Mozilla & LowerMyBills browser hijacking help

Discussion in 'Firefox' started by ringo, Dec 11, 2004.

  1. ringo

    ringo Guest

    On 12/2/04 I was still an IE user. I clicked on a link in a newsgroup to go
    to a website that just hit me with all kinds of popups. I had no firewall,
    popup blocker, nothing.

    It installed all kinds of crap, in my registry, startup, etc.

    It took 6+ hours that night plus some more over the weekend to get rid of it
    all.

    I used 4 different programs: Ad-Aware, Spybot Search & Destroy, Bazooka,
    Browser Hijack Recover (BHR), plus my own Startup deleting and file
    deleting.

    The last one (BHR) got rid of my remaining visible IE problems. That being
    each webpage I go to being loaded 2x and when I did a Google or Yahoo search
    I would also get a new IE window of some other search engine.

    Now I have a problem I do not have on IE or an older pc I have that I
    loaded Mozilla to see if it happens on that pc (it doesn't).

    My remaining problem is when in Mozilla I go to my Yahoo mail and open
    messages it brings up a new window of the site lowermybills.com (only this
    site NO others).

    Some URL examples are as follows:
    https://www.lowermybills.com/servlet/LMBServlet?the_action=NavigateHomeLoansAppFirstStep&test_type=A&sourceid=10192417-10465906-8055522&TAG_ID=26314711025193470991102531280052

    https://www.lowermybills.com/servlet/LMBServlet?the_action=NavigateHomeLoansAppFirstStep&test_type=A&sourceid=10192417-10465906-8055519&TAG_ID=10650111026871729451102687172945&jrunsessionid=1065011102687172945

    Under Tools / Page Info the referring URL is:
    http://ad.doubleclick.net/adi/N3285.yahoocom/B1231090.91;sz=728x90;dcopt=rcl;click=http://us.ard.yahoo.com/SIG=12492rljh/M=308859

    Sometimes the Lowermybills window tries to also load a popup which Mozilla
    stops.

    Again I don't have this problem when retrieving my Yahoo emails on IE, or
    an older pc that I installed Mozilla on to test Yahoo email using Mozilla.

    Anyone know how to stop this???

    TIA!

    I'm using Firefox Ver 1.0, Win ME.
    ringo, Dec 11, 2004
    #1

  2. ringo

    Tom Betz Guest

    Quoth ringo <> in news:Xns95BC7156637DCringoringocom@
    63.223.5.254:

    > My remaining problem is when in Mozilla I go to my Yahoo mail
    > and open messages it brings up a new window of the site
    > lowermybills.com(only this site NO others).


    You've probably still got the CoolSavings adware installed.

    See <http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076021>.

    I wouldn't be surprised to discover you have others, as well.

    --
    George Bush's War of Choice on Iraq is a totally unnecessary war.
    Every life lost, every limb lost, every disfigurement, every
    disability caused there is more blood on George W. Bush's hands,
    and on the hands of everyone who voted for George W. Bush.
    The more you know, the less likely you were to vote for Bush.
    <http://shorterlink.com/?47TBP8>
    Feeling a draft? <http://shorterlink.com/?930B5U>
    For the facts on Iraq, see <http://optruth.org>.
    Tom Betz, Dec 12, 2004
    #2

  3. ringo

    ringo Guest

    Tom Betz <> wrote in
    news:Xns95BCEAF99E7D3greenriverordinance@166.84.1.69:

    > Quoth ringo <> in news:Xns95BC7156637DCringoringocom@
    > 63.223.5.254:
    >
    >> My remaining problem is when in Mozilla I go to my Yahoo mail
    >> and open messages it brings up a new window of the site
    >> lowermybills.com(only this site NO others).
    >
    > You've probably still got the CoolSavings adware installed.
    >
    > See <http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076021>.
    >
    > I wouldn't be surprised to discover you have others, as well.
    >


    That sounds just like my problem, except the file cpnmgr.dll is not on my
    pc nor is any of those lines in my regedit.

    Thanks anyway.

    It's weird that it does it in Mozilla but not IE or is it since I'm still
    new to Mozilla??
    ringo, Dec 12, 2004
    #3
  4. ringo

    Tom Betz Guest

    Quoth ringo <> in news:Xns95BDB24C5987ringoringocom@
    63.223.5.251:

    > That sounds just like my problem, except the file cpnmgr.dll is
    > not on my pc nor is any of those lines in my regedit.


    Sucks.

    Here's another useful tool for you. It's freeware, I've found it
    very helpful in manually cleaning up stuff like this.

    <http://www.worldstart.com/weekly-download/programs/regcleaner.exe>

    You should look at the entries in the "Startup" tab and see what
    doesn't look like it should be there, and remove it.

    The advantage of RegCleaner is that it backs up entries you remove,
    so if you accidentally break something, it's easy to put back.

    Good luck.




    Tom Betz, Dec 12, 2004
    #4
  5. ringo

    Splibbilla Guest

    Another page on the site posted above.. lowermybills "june 2004"
    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453084604

    --

    to OP:
    ad doubleclick should be in your hosts file.

    http://www.mvps.org/winhelp2002/hosts.htm
    says their zip is dec 12, but the actual file is dated "12-12-04" inside. Since the last few entries are new, it appears someone
    forgot to change the date *inside*. Either way, www.lowermybills.com doesn't show in text search. I added
    www.lowermybills.com to my hosts. And hopefully that's a desirable defense :)

    ---
    and ad doubleclick should be filtered out by proxomitron

    ---
    Lowermybills.. hmm...

    Ha! More telling than ironic:
    Google Lowermybills + spyware or similar
    found multiple usatoday articles. In two:
    http://www.usatoday.com/tech/news/computersecurity/2004-09-08-zombieinfect_x.htm
    text search found a Lowermybills ad! Ha.
    http://www.usatoday.com/tech/news/computersecurity/2004-10-07-ftc-spyware_x.htm
    Lowermybills text not found


    Googles show that Lowermybills problems date from (at least) 2001, but probably Lowermybills update their contagion
    occasionally.

    more... search...
    I didn't immediately see anything about how to eradicate the pest.

    --
    try HijackThis to spot suspicious registry entries.
    http://209.133.47.200/~merijn/files/HijackThis.exe
    current ver 1.98.0.2 and < 200kb

    --
    and people in
    microsoft.public.security
    alt.privacy.spyware
    might have answers.
    Splibbilla, Dec 13, 2004
    #5
  6. ringo

    ringo Guest

    > to OP:
    > ad doubleclick should be in your hosts file.
    >
    > http://www.mvps.org/winhelp2002/hosts.htm
    > says their zip is dec 12, but the actual file is dated "12-12-04"
    > inside. Since the last few entries are new, it appears someone forgot
    > to change the date *inside*. Either way, www.lowermybills.com doesn't
    > show in text search. I added www.lowermybills.com to my hosts. And
    > hopefully that's a desirable defense :)


    This HOST file stuff was new to me but I went to the above site and
    downloaded the HOST file and spent some time with it.

    The good:
    It stopped the LowerMyBills.com problem altogether.

    The bad:
    (Through trial and error I discovered an issue I have when I am running
    a lot of programs. I work from home on this pc so from 830am-600pm I run
    a lot of programs)
    When I go to some sites: like Yahoo, Ragingbull, & ESPN.com the msg
    "Transferring data from <website>" stayed in my status bar.

    examples: "Transferring data from pa.yahoo.com"
    "Transferring data from adsatt.espn.go.com"
    "Transferring data from hb.lycos.com"

    This msg would stay in the bottom left of the status bar while the dotted
    spinning circle in the upper right would keep spinning like when it's
    trying to find a site.

    This didn't affect anything except it was annoying to me. I even went to
    lunch and when I came back over 1/2 hr later it still had the msg and the
    circle spinning.

    I notice on the mvps.org site it mentions rare cases of slowing down the
    machine and gives a fix for W2 and XP but I'm on ME.

    I made a smaller version of the HOST file that only has the doubleclick
    section and is 4kb instead of 194kb and that still solved the lowermybills
    problem.

    I know I need a newer pc too. That is probably next year.

    Thanks again!!!

    I have another issue I'm gonna post in a separate message, see if you can
    handle that one. Search for my name: ringo
    ringo, Dec 13, 2004
    #6
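
The reduced hosts file described in post #6, as an added example that is not part of the original thread: it parses a blocklist-style hosts file, keeps only the sink entries under chosen domains, and shows that hosts lookups match exact names only. The sample entries are constructed (not the real MVPS list) and the function names are hypothetical.

```python
# Added example: cut a blocklist-style hosts file down to chosen domains.
SAMPLE_HOSTS = """\
# constructed sample in hosts-file format, not the real MVPS list
127.0.0.1  localhost
127.0.0.1  ad.doubleclick.net
127.0.0.1  ad.uk.doubleclick.net   # trailing comment
127.0.0.1  pa.yahoo.com
127.0.0.1  adsatt.espn.go.com
127.0.0.1  notdoubleclick.net
127.0.0.1  www.lowermybills.com
"""

SINKS = {"127.0.0.1", "0.0.0.0"}  # addresses used to black-hole a hostname


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:  # one address may carry several names
            yield fields[0], name.lower().rstrip(".")


def in_domain(name, domain):
    """True for the domain itself or a subdomain, not a bare suffix match."""
    return name == domain or name.endswith("." + domain)


def reduce_hosts(text, domains):
    """Return a smaller hosts file holding only sink entries under `domains`."""
    kept = []
    for addr, name in parse_hosts(text):
        wanted = any(in_domain(name, d) for d in domains)
        if addr in SINKS and wanted and name not in kept:
            kept.append(name)
    lines = ["127.0.0.1  localhost"] + [f"127.0.0.1  {n}" for n in kept]
    return "\n".join(lines) + "\n"


def is_blocked(text, name):
    """Hosts lookups are exact-name: no wildcards, no implied subdomains."""
    name = name.lower().rstrip(".")
    return any(a in SINKS and n == name for a, n in parse_hosts(text))


if __name__ == "__main__":
    small = reduce_hosts(SAMPLE_HOSTS, ["doubleclick.net", "lowermybills.com"])
    print(small)
    print(is_blocked(small, "lowermybills.com"))  # bare domain is not covered
```

An entry for `www.lowermybills.com` does not cover `lowermybills.com` or any other subdomain, so each hostname to be blocked needs its own line.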