Yesterday and today I got the annoying errorsafe popup again.
origin is gwonline.net (or your advertising agency) since I had no other sites open except for my company's homepage.
My company PC has the highest available security precautions, thus I don't want to have an IT guy shooting at me for visiting malware spreading sites
A trustworthy site like gwonline simply should not have it.

Pls admins, take care this is taken care of once and for all.

Can you post a screenshot the next time you get it (if you do?), please?

I also got it earlier today (no screenshot, sorry). I will try to get a screenshot if it occur again.

I would have to wait till it happens on my home PC.
I can't take screenshots on the office PC

http://img268.imageshack.us/img268/5016/errorsafe6ld.th.jpg (http://img268.imageshack.us/my.php?image=errorsafe6ld.jpg)

It's back... (and more aggressive than I remember it?)

(as I'm not actually on my own computer I'm using explorer where the owner normally uses firefox ...)

Still get it, but can't take a screenshot, and yes, it is more aggresive now.
All I can do is trigger this thing and than my AV software gives a warning...

This needs to be fixed asap !

That definately looks like malware. Its trying to pretend that its a official dialog so that you will install it. Have you tried "hijackthis"? To try and trace it down to remove it? There may even be programs out there that can monitor for it to trace its origin so that the offender can be reprimanded by gwonline for their actions.

Sounds like GWOnline are being ripped off by their hosting company.

Sounds like GWOnline are being ripped off by their hosting company.

Sounds like you do not know what you're talking about.

Sounds like GWOnline are being ripped off by their hosting company. Its more likely that it is a result from a compromised/on purpose add space purchaser than the hosting. Because not everyone is getting the errorsafe thing.

I just thought of something but do any of you getting errorsafe get a request for service and controller app (C:\<windowsDir>\system32\services.exe) trying to access the net or is allowed to access the net by default on the PC(s) its happening on?

Knock on wood...I havent encountered this yet...

Got it again today (twice). I only ever get it when visiting these forums, and it is really annoying. I am located in Sweden, if that helps at all.

Sorry for double posting, but the edit time had expired. Got it again, and this time I took a screenie

http://img97.imageshack.us/img97/820/sp32200606130909093kb.th.gif (http://img97.imageshack.us/my.php?image=sp32200606130909093kb.gif)


It is in Swedish (guess it detects country of origin), but what it says is:
OBSERVE: If your computer has malfunctions in the register database, it can cause unpredicted behaviour, lock-ups and computer crashes. To fix this malfunction may improve your computer's performance and prevent data loss. Do you wish to install Errorsafe and perform an free control of your computer? (reccommended). YES/NO

It also opens a small browser window at the lower right corner.

Of course, whatever you click (including the x), it will try to install Errorsafe. The only way to prevent it is to kill the browser through the task manager.

I posted a question to those getting it a few posts back but nobody answered so I don't know if it is just that the answer was no or it was missed. If anyone getting it could confirm the info it may help in diagnosing maybe. I every once in a while when using the forums here get a message from my firewall telling me service and controller app is trying to access "<some address>" and i thought maybe it is related.

Here is some things of interest. Hopefully they will be helpful.

http://www.symantec.com/avcenter/venc/data/errorsafe.html

http://forums.spybot.info/showthread.php?t=2096

Sort of funny (no, not really), but while I was reading this thread, I got this ad... :tongue:

I'm using Internet explorer and I had several other browser windows open at the same time. I am fairly certain that it came from/through the forums, however, as I tried Lensor's way of closing the window through the task manager. See, I tend to go to the forum index and from there use right-click->open in new window to view threads of interest. What happened when I closed the errorsafe ad was that all other forum windows closed, too, but not my email and another forum.

If it is of any interest, I - like Lensor - live in Sweden, and thus get the ad in Swedish. Oh, and it's happened once or twice before this week, I just didn't think about posting about it until I saw this thread.. :embarassed:

i dont have this problems at work/at home.

I just thought of something but do any of you getting errorsafe get a request for service and controller app (C:\<windowsDir>\system32\services.exe) trying to access the net or is allowed to access the net by default on the PC(s) its happening on?


I do not get this request. However, I imagine such a request would not be initiated unless I actually go ahead and install Errorsafe? (I have done a full system virus and malware scan and manually checked for Errorsafe files and registy keys and found nothing).

The problem is that there is a malicious popup trying to trick forum goers into installing it in the first place, and this I dont imagine have anything to do with the local computer (but may of course have to do with the browser used)..

I do not have any external ad providers, scan my system regularly and have both software and hardware firewalls, and it is only on gwonline.net this occurs (of the websites I frequent).

It can go weeks between every time I get this popup, but then it can show up several times in one day (as today). This leads me to believe that once in a while it sneaks into one of the rotating ads provided by Gwonline's ad providers.

It's in the commercials, since not everyone gets it.

I too get it when opening gwonline.net.
The commercial that's visible at that time is some kind of dating woman near you thingy.

And even if I close the popup (from the taskbar of course), it still starts to download.

And it's infected:

The Win32/SillyDl.AFX!Trojan was detected in C:\DOCUMENTS AND SETTINGS\USERNAME\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\MFLH2X4H\ERRORSAFESCANNERINSTALL _NL[1].EXE.
Machine: MachineName, User: UserName.
File Status: File was cured; system cure performed.

I do not get this request. However, I imagine such a request would not be initiated unless I actually go ahead and install Errorsafe? (I have done a full system virus and malware scan and manually checked for Errorsafe files and registy keys and found nothing).


