Unusual Subject

Posted by Anonymous User
March 01, 2010 09:34AM
This message will be of more interest to those users who download a lot. I recently found that something downloaded placed an item in my boot file that caused the computer to make a HelpAssistant User account in XP Pro. Although I always run virus protection and PeerBlock, neither one can detect it or recognize that it is there. Even Malwarebytes will not detect it. If you look in your Documents and Settings folder in the Users folder and find a HelpAssistant User that you did not create, get ready for havoc, because this thing will fill the drive in no time.

Solution: Right click My Computer and select Manage. Open the Users folder listed on the left side and on the list of users right click on the HelpAssistant account and select Delete. Then put your XP CD in the drive and reboot; when it loads select R to open the console, and when the console opens at the prompt, which should say C:\WINDOWS>, type fixmbr. Although it will give you a long list of bad things that may happen, in my case I chose Y for yes to fix it anyway. Then it immediately tells you it fixed it. Now, you may or may not receive that long list of bad things that could happen; I receive them because I run two operating systems on the same drive. If you do the same then you will have to first select the drive that contains the XP Operating System (OS).

Ok, the reason I posted this is because there are very few, if any, programs designed to stop this thing from entering a boot file. But I did notice that when it inserts itself, a Baltimore Technologies IP will start hitting PeerBlock, and when it is removed you will not see them listed again unless you download something they have attached this thing to. I hope this may help someone else, because the first time I got it I spent days before finding what the problem was.
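One way to check a machine for the symptom described in this post, as an added example that is not from the post or from the PeerBlock project: it parses the output of `net user HelpAssistant` and a table of profile folder sizes (both sample inputs below are constructed) and flags an enabled HelpAssistant account, an oversized HelpAssistant profile, or any profile folder you did not create. The size threshold and the set of accounts you created are assumptions you supply; HelpAssistant itself is a built-in XP Remote Assistance account, so its mere presence is not a finding.

```python
import os
import re

# Profile folders XP creates on its own; anything else should be explained.
XP_DEFAULT_PROFILES = {"Administrator", "All Users", "Default User",
                       "LocalService", "NetworkService", "HelpAssistant"}
# Assumed threshold: a Remote Assistance account should not own this much data.
SUSPICIOUS_BYTES = 50 * 2**20

# Constructed sample of "net user HelpAssistant" output on an affected box.
SAMPLE_NET_USER = """\
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Account active               Yes
The command completed successfully.
"""
# Constructed sample of profile folder sizes in bytes (see profile_sizes()).
SAMPLE_SIZES = {"Administrator": 120 * 2**20, "All Users": 30 * 2**20,
                "Default User": 2 * 2**20, "HelpAssistant": 900 * 2**20,
                "alice": 4 * 2**30, "svc_tmp": 1 * 2**20}

def parse_net_user(text):
    """Parse 'net user <name>' output (label, 2+ spaces, value) into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(\S(?:.*?\S)?)\s{2,}(\S.*)$", line.rstrip())
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info

def profile_sizes(root):
    """Bytes under each folder directly below root (Documents and Settings)."""
    return {name: sum(os.path.getsize(os.path.join(d, f))
                      for d, _, files in os.walk(os.path.join(root, name))
                      for f in files)
            for name in os.listdir(root)}

def audit(net_user_text, sizes, my_accounts):
    """Findings: enabled HelpAssistant, oversized profile, unknown folders."""
    findings = []
    acct = parse_net_user(net_user_text)
    if acct.get("Account active", "").lower().startswith("yes"):
        findings.append("HelpAssistant is enabled (XP ships it disabled)")
    ha = sizes.get("HelpAssistant", 0)
    if ha > SUSPICIOUS_BYTES:
        findings.append("HelpAssistant profile holds %d MB" % (ha // 2**20))
    for name in sorted(sizes):
        if name not in XP_DEFAULT_PROFILES and name not in my_accounts:
            findings.append("unexpected profile folder: %s" % name)
    return findings
```

On a real box, call `audit(open("netuser.txt").read(), profile_sizes(r"C:\Documents and Settings"), {"your", "accounts"})`; note that `profile_sizes()` does not catch errors from locked files, so run it as an administrator.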
Re: Unusual Subject
March 01, 2010 07:02PM
No prob.. Thanks for the heads up.
Anonymous User
Re: Unusual Subject
March 13, 2010 04:52PM
As I tried to install PeerBlock (PB), my PeerGuardian (PG) told me that PB is trying to connect to "Baltimore Technologies".

Then I googled and found some users getting hit by Baltimore Technologies and some other companies.
They all claimed to be using PB.

So I'm wondering why PB is trying to connect to Baltimore Technologies when I'm going to install it.

Edited 1 time(s). Last edit at 03/13/2010 04:52PM by christo27.
Re: Unusual Subject
March 14, 2010 11:53AM
PeerBlock does not connect to anywhere when installing.
Re: Unusual Subject
March 14, 2010 02:09PM
Are you saying ANOTHER HelpAssistant user? 'Cause there is one by default in XP already.

This is my Signature!
Re: Unusual Subject
March 14, 2010 06:25PM
"As I tried to install PeerBlock (PB), my PeerGuardian (PG) told me that PB"

I hope this doesn't mean you were trying to install PB while you still had PG running. You can only have one or the other: if you want PB then you can't have PG, and vice versa. If you did install PB while you had PG, then I'd suggest you uninstall them both, then reinstall PB so as to get a clean install. Make sure to restart your computer prior to reinstalling PB so as to kill any and all PG processes; these two processes conflict with one another. I believe all of this information is contained in our "FAQ".

Life is like a box of chocolates................................umm chocolate, yummy

Edited 1 time(s). Last edit at 03/14/2010 06:26PM by brandonjm8.
Anonymous User
Re: Unusual Subject
March 15, 2010 09:10PM
I know about the fact of not having both programs installed.
But it seemed curious to me that PeerGuardian told me PeerBlock is trying to contact someone.

Or is PeerBlock just performing something like a check?
Re: Unusual Subject
March 15, 2010 11:28PM
christo27 Wrote:
-------------------------------------------------------
> but it seemed curious to me that peerguardian told
> me peerblock is tryin to contact someone.

What exactly do you mean by this statement? If you don't have PG anymore, then how is it telling you anything? Do you mean the Phoenix Labs website that maintained PG?

The only contact made on PB's behalf is to this website for version updates and updates for your lists; those could be from Bluetack or iblocklist.com. PB won't contact anybody else, ever; if it is, then it appears something's gotten corrupted.

Life is like a box of chocolates................................umm chocolate, yummy
Anonymous User
Re: Unusual Subject
April 19, 2010 02:13PM
RE christo27/brandonjm8
Leave the user 'stupidity' issue out of this for a moment:

Okay, so the poster had PG2 still installed and running whilst downloading and then installing PB.

During the install, the user happened to notice in the open and running PG2 screen that PB was connecting to BTI.

User wants to know why, despite comments about not using the two together, PB was listed in PG2 as connecting to BTI.

Bottom line: is this an error, or was it actually connecting to the specified site for some reason?

-------------------------------------------------------

OP: Sounds like an MBR attack.
Just to elaborate on this, the common source for this is a fake AV.
DO NOT EVER SCAN FOR VIRUSES ON A WEB SITE.
Do not click on any message at all, EVER, that says a web page FOUND a virus.
The X and cancel keys both reload the message.
Those pop-ups that state you're infected and tell you to scan: the OK will download and automatically set up a pre-launch install of the fake AV. You can't get rid of it without an MBR rebuild.

Quick way to save yourself if you come across this:
Hit CTRL+SHIFT+ESC.
On the Processes tab, right click on your web browser and click End Process Tree.
On reload of your browser, choose to NOT restore a previous session if it offers.
Download and run CCleaner. Remove ALL (sorry, that's life) files from your web browser from the program's cleaning menu. That will dump the cache, history, and any possible related file you may have where that bugger could be hiding.

If you already have the virus and can't get rid of it the way the poster states, or it keeps coming back, try heading over to the forums page of HijackThis. There are many specific listings of how to use HJT to remove the auto-reload of the installer and kill this thing off.

If all else fails:
You have a hardware infection: one that attacked the drive controller (that green board on the bottom of your drive).

You'll need to use a special program such as GParted that supports some low-level options and zap out 100% of the disk, plus some controller reflashes. Call a professional (use a local guy, not a big-boxer); they may even be able to safely save some stuff for you, and they are a little more 'quiet' as to what they find, for those of you who are naughty.
Anonymous User
Re: Unusual Subject
May 06, 2010 06:25PM
lostinlodos, wow, you got it.

> Okay, so the poster had PG2 still installed and running whilst downloading and then installing PB.
>
> During the install, the user happened to notice in the open and running PG2 screen that PB was connecting to BTI.
>
> User wants to know why, despite comments about not using the two together, PB was listed in PG2 as connecting to BTI.

I was getting afraid of no one understanding me ....
Re: Unusual Subject
May 07, 2010 09:21AM
christo27 Wrote:
-------------------------------------------------------
> During the install, the user happened to notice in
> the open and running PG2 screen that PB was
> connecting to BTI
>
> User wants to know why, despite comments of not
> using things together, PB was listed in PG2 as
> connecting to BTI.

I'm afraid I can't reproduce this issue.  Running TCPView during PeerBlock install, I don't see the Installer attempting to access any IP addresses whatsoever.  And as for PeerBlock itself, all I can see on its first run is it contacting our PeerBlock server to check for updates, contacting iblocklist.com to acquire a list-update mirror-server, then contacting whichever mirror-server it was pointed towards.  This is with the latest Beta (r335) installer on Win7 x64, though I don't know of anything in this space that we'd be doing differently on XP or in previous versions.

Can you reproduce this issue?  If so, could you give step-by-step instructions so that we can attempt to do so as well?  Also, a screenshot or history export showing the block could be handy...

Thanks,

        ---  Mark  ---

Lead developer of PeerBlock
Anonymous User
Re: Unusual Subject
May 14, 2010 04:56PM
EDIT:
Update on BTech. I figured it out using a combination of Google Cache and Way-Back. BTech DID/WAS host to P2P and Adware listings for a VERY brief period. Could be that you had mirrored list links, rather than direct links!? Bottom line, they're P2P friendly.


Sorry for the delay in getting back, I can't reproduce it either (using a v-machine and screwing the install in every way I can think of).

Sorry I can't be of help. christo27: Can you dump your history to a file and post it? That may be helpful. All I can say about Baltimore Technologies is that they're a security firm, and they can't keep an owner for very long. My guess is that some list you have was temporarily held by them, or one of the list defaulters was served by them at that point in time.

I see nothing to worry about in any logs about them anywhere in regard to privacy or security in any aspect.

Edited 1 time(s). Last edit at 05/21/2010 03:57PM by lostinlodos.