Google misbehaving!!!!!!!!!!

Comments

  • gatita
    gatita Posts: 1,283 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Anybody there?:wave:
    When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
  • skiddy2k
    skiddy2k Posts: 1,627 Forumite
    Click Start>run... Type in regedit... click Edit>Find... type into there the !!!!!! site which keeps popping up (without the http://) and click "find next"... can you find it?

    If not, go onto this site: http://network-tools.com/
    ... click "Ping" and type in the !!!!!! site's name in the search field. Click "Submit". On the bottom left, you'll have some numbers... copy the numbers which look similar to this: ###.###.###.### and paste them in the search field of Regedit (which you previously opened). Search the numbers. Can you find them?

    If all else fails, try to do an online scan using Kaspersky... http://www.kaspersky.com/virusscanner
    Running out of ideas now!
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    Hi Gatita... ur thread got a lil buried there.

    can you post the results of Start >> Run >> cmd ..in the command window type without the quotes " "'s "ipconfig /all"

    Right click in the command window and select Mark. Drag your mouse over the results of the above command from " Windows IP Configuration " to the end. When all selected - press the Return/Enter key.

    Then reply here by pressing Ctrl + V to paste the info - thanks

    There are still a few more tools - root kit revealers and temp area removers to try.

    I would add also that some infections need tools running several times to remove them. And there is work to be done on your last HJT log ...
    Rich people save then spend.
    Poor people spend then save what's left.
  • alanclose
    alanclose Posts: 2,226 Forumite
    Have you tried removing google toolbar?
  • gatita
    gatita Posts: 1,283 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    SHHHHHHHHHHHH
    we think that you have cracked it.:T When we clicked on that link (as we were going to copy and paste it as you said), lo and behold it showed "page cannot be displayed":D . So it looks as though the dratted pest has been disposed of. HEHEHE. We spent the weekend doing about 7 different scans with the various trojan/spyware etc that you pointed us to, all in safe mode and system restore disabled, plus resetting our router (messing up all our settings, including wireless, but that's another story!!!!).
    GreenNotM... you mentioned about the HJT log needing more work, see the latest scan log below. Once again a million thanks to all of you that helped us.

    Logfile of HijackThis v1.99.1
    Scan saved at 22:23:31, on 26/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ProcessGuard\pgaccount.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Anna\LOCALS~1\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.moneysavingexpert.com/
    O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: DiamondCS ProcessGuard Service v3.410 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    Well you have certainly loaded up a few other tools...... ProcessGuard, SuperAdBlocker, but no Windows Defender or SpyBot now...
    Is it the Windows firewall you are using? If so here are 2 good free ones - Kerio Personal Firewall and ZoneLabs, but only use 1 at a time.

    The following can go if you want - it is but more of a tidy up. See reasons in blue.

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe << this could be a MS Office language switching tool or a version of Coolwebsearch but as it is in the "correct" folder and you have Excel... Do you change languages in Office or XP ? It can be turned off via XP..


    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) << as the files are missing remove or re-install

    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab << see here for details, are you still updating drivers ? Active X controls need to be watched.

    You may want to read Tony Klein’s article 'How Did I Get Infected In The First Place'
    http://forums.spywareinfo.com/index.php?showtopic=60955......

    You may also want to run a RootKit revealer just in case you have something hidden away ... https://europe.f-secure.com/exclude/blacklight/index.shtml

    Download the Graphical User Version and save it to c:\blacklight\
    Double-click blbeta.exe to run the program
    Click : Scan
    A list of all items found is created
    If anything is found then look in the BlackLight folder; the file named fsbl.xxxxxxx.log (xxxxxxx are numbers) will be the report.
    Open the file and post the contents here.

    And finally the other PC ??
    Rich people save then spend.
    Poor people spend then save what's left.
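
The manual read-through of the HijackThis log in the post above (services marked "(file missing)", ActiveX/DPF entries and their download source, a `ctfmon.exe` autorun being in the "correct" folder) can be sketched as a small triage script. This is an added example, not part of the thread or of HijackThis itself; the sample log lines, the `example.invalid` URL and the `EXPECTED_DIR` table are constructed for illustration.

```python
import re

# Constructed sample in the format of the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\Temp\ctfmon.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/files/example.cab
O23 - Service: Example Scanner - Unknown owner - C:\Program Files\Example\scan.exe" /service (file missing)
O23 - Service: Example Guard - Example Ltd - C:\Program Files\Example\guard.exe
"""

# Assumption for this example: the folder a system file name is expected in.
EXPECTED_DIR = {"ctfmon.exe": "c:\\windows\\system32\\"}

ENTRY = re.compile(r'^\s*([A-Z]\d{1,2}) - (.*)$')            # "O23 - Service: ..."
RUN = re.compile(r'^HK\w+\\\.\.\\Run: \[.+?\] "?(.+?\.exe)', re.I)
DPF = re.compile(r'^DPF: \S+ \((.*?)\) - (\S+)')


def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header or running-process line, not a numbered entry
        section, body = m.groups()
        if section == "O23" and body.rstrip().endswith("(file missing)"):
            findings.append((section, "service points at a missing file", body))
        elif section == "O16":
            d = DPF.match(body)
            if d:  # ActiveX control: report where it was downloaded from
                findings.append((section, "ActiveX control, check its source", d.group(2)))
        elif section == "O4":
            r = RUN.match(body)
            if r:
                path = r.group(1)
                expected = EXPECTED_DIR.get(path.rsplit("\\", 1)[-1].lower())
                if expected and not path.lower().startswith(expected):
                    findings.append((section, "system file name outside its usual folder", path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

A finding here only means "look at this by hand"; nothing is removed or changed on the machine.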
  • gatita
    gatita Posts: 1,283 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Hello GreenNotM:p
    I have run the RootKit. Nothing found, thank goodness:o
    Yes we do have Spybot installed, and we have been using Windows Firewall, and also we thought:cool: that the router had its own built-in firewall? But we will download ZoneLabs. I have also got rid of the things you pointed out in the HijackThis log.

    I have the horrible suspicion the reason we got infected was through an 'open' connection on our router:eek: The thing is we found it IMPOSSIBLE to 'lock' it, we spent HOURS trying to, the Sweex router has to be the most difficult to configure of all of them! Or we are total idiots! (DON'T answer that:D) so..........we have decided to splash out and buy a new one, a WWQ77393 :: Linksys Wireless-G ADSL Home Gateway Router. HOPEFULLY this will be easier, should arrive this afternoon.
    Again thank you, you have been an:A
    When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
  • gatita
    gatita Posts: 1,283 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Guess what:o when I tried to do a Disk-Cleanup it just hangs/freezes, I googled and found this below, but am unsure if I have done it correctly as it doesn't seem to have worked. Oh dear! will my PC problems never end:p

    Disk Cleanup Freeze?

    This tutorial has been tested to work on WinXP Pro and Home only. That doesn't mean it won't work in other WinOS. Just that it's not been tested in others. It's a very common problem that many newbies almost always ignore to correct; that when you try to run the Disk Cleanup tool, it may stop responding and you may receive the following message:
    Disk Cleanup is calculating how much space you will be able to free on (C:).
    This may take a few minutes to complete.
    Scanning: Compress old files
    This problem happens when there is an incorrect entry in the registry that is used by the Disk Cleanup utility to locate compressed files. In my view, I've noticed it happening to clean formatted computers as well, so I would suppose that the problem in the registry too is probably a fault of M$ programming.
    But here is a good little trick to follow if this happens to you:
    1. Create a registry file by "right clicking" on the desktop > New > Text Document.
    2. Name it anything you want with .reg extension. For example: diskcleanup.reg
    3. Right click this file > Edit.
    4. Type in the following code, then save and close:
    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Compress old files]
    When man sacrifices the Love of POWER for the Power of Love, there will be peace on earth.
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    Use the MS Guided method - best to avoid reg edits ..... http://support.microsoft.com/?kbid=823302
    Rich people save then spend.
    Poor people spend then save what's left.
  • GreenNotM
    GreenNotM Posts: 1,087 Forumite
    or the MS manual method

    Manual step to remove temporary files

    To manually resolve this problem, delete all the files in the current user's Temp folder, and then delete all the user's temporary Internet files. To do this, follow these steps:
    1. Click Start, click Run, type %temp%, and then click OK to open the Temp folder.
    2. In the Temp folder, click Select All on the Edit menu, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
    3. Click Start, click Control Panel, and then double-click Internet Options.
    4. On the General tab, click Delete Files.
    5. Click to select the Delete all offline content check box, and then click OK.
    6. Click Start, and then click My Computer.
    7. Right-click the drive that you want to clean, and then click Properties.
    8. Click Disk Cleanup to run the Disk Cleanup tool again.


    from above URL

    maybe worth running "chkdsk /f /r" Start >> run >> "cmd" >> "chkdsk /f /r" ... you may need to reboot and this will run in a blue screen on restarting
    Rich people save then spend.
    Poor people spend then save what's left.
This discussion has been closed.