What could this be ???
Hello every one =D
While in my university today It happened that a friend surfed the web on my laptop using IE, and I usually use firefox. I'm not sure what exactly happened (before that the browser was okay), minutes after I got back to my laptop, opened firefox and got a sum of firefox browsers open, each with almost 20 tabs; one of the tabs had some thing like a directory with many files listed... That was like crazy
Never mind, I rebooted, installed AVG in safe mode, then booted back into normal mode. Scan resulted in a Trojan horse and few tracking cookies (theoretically AVG cleaned those for me).
Still the problem resumed...when ever I open ff many browsers open !
My next step was to uninstall ff then install it again... still had the same problem.
Finally I decided to resort to process explorer, it is a powerful diagnostic tool, but I'm still discovering all the information that it shows. I managed to locate a process that I suspected its presence in the list "svchost.exe" which is located in system32 folder. To my surprise this was the first time I see all these in there, and the files where the same that I saw in one of the tabs
My first reaction was to delete the whole file, but keeping in mind system32 folder is a windows system folder, I don't want to screw things up on my device. So I deleted an empty folder in the list having the name "DRVSTORE" actually the color of the name (blue) attracted my attention and the fact that its empty.
Right now the issue resolved... but my question is:
What happened ?
Should I do a clean up for system32 ? What files do I delete ?
Do you think AVG free edition is sufficient to block such "thing" ?
Does any one recommend a better free antivirus ?
Sorry for the loooong post and thanks for your replies ^^
mahmoud_shihab@hotmail.com
Lundis wrote:
Are you sure that your friend didn't edit your firefox shortcut to launch a script which in turn starts firefox? Check the shortcut (right-click - properties) or try starting firefox.exe from the firefox directory.

I'm sure what my friend did was only surfing the web using IE, not more.
Now firefox is working normally, I open the browser, nothing weird is happening.
mahmoud_shihab@hotmail.com
ph0bYx wrote:
Have you checked the startup services via msconfig?
And who needs AVs these days anyway, it's much more fun to do it manually. But if you don't like to do it manually or don't have time for it or whatever, try system restore, it might work.

yeah I know fixing this manually is cooler than using an aid, but I'm keeping the AV for reasons like if suspecting something I can scan it.
as for msconfig, I go to the services tab and hide all Microsoft services. I'm familiar with all the running services (or at least they don't look weird to me) except for one service named pinger. In system32 folder there is an application named PING, but I can't find any relation between these two
mahmoud_shihab@hotmail.com
When using process explorer - right click on the process that interest you, and check out properties. In properties - check out the "threads" tab, you can see the components used by that process, then click on the button for Stack, this shows the componets used by that specific component in the stack. You can click on module, and that shows the path to that component.
You know that say, ping.exe is supposed to be in a certain directory right? So when you check out the components and the components inside the components - you are manually inspecting the process - as a AVP would. The basic rules of checking for file behavior, file location, and who called the process or its components - are being checked by you, instead of automated by a AVP.
Use both, process explorer and your exploration, and a AVP - this is where you can learn.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
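The two manual rules DNR describes (is the image where it belongs, and who called it) applied to a constructed process listing, as an added Python example that is not from the thread; the expected-directory and expected-parent tables are assumptions for illustration and deliberately incomplete.

```python
"""Apply the file-location and who-called-it checks from the thread to a
process listing of the kind you read off Process Explorer's Properties
dialog. The listing below is constructed for this example."""
import ntpath  # Windows path rules, so this also runs on non-Windows hosts

# Rule 1: well-known Windows binaries should live under System32.
# Assumption for this example: this table is hypothetical and incomplete.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARIES = {"svchost.exe", "ping.exe", "services.exe"}

# Rule 2: some system binaries have one legitimate parent ("who called it").
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# A browser started by a script host matches Lundis's edited-shortcut scenario.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
BROWSERS = {"firefox.exe", "iexplore.exe"}


def inspect_processes(procs):
    """procs: list of dicts with pid, ppid, name, path.
    Returns (pid, name, reason) tuples; an empty list means nothing stood out."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        directory = ntpath.dirname(p["path"]).lower()
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        if name in SYSTEM_BINARIES and directory != SYSTEM32:
            findings.append((p["pid"], name, f"system binary outside System32: {p['path']}"))
        if name in EXPECTED_PARENT and parent_name != EXPECTED_PARENT[name]:
            findings.append((p["pid"], name, f"unexpected parent: {parent_name}"))
        if name in BROWSERS and parent_name in SCRIPT_HOSTS:
            findings.append((p["pid"], name, f"launched by script host {parent_name}"))
    return findings


# Constructed listing: a clean svchost, a second svchost.exe sitting in a temp
# directory with the wrong parent, and firefox started by wscript.
SAMPLE = [
    {"pid": 4, "ppid": 0, "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 10, "ppid": 4, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 20, "ppid": 30, "name": "svchost.exe", "path": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    {"pid": 30, "ppid": 0, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 40, "ppid": 30, "name": "wscript.exe", "path": r"C:\Windows\System32\wscript.exe"},
    {"pid": 50, "ppid": 40, "name": "firefox.exe", "path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for pid, name, reason in inspect_processes(SAMPLE):
        print(f"PID {pid} {name}: {reason}")
```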
Thanks for the reply DNR =)
The same thing happened with me today in university, firefox opens many tabs, and I can't control it
the link in the tabs is as follows:
http://xn--a {tmv-rwa2gvfxanl9kfm7d9a325g/
I get a window that says: "can't open URL"
I realized one thing, that the files and folders in system32 can't be deleted.
what can I do about this ?
mahmoud_shihab@hotmail.com
bozotheclown138 (Posts: 172, Joined: 07 Feb 2009):

moudy wrote:
Thanks for the reply DNR =)
The same thing happened with me today in university, firefox opens many tabs, and I can't control it
the link in the tabs is as follows:
http://xn--a {tmv-rwa2gvfxanl9kfm7d9a325g/
I get a window that says: "can't open URL"
I realized one thing, that the files and folders in system32 can't be deleted.
what can I do about this ?

well run a live cd and load windows hives and manually delete them since you're not running any files on windows, like one man here told me ERD commander 2005, also AVG is eh. avira is what i would consider the best mainly because i like playing with backdoored or suspected backdoored files on my test computer and that's my failsafe if i can't find the backdoor, and malwarebytes is a good quick scan. but avira is what i consider best AV and if you're willing to pay KAV or KIS is also very good/NOD32
I think you are infected with adware so it opens ads in your internet browser.
I recommend cleaning your computer with SpyBot Search and Destroy, it is a free program, I have used it many times, it is powerful and checks cookies and infected registry keys.
my advice is not using IE, unless it is the latest updated version, also update it for newest patches.
IE6, IE7 are already dead and exploitable, you can be easily infected or owned by remote code execution exploits by using old IE
official website
http://www.safer-networking.org/index2.html
thanks for the reply fellas
I will try booting up using a live distro first, then i will resort to spybot search software.
I want to know how safe it is to delete files and folders from system32 folder, and how can i know what files are needed by the system, and what are not ?
mahmoud_shihab@hotmail.com
bozotheclown138 (Posts: 172, Joined: 07 Feb 2009):

DNR wrote:
radar is right on - adware infection and spybot S&D sounds good.
I use IE 8
DNR

just out of curiosity why IE8 DNR? i thought you'd be a firefox guy, and moudy in the system32 file i personally would just google anything that looks suspicious and just scan that file with a good AV, easy enough ya know?
bozotheclown138 wrote:
DNR wrote:
radar is right on - adware infection and spybot S&D sounds good.
I use IE 8
DNR
just out of curiosity why IE8 DNR? i thought you'd be a firefox guy, and moudy in the system32 file i personally would just google anything that looks suspicious and just scan that file with a good AV, easy enough ya know?

well actually the whole files look suspicious to me
mahmoud_shihab@hotmail.com
well besides having lived off the riches of stock in Bill Gates' company, I guess it was an old school teaching that you had to learn the software that most of your customers use.
While I do appreciate the eliteness of running all open source software, most of the problems customers pay you to fix are related to Windows and its applications. You can talk all day about how linux is so neat - but your customer doesn't fucking care - he wants his windows to work.
And BTW this is not a slam on MS software or OS, the problems are 95% caused by the user, not the software. So far in my life, I have had to tailor my studies and certs to what the company runs, Novell, Win98/XP, Solaris 4/5, IE 5.5,6,7 (no one using IE8 yet!) Cisco, EMC, Sun, juniper - I guess it's motivated by money.
One problem with an infected computer - it can no longer be trusted - even after you 'cleaned' it. Protocol dictates a format and clean install.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.