Hi there

I had a nasty Hijacking of my IE yesterdaywith a lot of worms and Trojans and Spyware and other stuff. I am still not quite free from Nasty things. Just now I discovered that when I try to goto Google.com I am redirected to some Googl Porn Search Engine which looks very similar to Google.

I have somehow also lost the possibilty of sharing my Internet access with other computers on my home network. That is likely a different problem but Network Connection cannot enable shared acces because some resource is not installed. This is a change from former behaviour. I always used to use this computer for serving Internet access. Now I get some error 1060 The specifird service does not exist as an installed service.

I have included the HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 12:37:21, on 30.3.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Reynir.MYXP\Desktop\4 spors listar\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hugason.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Thanks Trandill :confused:

1. When did you install the BulletProofSoft utility?

All of the "010" entries in your log indicate that the BPS program has gotten itself pretty well integrated into your network stack; it might be the root of the connection-sharing problem.


2. Your log indicates that your versions of Windows and Internet Explorer are not up to date. You should go to Microsoft's Windows Update site and install all of the current critcal fixes and updates. Don't install Service Pack 2 yet, but at least get Service Pack 1 and all related updates/fixes.


3. Aside from the numerous "010" entries, there is nothing else amiss in your log. In terms of the Google redirect- check your C:\WINDOWS\system32\drivers\etc\hosts file for any suspicious IP address-to-URL mapping entries.

A normal hosts file will contain only some comment lines (which begin with a "#") and the following IP->URL map line:

127.0.0.1 localhost

If there are further entries in the hosts file, they should probably be deleted.

1. When did you install the BulletProofSoft utility?

All of the "010" entries in your log indicate that the BPS program has gotten itself pretty well integrated into your network stack; it might be the root of the connection-sharing problem.
Reply:

Thanks for your answer, but problem is not solved yet. I had uninstalled this software from bulletproofsoft.com (010) and there was only one file left a dll file. It could not be deleted unless in Saf mode and by first moving it outside the folder and then rebooting and deleting. Now I get the response that it has broken my Internet connection doing that (see HijackThis log)

Furthemore there is no referense to any URL's in hosts file in etc other han localhost.

(I had not come to the point of upgrading Windows or Explorer yet)

My connection sharing problems stemed from lack of permission in my firewall program from Zone Labs

Do you have any more ideas to help? :eek: :o

Regards Trandill

Logfile of HijackThis v1.99.1
Scan saved at 08:01:19, on 31.3.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Documents and Settings\Reynir.MYXP\Desktop\4 spors listar\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hugason.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll' missing
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

1. When did you install the BulletProofSoft utility?

All of the "010" entries in your log indicate that the BPS program has gotten itself pretty well integrated into your network stack; it might be the root of the connection-sharing problem.
Reply:

Thanks for your answer, but problem is not solved yet. I had uninstalled this software from bulletproofsoft.com (010) and there was only one file left a dll file. It could not be deleted unless in Saf mode and by first moving it outside the folder and then rebooting and deleting. Now I get the response that it has broken my Internet connection doing that (see HijackThis log)

Furthemore there is no referense to any URL's in hosts file in etc other han localhost.

(I had not come to the point of upgrading Windows or Explorer yet)

My connection sharing problems stemed from lack of permission in my firewall program from Zone Labs

Do you have any more ideas to help? :eek: :o

Regards Trandill

Logfile of HijackThis v1.99.1
Scan saved at 08:01:19, on 31.3.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

(as above)


P.S.

I found this wonderfull solution to my LSP problem on the Internet. Only wanted to share it.

owen
D-A-L Moderator
Tech Rank 5/5 Join Date: Jun 2004
Posts: 4,502

Re: Hijack This Log

--------------------------------------------------------------------------------

Hello,
Please download LSPFix from here. (that is to say from : http://cexx.org/lspfix.exe)
Unzip it and run LSPFix.exe.

1) When LSPFix has started, put a checkmark in "I know what I am doing"
2) In the Keep column, select all apptoport.dll entries and click the arrow to move them into the remove column.
3) Click the Finish button to remove them.

Then Boot into Safe Mode

Delete the following folder:
c:\program files\bulletproofsoft.com

Reboot and post a fresh Hijack This log

Now I got back my Internet connection. I still have this Googl problem.
How can I tackel that.

