Google misbehaving!!!!!!!!!!

Comments

  • VeePee
    VeePee Posts: 137 Forumite
    just try panda antivirus
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    Hi Gatita

    Thanks for posting the log. No need to remove the SDhelper line, it is from Spybot, but you have left out the few lines from the top of the log.

    I have to ask, do you use winrar.exe for archiving or zipping files?
    If not, and with the symptoms you describe, then you may have a CSW CoolWebSearch infection ...

    will add more I just hit the wrong button ....
    Rich people save then spend.
    Poor people spend then save what's left.
  • are the other sites this happens on popular sites? I know a lot of !!!!!! sites register common mis-spellings of famous site names and then redirect you to their own naughty sites as this has happened to me a few times.

    Joe
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    If you do not use Winrar.exe then ...

    Download the cwshredder.exe from here http://www.trendmicro.com/cwshredder/

    Read about it here http://www.intermute.com/cwshredder/learn_more_cwshredder.html

    After downloading the CWShredder.exe file,
    reboot to safe mode, F8 etc
    Double-click CWShredder.exe icon to display the CWShredder window.
    Click the Fix button.
    CWShredder will systematically scan your system for each variation of CoolWebSearch and, upon finding one or more, will remove it from your PC. When the scan is complete, click Next and Exit to close CWShredder.
    Reboot ...

    HTH if it doesn't then it may be ....
    Rich people save then spend.
    Poor people spend then save what's left.
  • gatita
    gatita Posts: 1,283 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Hi GreenNotM, I downloaded the CWShredder and ran it as you said in Safe Mode. It found one, CWS.FindOnline, and it got rid of it.

    I have just tried to click on the original link I posted on here:
    www.living-in-the-sun.info but it STILL goes to a !!!!!! page :mad:
    What on EARTH could be causing it I wonder?
    Thank you all for your help.............. anymore ideas?
    When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    Run CWShredder again. If it finds the same one again, you will need to turn off System Restore, see below:
    1. Log on as Administrator or an admin account.
    2. Right-click the My Computer icon on the desktop and click Properties.
    3. Click the System Restore tab.
    4. Select Turn off System Restore.
    5. Click Apply > Yes > OK.
    6. Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
    7. Re-enable System Restore by clearing Turn off System Restore.
    Then run CWShredder again, reboot and run CWShredder again, then check the web page again. Then repost a FULL HJT log if you still have problems. There are still a few tools left to try.
    Rich people save then spend.
    Poor people spend then save what's left.
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    Here is what Trend Micro say about removing that variant: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=SPYW%5FSTARTPAGE%2EJ&VSect=Sn
    trendmicro wrote:
    Resetting Internet Explorer Home Page and Search Page
    This procedure restores the Internet Explorer home page and search page to the default settings.
    1. Close all Internet Explorer windows.
    2. Open Control Panel. Click Start>Settings>Control Panel.
    3. Double-click the Internet Options icon.
    4. In the Internet Properties window, click the Programs tab.
    5. Click the Reset Web Settings… button.
    6. Select Also reset my home page. Click Yes.
    7. Click OK.
    Additional Windows ME/XP Cleaning Instructions
    Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
    Rich people save then spend.
    Poor people spend then save what's left.
  • gatita
    gatita Posts: 1,283 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Hello Again GreenNotM,
    Have done all you suggested, and the shredder reports nothing found... BUT when I click on that blasted link the !!!!!! page still appears. Could it be that the actual link of that particular page is corrupt, or hijacked? I am probably talking nonsense, but it seems to be only happening on that one link now?

    HijackThis log done today:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:16:42, on 21/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Anna\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.moneysavingexpert.com/
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17311B88-08E8-4715-A03D-5B8435D5D4FB}: NameServer = 85.255.114.29,85.255.112.109
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A634DE9D-852F-4F2A-8F74-051BFD2894F4}: NameServer = 85.255.114.29,85.255.112.109
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E909F3BC-CB57-4BCE-A957-226B1434AF07}: NameServer = 85.255.114.29,85.255.112.109
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB678D80-E67B-4BE8-8A44-D98E74B94A01}: NameServer = 85.255.114.29,85.255.112.109
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2CF3831-4D03-45D0-8A6A-9B2DEFE9282E}: NameServer = 85.255.114.29,85.255.112.109
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
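
The O17 lines in the log above set a NameServer value on each network interface and on the global Tcpip parameters, which controls where the machine sends its hostname lookups. As an added example (not part of the original thread), this Python code pulls those entries out of a HijackThis log and lists every resolver that is not on a list you expect; `EXPECTED_RESOLVERS` and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Lines copied from the log in the post above (R0 kept to show non-O17 lines are skipped).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.moneysavingexpert.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{A634DE9D-852F-4F2A-8F74-051BFD2894F4}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
"""

# Assumption: the resolver this machine is supposed to use (constructed value, a home router).
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^\s*O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(log_text):
    """Return {registry key: [resolver IPs]} for every O17 NameServer line."""
    found = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue
        servers = []
        # HijackThis prints the raw registry value, so the separator is a comma or a space.
        for token in m.group("servers").replace(",", " ").split():
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                servers.append(token)  # keep unparseable tokens visible for review
        found[m.group("key")] = servers
    return found


def unexpected_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Return {resolver: [registry keys that set it]} for resolvers not in `expected`."""
    report = {}
    for key, servers in parse_o17(log_text).items():
        for server in servers:
            if server not in expected:
                report.setdefault(server, []).append(key)
    return report


if __name__ == "__main__":
    for server, keys in sorted(unexpected_resolvers(SAMPLE_LOG).items()):
        print(f"{server}: set in {len(keys)} registry key(s)")
```

Any resolver it reports should be checked against what the ISP or router actually hands out before the O17 entries are changed.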
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    It is your browser being hijacked - just need to ask, have you completely rebooted the PC and your router? Sorry I am just going out .... some things seemed to have changed in the log ...
    Rich people save then spend.
    Poor people spend then save what's left.
  • gatita
    gatita Posts: 1,283 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Sorry for not clarifying the HijackThis log... the first log I posted was from my laptop, today's was from the main PC. Just to add I have carried out all the measures you suggested on both machines!
    I did reboot the PC but not the router, but will do it now.
    Bye for now:o
    When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
This discussion has been closed.