Post by John Jones
OK I have had a bad day, my apologies.
My problems began when my W7 HP 64bit Samsung 2011 laptop seized up.
I managed to see that the culprits were a) Skype (which I don't use)
taking 50% of my CPU, and b) Firefox which had 262 Gb of my RAM up its
back.
So I kill -2'd firefox.
Which really screwed things up.
Every time I launched the beast it fouled my entire computer.
So I have now uninstalled it and migrated to google chrome, which I don't
like.
Would it be safe to re-install Firefox, although it does seem to have
become bloatware?
Do you think it likely that the registry or system is somehow corrupted?
Really odd things were happening including not being able to launch
control panel, all the icons being blank, windows explorer falling over,
and a white screen of death. Even the bog-this button took a long time
to stop the works.
And I know this is a FAQ but there really seem to be very few trusty
browsers out there these days - what is the word on the street? Do I
have to go MS? (you do need a back-up, do you not - lack of internet is a
kind of asphyxiation).
Cheers
JJ
Here is a Skype URI exploit.
https://www.exploit-db.com/exploits/11694
How that works, is you visit a webpage with Firefox,
and the webpage has the equivalent of skype://somebody
and the URI "somebody" and all the parameters on that
line, are sent to Skype. Skype is supposed to "vet" the
command and filter off things which might be an exploit.
If you're not using Skype, and have no plans for Skype,
you would uninstall it, so it will no longer intercept
"Skype:" and "Skype-Plugin" calls.
That's potentially part of your problem.
*******
The problem with antivirus scanners, is they don't trigger
on every possible kind of "bad behavior". If you scanned
the machine right now, you might not find a thing.
However, if you reinstalled Firefox, you'd want to make
sure the previous copy of Firefox is uninstalled first.
*Then*, look for "profiles.ini" and get the profile name
(ABCD1234.default or similar). The profile name is randomly
generated at install time, so I cannot tell you what your
profile folder name looks like. Both Firefox and Thunderbird
use similar profiles.ini files - make sure you're reading
the one for Firefox. The profile folder is right below
that file.
There are *two* profile folders with that same name. One
is larger than the other. Both could be removed as part of
your cleaning.
*******
If, whatever attacked your machine left a "tag team partner"
in the machine, it could be a Startup Item, a scheduled task,
or similar. This is additional work to uninstall.
You could start with an on-demand Malwarebytes scan. They
have a paid and a trial version of "real time protector"
which is overkill, and they'd really like to sell you a
copy. The trick then, is getting the on-demand scanner,
and not getting the trial one (tricked into a commercial
solicitation).
It's possible that Malwarebytes might pick it up, as Malwarebytes
is not a "standard AV". It has a tiny bit of heuristic
detection, looking for hooked subsystems.
*******
Maybe there's nothing on your machine, and I'm being a looney
at your expense.
What bothers me about your report, is both Firefox and Skype
being "busy busy" at the same time, and especially, when you
"don't use Skype". These are bad symptoms to me.
Microsoft offers an offline scanner now. Kaspersky has one.
Bitdefender has one. But the problem with these, is what
they choose to flag and what they treat as "grayware".
My batting average on these things is pretty poor, and
if you want real cleaning help, there are forums like
Bleepingcomputer, where they give you a series of
scanning tasks to perform. (Things like HijackThis
or equivalent.) They can then craft custom cleaning
scripts to be fed to a second tool, and that removes
the "pointy bits" of an exploit. But may leave residues
in the Registry that "trigger" an AV to display
a notification, but don't necessarily mean a pest
is still present.
So yeah, you could have a project on your hands. I'm not
good enough at this stuff to tell you how bad the
situation is. (As long as the extensions on files
are not changing by themselves [Ransomware], you'll
likely be OK.) The only style of malware that is
really deadly, is Sality, which cannot be repaired
by the staff at Bleepingcomputer, as it does too much
damage. Most pests are reversible, because they're
intended for commercial gain via click-fraud or similar
and the computer needs to be in a runnable state for
them to make money.
*******
Do your best to clean the machine, before reinstalling Firefox.
If you have no plans to use Skype, remove it. Or at least
upgrade to a version that has the security issue fixed.
Ideally, there's no excuse for accepting URIs at all,
those calls simply should not be possible. This is
called an "attack surface" when moron companies do this.
It's adding a feature that can *only* have negative consequences,
as has just been demonstrated on your computer. It's just
as clever as adding javascript to PDF files (requiring the
user to disable javascript usage in their PDF reader).
Paul
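The profiles.ini lookup Paul describes (read the file, take the profile folder name, then find the two same-named folders to remove), as an added example that is not part of the thread. The sample profiles.ini text and the paths are constructed; the Roaming/Local split is the usual Windows layout, where the Local copy holds the cache and is normally the larger one.

```python
import configparser
import os
from pathlib import PureWindowsPath

# Constructed sample of a Windows Firefox profiles.ini (not from the post).
# Profile0 uses a relative Path, Profile1 an absolute one.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=old
IsRelative=0
Path=D:\\FirefoxProfiles\\zzzz9999.old
"""

def list_profiles(ini_text, roaming_dir, local_dir):
    """One dict per [ProfileN] section: the random folder name, whether it
    is the default, the profile folder under Roaming and the same-named
    cache folder under Local (only relative profiles have one)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    found = []
    for section in cfg.sections():
        if not section.startswith("Profile"):
            continue
        sec = cfg[section]
        path = sec.get("Path", "")
        if not path:
            continue
        if sec.get("IsRelative", "1") == "1":
            # Relative Path values are relative to the folder holding profiles.ini
            profile_dir = PureWindowsPath(roaming_dir) / PureWindowsPath(path)
            cache_dir = PureWindowsPath(local_dir) / PureWindowsPath(path)
        else:
            profile_dir = PureWindowsPath(path)
            cache_dir = None
        found.append({
            "name": sec.get("Name", section),
            "folder": profile_dir.name,
            "is_default": sec.get("Default", "0") == "1",
            "profile_dir": str(profile_dir),
            "cache_dir": str(cache_dir) if cache_dir else None,
        })
    return found

def windows_locations():
    """Where Firefox keeps profiles.ini (Roaming) and the cache tree (Local) on Windows 7."""
    appdata = os.environ.get("APPDATA", r"C:\Users\<you>\AppData\Roaming")
    localappdata = os.environ.get("LOCALAPPDATA", r"C:\Users\<you>\AppData\Local")
    return (appdata + r"\Mozilla\Firefox", localappdata + r"\Mozilla\Firefox")

if __name__ == "__main__":
    roaming, local = windows_locations()
    for profile in list_profiles(SAMPLE_PROFILES_INI, roaming, local):
        print(profile)
```

On a real machine, replace SAMPLE_PROFILES_INI with the contents of profiles.ini from the Roaming folder and check you are reading Firefox's copy, not Thunderbird's.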