Is service and controllers app set to ask or block? If its set to allow and has anything to do with the popup then you would get the popup. I have my firewall set to ask me to give permission for that file. Occationally when browsing the forum I will get my firewall asking me if I want to allow it to access. I of course deny it access. But it only happens when browsing the forum here and not during any other course of activity or use of my pc or browsing of other sites. Thus I thought perhaps it pay have something to do with errorsafe's popup.

Is service and controllers app set to ask or block? If its set to allow and has anything to do with the popup then you would get the popup. I have my firewall set to ask me to give permission for that file. Occationally when browsing the forum I will get my firewall asking me if I want to allow it to access. I of course deny it access. But it only happens when browsing the forum here and not during any other course of activity or use of my pc or browsing of other sites. Thus I thought perhaps it pay have something to do with errorsafe's popup.


OK, I see what you mean now. I did not have a specific rule for this on my firewall, but have created one now (However my firewall is set to ask for all connections, and I havent been asked in the past). We will see if I get the warning if it happens again. Anyway, if the errorsafe popup (or the services connection attempt) only occurs on the Gwonline forums, there is a problem with this site (or its ad providers).



[EDIT] OK, continued to surf the forum after making this rule (ask for connection by services and applications, ie services.exe) and.... got the errorsafe popup within 5 minutes. No warning from the firewall. :undecided:

I didn't get it for about 2 weeks now. Maybe it's related to localized ads ?
I (German) get German ads sometimes when viewing gwonline .
So maybe Lensors prob is related to a localized Swedish ad ?

I do however think gwonline should take care their adprovider doesn't allow malware containing ads.

OK, I see what you mean now. I did not have a specific rule for this on my firewall, but have created one now (However my firewall is set to ask for all connections, and I havent been asked in the past). We will see if I get the warning if it happens again. Anyway, if the errorsafe popup (or the services connection attempt) only occurs on the Gwonline forums, there is a problem with this site (or its ad providers).



[EDIT] OK, continued to surf the forum after making this rule (ask for connection by services and applications, ie services.exe) and.... got the errorsafe popup within 5 minutes. No warning from the firewall. :undecided:
Let me know if the rule makes a difference. If you still get the popup then its not related to service and control app request most likely. I've never had anything that needed service and control app to access the net. Same goes for ntoskrnl. I tend to take any useage attempts of those two to be unwanted activity.


I didn't get it for about 2 weeks now. Maybe it's related to localized ads ?
I (German) get German ads sometimes when viewing gwonline .
So maybe Lensors prob is related to a localized Swedish ad ?

I do however think gwonline should take care their adprovider doesn't allow malware containing ads.

Yes this appears to be only effecting certain users so it is likely connected to one maybe a few add providers.

Let me know if the rule makes a difference. If you still get the popup then its not related to service and control app request most likely. I've never had anything that needed service and control app to access the net. Same goes for ntoskrnl. I tend to take any useage attempts of those two to be unwanted activity.

It did not, as I got the errorsafe popup after I implemented the rule. (and no connection warning from the firewall)

Got it again just now, and this time it closed down the actual forum browser window. :shocked: Guess they (the corrupted ad makers) have added this "feature" to make it harder to take screenshots to identify the culprit ads. (as you can see on my screenshot a page back, the ad shoots as a white square, so I guess this was the next logical step..).

However, I did catch that the ad at the moment was a blue "date women close to you" thing, if that helps at all.

If this is not resolved, I seriously urge Gwonline to change ad provider. As this is the only site I (and many others) get this problem, there must be other ad-providers out there who do not come with this extra "bonus".

This kind of thing should not be ignored (not saying that it is).

But it seems as if the ad-provider is dubious.

It did not, as I got the errorsafe popup after I implemented the rule. (and no connection warning from the firewall)

Got it again just now, and this time it closed down the actual forum browser window. :shocked: Guess they (the corrupted ad makers) have added this "feature" to make it harder to take screenshots to identify the culprit ads. (as you can see on my screenshot a page back, the ad shoots as a white square, so I guess this was the next logical step..).

However, I did catch that the ad at the moment was a blue "date women close to you" thing, if that helps at all.

If this is not resolved, I seriously urge Gwonline to change ad provider. As this is the only site I (and many others) get this problem, there must be other ad-providers out there who do not come with this extra "bonus".

Ok good thats one possible connection eliminated. Thus we now look at what adds are showing when its gotten. If possible the next time anyone gets it if you could look and see what adds are on the page this could be used to track the culprit.

errorsafe is back again :cry: got hit with it twice now since yesterday, i rage quitted on the first one and took screenshots of the 2nd time since you want a screenshot :laugh:

this one shows the full screen blue thing :angry:
http://img87.imageshack.us/img87/4967/thepersonthatmadetheadvertfore.jpg

this one shows the advert on the page that i was looking at when it happened (if thats any help)
http://img214.imageshack.us/img214/4741/gotitviewingthispage9dt.jpg
i think it was workhomecenter.com because that was taking its time transferring data at the bottom of the screen

:smiley:

http://www.symantec.com/avcenter/venc/data/errorsafe.html

i havnt downloaded it and have checked (Thanks Ashberry :smiley:), its just that the ad is so annoying because while im reading a topic it just decides to boot me out of the entire browser when i close the nagging pop up 16 times :undecided: whoever made that advert should be shot in the groin with a M61 Vulcan... :angry:

and i got it again with this advert, they are all white boxes, lol
http://img90.imageshack.us/img90/8589/andagain2ct.jpg


im thinking of becoming a pal just to stop it, lol

Should be stopped now