Ugh.
Well, I can't claim to have direct knowledge of how malware redirects work, but I'd think it'd have to be done with the hosts file - that seems like the ony way IE and FF would be affected similarly.
Open up the file: C:\Windows\System32\drivers\etc\hosts and see if malwarebytes.org appears anywhere in the list of sites. If it''s there, delete that entire line and save the file, and then try using FF to open malwarebytes.org again.
In fact, the hosts file should be pretty empty by default. If there's a long list of sites you trust there, then something weird has happened.
posted by koeselitz at 7:02 PM on January 10, 2010
Open up the file: C:\Windows\System32\drivers\etc\hosts and see if malwarebytes.org appears anywhere in the list of sites. If it''s there, delete that entire line and save the file, and then try using FF to open malwarebytes.org again.
In fact, the hosts file should be pretty empty by default. If there's a long list of sites you trust there, then something weird has happened.
posted by koeselitz at 7:02 PM on January 10, 2010
You should probably just do what filthy light thief suggested - that seems like the safest route. No need to go poking around unless it's absolutely necessary.
posted by koeselitz at 7:03 PM on January 10, 2010
posted by koeselitz at 7:03 PM on January 10, 2010
Also, you can search through other search engines, if google searches are rerouted.
posted by filthy light thief at 7:07 PM on January 10, 2010
posted by filthy light thief at 7:07 PM on January 10, 2010
Response by poster: OK. I'll first try other search engines, since so far I have only been Google searching.
If it's helpful, the redirect generally points to: c.ppcxml.net
Thanks for the help so far...
posted by Miko at 7:12 PM on January 10, 2010
If it's helpful, the redirect generally points to: c.ppcxml.net
Thanks for the help so far...
posted by Miko at 7:12 PM on January 10, 2010
Response by poster: OK - I managed to use Bing and get to CNet to dl a new version of MBAM. Thanks. Will check in after the scan is complete.
posted by Miko at 7:35 PM on January 10, 2010
posted by Miko at 7:35 PM on January 10, 2010
Here is some information I got by googling c.ppcxml.net:
c.ppcxml.net is an reported attack site. Firefox does not recommend
you visit there
See Troubleshooting extensions and themes to remove the extension
Fri 01 of Jan, 2010 19:05 PST #
Steve
Firefox user
It's not fixed. Safe mode stops it..but how do I identify what the
problem APP is?
Fri 01 of Jan, 2010 21:59 PST #
Firefox4life78
48 posts
If safe mode stops the problem, you can troubleshoot which extension
or plug in is causing the problem. Go to the Test for faulty extension
and Disable all extensions at Troubleshooting extensions and themes .
Make sure you follow all the steps with the two parts.
posted by Obscure Reference at 7:39 PM on January 10, 2010
c.ppcxml.net is an reported attack site. Firefox does not recommend
you visit there
See Troubleshooting extensions and themes to remove the extension
Fri 01 of Jan, 2010 19:05 PST #
Steve
Firefox user
It's not fixed. Safe mode stops it..but how do I identify what the
problem APP is?
Fri 01 of Jan, 2010 21:59 PST #
Firefox4life78
48 posts
If safe mode stops the problem, you can troubleshoot which extension
or plug in is causing the problem. Go to the Test for faulty extension
and Disable all extensions at Troubleshooting extensions and themes .
Make sure you follow all the steps with the two parts.
posted by Obscure Reference at 7:39 PM on January 10, 2010
If you can't download an up-to-date copy of MalwareBytes, you could try and get a copy of SuperAntiSpyWare. I'd use Firefox to try and download something like Google's Chrome browser, and then see if you couldn't use that to download it?
posted by PeterMcDermott at 7:49 PM on January 10, 2010
posted by PeterMcDermott at 7:49 PM on January 10, 2010
Oops. Too late. I bet MalwareBytes fixes it though. It's never failed me yet.
posted by PeterMcDermott at 7:51 PM on January 10, 2010
posted by PeterMcDermott at 7:51 PM on January 10, 2010
Even though Malwarebytes will probably fix your immediate problems, you might have some nasty infection lurking deeper in your hard drive.
I would recomend going to a forum that specialized in analyzing Hijackthis logs. The people at Bleepingcomputer.com were incrediably helpful and patient last time I had an infection. They will take you through a complete malware removal process that is much more intensive than one scan from any anti virus software.
posted by afu at 2:02 AM on January 11, 2010
I would recomend going to a forum that specialized in analyzing Hijackthis logs. The people at Bleepingcomputer.com were incrediably helpful and patient last time I had an infection. They will take you through a complete malware removal process that is much more intensive than one scan from any anti virus software.
posted by afu at 2:02 AM on January 11, 2010
Probably a stupid question, but, have you tried a system restore to a pre-infection date?
posted by mreleganza at 3:11 AM on January 11, 2010
posted by mreleganza at 3:11 AM on January 11, 2010
mreleganza: He's on Windows XP. To the best of my knowledge, there's no such thing as a system restore for Windows XP. Maybe I'm wrong.
posted by koeselitz at 3:58 AM on January 11, 2010
posted by koeselitz at 3:58 AM on January 11, 2010
XP has system restore and checkpointing.
The solution, in the short run, is to figure out which firefox extensions you need to get rid of and do so. Then, at least, you have a functioning browser to seek more help elsewhere.
posted by Obscure Reference at 5:05 AM on January 11, 2010
The solution, in the short run, is to figure out which firefox extensions you need to get rid of and do so. Then, at least, you have a functioning browser to seek more help elsewhere.
posted by Obscure Reference at 5:05 AM on January 11, 2010
The best and most exciting new infections will spread to your restore points, usually quietly. Very thrilling stuff.
Normally I wipe these things out with a combination whammy of Bit Defender Live Rescue Disc, Kaspersky Rescue Disc, a portable version of malware bytes and/or spybot, and sometimes revo to clear the startup entries.
The trick is that MOST of the exciting new breeds of infections will "call home" upon every clean boot, downloading new versions of themselves and/or morphing their locations each boot. (ergo you may clear it with a bootable live disc only to reinfect upon reboot because the AV software doesn't clear it from startup...)
posted by TomMelee at 5:44 AM on January 11, 2010
Normally I wipe these things out with a combination whammy of Bit Defender Live Rescue Disc, Kaspersky Rescue Disc, a portable version of malware bytes and/or spybot, and sometimes revo to clear the startup entries.
The trick is that MOST of the exciting new breeds of infections will "call home" upon every clean boot, downloading new versions of themselves and/or morphing their locations each boot. (ergo you may clear it with a bootable live disc only to reinfect upon reboot because the AV software doesn't clear it from startup...)
posted by TomMelee at 5:44 AM on January 11, 2010
Response by poster: Thanks to all for your help. Much to my relief, I guess I don't have one of the exciting new infections. A friend gave me a linkless link to MBAM, which helped me get the latest version, which seems to have wiped out this more garden-variety infestation. Thanks for the brainstorming and help, though!
posted by Miko at 8:13 PM on January 11, 2010
posted by Miko at 8:13 PM on January 11, 2010
This thread is closed to new comments.
posted by filthy light thief at 7:02 PM on January 10, 2010