Google misbehaving!!!!!!!!!!
Comments
-
GreenNotM.........Have you given up on me? :rolleyes: Have rebooted the router, but still no luck at getting rid of the pest.
When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
-
Hi Gatita
I did do a response yesterday - but as I clicked post - it disappeared. And I was off out again - I am in all evening if you make it back ..... You have your DNS servers set to some Russian DNS hacker servers which is causing your problem ... will post a fix after some cutting and pasting ....
Rich people save then spend.
Poor people spend then save what's left.
Gatita, the following has worked to remove "Wareout" infections from previous posters, and a thanks to Browntoa and Alfonso - I have added a few belt and braces steps...
Firstly copy Hijackthis.exe to its own directory again.
It may be easier to print these instructions as you need to turn your router off.
Step 1 (copied from an earlier post in a thread by alfonso for the same infection)
Please download FixWareout from either of these links: Save it to your desktop and close ALL Internet Explorer windows and any Windows Explorer windows which may be open (failure to close these may affect the removal process).
Turn your router off to take your home network off the Internet
Double click Fixwareout.exe and run it.
Click Next, then Install.
Then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
When asked to reboot your computer, please do so.
Your system may take longer than usual to load; this is normal.
Afterwards, HijackThis will launch. Please click Scan, and check the following items (if there) and any other O17 entries that may have appeared.
O17 - HKLM\System\CCS\Services\Tcpip\..\{17311B88-08E8-4715-A03D-5B8435D5D4FB}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{A634DE9D-852F-4F2A-8F74-051BFD2894F4}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{E909F3BC-CB57-4BCE-A957-226B1434AF07}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB678D80-E67B-4BE8-8A44-D98E74B94A01}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2CF3831-4D03-45D0-8A6A-9B2DEFE9282E}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109 <<<< All Russian servers
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll << a type of reporting tool best get rid of
Click fix checked
Step 2
Before doing this write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
These instructions are basically for home users.
Now let's check some settings on your system.
Enter your Control Panel and double-click on Network Connections
Then right click on your Default Connection
Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Note: Do this for all Network Connections
Press OK twice to get out of the properties screen, NOT cancel.
Reboot if it asks
Step 3
Click Start | Run and type CMD and click OK.
At the Dos Prompt Screen, type in cd\ and hit enter.
Now type in ipconfig /flushdns and click enter! (notice the space in the middle)
Then close the command prompt.
Step 4
Reboot when finished and post the following in your next reply please:
1. Fresh HijackThis log.
2. C:\fixwareout\report.txt
3. Any more symptoms you have with the pc and laptop - it may be worth doing the above on both computers.
4. Confirm that your firewall is running and your Anti-virus is up to date.
Any problems just say how far you get with the above...
Rich people save then spend.
Poor people spend then save what's left.
Hi again GreenNotM
First of all an enormous thank you for all the time and trouble you have gone to in helping me I appreciate it very much.
Well......I have followed all your new instructions, and removed everything that you had listed. BUT I just thought I would check by clicking on the wretched link but it STILL goes to the !!!!!! site. Below is a copy of the latest HIJack report and the Fixware report.
Logfile of HijackThis v1.99.1
Scan saved at 21:44:37, on 22/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rob\Desktop\downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.moneysavingexpert.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
»»»»» System restarted
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further
inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
All this was done with the router switched off and on both computers. Both of these reports are from the PC (the laptop did not have any of those link numbers in the Hijack report). All anti-virus and firewall is up to date and running.
Thank you so much once again. You must be sick to death of me by now.
:mad:
When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
Download, install, restart, update and run
SuperAntiSpyware http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
and/or
AVG AntiSpyware http://www.ewido.net/en/download/
Or you can do a System Restore to a date prior to you having the problem.
I've had a problem in the past where I've typed in an address slightly wrong and instead of just saying that the domain does not exist it just goes to a random website. However it comes and goes so I wonder if it's something to do with Windows Updates?
-
Skiddy...........I have downloaded the antispyware programme and...................................... it FOUND 2 TROJANS!!!!!!!!!!!
trojan. DNSChanger-Codec and another one
Trojan.downloader- Fake/Codec
so so fingers and everything else crossed maybe we have cracked it! I will post news tomorrow as I am so tired must go to bed.
Thank you. ;)
When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
Hi Gatita
Unusual that ewido/avs antispyware did not pick that up in http://forums.moneysavingexpert.com/showpost.html?p=1354146&postcount=2 when you ran it. Where was the infection (folder)? If it was in Anna temp files it may need to be run logged in as Rob and any other accounts set up on the pc/laptop.
Perhaps it is time to add http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE to that thread.
Here is an article on one of your infections, Potential trojan redirects users to malicious websites
If you check for the wrong url mis-directing (!!!!!!-site for non reg addresses) before rebooting then you will get redirected - please run the following to reset your DNS (DNS = Domain Name System = the system whereby internet names are translated into ip addresses)
Step 1
Enter your Control Panel and double-click on Network Connections
Then right click on your Default Connection
Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Note: Do this for all Network Connections
Press OK twice to get out of the properties screen, NOT cancel.
Reboot if it asks
Step 2
Click Start | Run and type CMD and click OK.
At the Dos Prompt Screen, type in cd\ and hit enter.
Now type in ipconfig /flushdns and click enter! (notice the space in the middle)
Then close the command prompt.
Step 3
Reboot - do not test for mis-direction before you reboot ....
You may need to run ccleaner logged in as Anna and as Rob.
After this I am out all day again ... well not able to get onto MSE... :rolleyes:
Rich people save then spend.
Poor people spend then save what's left.
alanrowell wrote: I've had a problem in the past where I've typed in an address slightly wrong and instead of just saying that the domain does not exist it just goes to a random website. However it comes and goes so I wonder if it's something to do with Windows Updates?
Hi Alan
Some people reg mis-spellings of pop sites and do re-directs see www.gogle.co.uk for a harmless example
See who reg'ed it here http://whois.domaintools.com/gogle.co.uk
Gatita has a trojan/malware infection that is pointing their DNS servers to Russian based servers that are used for phishing and the spreading of more trojans/bot armies/spyware/etc ..
O17 - HKLM\System\CCS\Services\Tcpip\..\{17311B88-08E8-4715-A03D-5B8435D5D4FB}: NameServer = 85.255.114.29,85.255.112.109 <<< is the giveaway entry in the HJT log. Why these servers are not closed or blocked by all ISPs,
But as you can see by the thread removing the infection is a process of elimination. Seems Gatita's computers were possibly infected by downloading codecs to view videos .... :eek:
Rich people save then spend.
Poor people spend then save what's left.
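The O17 check described in the post above can be automated over a saved HijackThis log. This is an added example, not code from the thread or from HijackThis: the allowlist `192.168.1.0/24` and the third sample line (an all-zero GUID pointing at a home router) are constructed assumptions, while the other O17 lines are taken from the logs posted in this thread.

```python
import ipaddress
import re

# HijackThis O17 line: "O17 - <registry key>: NameServer = <addresses>"
# [^<]+ stops before hand-written annotations such as "<<<< All Russian servers".
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[^<]+)")

# Sample input: two O17 lines and one O4 line from this thread, plus one constructed line.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{A634DE9D-852F-4F2A-8F74-051BFD2894F4}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109 <<<< All Russian servers
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""


def parse_o17(log_text):
    """Return [(registry_key, [ip, ...]), ...] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        ips = []
        # HijackThis prints both comma- and space-separated resolver lists.
        for token in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # skip anything that is not an IP address
        entries.append((m.group("key"), ips))
    return entries


def unexpected_nameservers(log_text, expected):
    """Flag statically configured resolvers outside the expected networks."""
    nets = [ipaddress.ip_network(n) for n in expected]
    findings = []
    for key, ips in parse_o17(log_text):
        bad = [str(ip) for ip in ips if not any(ip in n for n in nets)]
        if bad:
            findings.append((key, bad))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: the home router's LAN range.
    for key, bad in unexpected_nameservers(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f"unexpected DNS in {key}: {', '.join(bad)}")
```

Replace the allowlist with the resolvers your router or ISP actually hands out; any interface key that still reports something else after cleanup needs another look.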
Me again!!
Thank you GreenNotM,
We have done every single thing you suggested on both computers.......but no luck
We then decided to do a System Restore.......... guess what, it doesn't work! We checked to see if it was 'enabled', it was, so the virus trojan must have got to that too :mad:
Is there anything more we can do, or does it mean a complete re-install of XP? :eek:
When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.