A fresh HijackThis log follows.

Logfile of HijackThis v1.99.1
Scan saved at 09:03:38, on 31.3.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Documents and Settings\Reynir.MYXP\Desktop\4 spors listar\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hugason.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Glad you found LSPFix; it's a handy little repair tool, yes?


Ok, let's work on the "Googl" bit.

1. First- some general clean up:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!


1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


2. To restore your default browser search settings:

Download IEFix.reg:

http://www.spywareinfo.com/downloads/tools/IEFIX.reg

Save the file to your desktop, close all browser windows, double click the file and answer 'yes' when asked to merge. Restart your computer when the operation completes.


3. Repost and tell us if the problem still persists.

Thanks, but this does not do the trick, sorry. I think I did everything you suggested.

I found out, on the other hand, that if I type in google.url on the Address bar I get to this Googl pseudo side named google.com.
There is obviously also some googl.com webside on the web but I dont know if they are responsible for this boring redirection. :confused:

You can see this file on hugason.com/googl

Regards and thanks Trandill

This is odd. The HijackThis logs of others with the "Googl" redirect problem all had indications of malicious infections, but as far as I can see, your log does not.

There are only 2 more things I can think of at the moment, although they're longshots at best:

1. Open a DOS window. type the following at the command prompt, and hit Enter:

ipconfig /flushdns


2. While still in the DOS window, enter the following command to start the Registry Editor utility:

regedit


In the Editor, hit F3 to open the search box and type in googl as your search criteria, make sure the "Keys", "Values", and "Data" boxes are all checked, and hit OK.

See what the search comes up with. If the search finds one instance of "Googl", there may be more; keep hitting F3 to continue searching until you get through the entire registry. For any instances of "Googl" found, write down the location of the entry or entries and pass that info on to us.

Sorry, this dooes not work either. I could flush DNS but there is no match for Googl or googl in the Registry.

Is it possible to trace where the IE goes when I type in google.com and hit Return? Would that help? :confused:

Regards Trandill

Ah well- as I said, I thought those suggestions would be longshots.... :(

In your first post you said that the "googl.com" site was a porn site, but when I go to googl.com it takes me to a page titled "Search Guide". The main page has links to a lot of topics (entertainment, travel, real estate, etc.), but definitely no porn.

I did some research on googl.com and its associated IPs, and although they are possibly in a bit of a legal tangle with the real Google, I found no mention of porn. The company involved seems to be (as someone from the real Google called it) "Typo Squatting" on Googl to send people who mis-type Google to their search page instead.

Just out of curiousity, can you determine the IP of the "porn" googl site?

When I clean out Temporary Internet Files and then type in on the address bar google.com it delivers this in the Tempory Internet Files Folder:

http://hugason.com/googl/Temp.gif

I looked up this place in WHOIS and I found this:

---
WHOIS information for ******.***:

[whois.melbourneit.com]
Domain Name: M******.***
Domain ID: D7550290-BIZ
Sponsoring Registrar: DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Sponsoring Registrar IANA ID: 303
Domain Status: ok
Registrant ID: DI_641436
Registrant Name: warrior
Registrant Organization: top
Registrant Address1: zabugorsk
Registrant City: Zadunaysk
Registrant Postal Code: 684217
Registrant Country: Bermuda
Registrant Country Code: BM
Registrant Phone Number: +286.654187
Registrant Email: ohuh@mail.ru
Administrative Contact ID: DI_641436
Administrative Contact Name: warrior
Administrative Contact Organization: top
Administrative Contact Address1: zabugorsk
Administrative Contact City: Zadunaysk
Administrative Contact Postal Code: 684217
Administrative Contact Country: Bermuda
Administrative Contact Country Code: BM
Administrative Contact Phone Number: +286.654187
Administrative Contact Email: ohuh@mail.ru
Billing Contact ID: DI_641436
Billing Contact Name: warrior
Billing Contact Organization: top
Billing Contact Address1: zabugorsk
Billing Contact City: Zadunaysk
Billing Contact Postal Code: 684217
Billing Contact Country: Bermuda
Billing Contact Country Code: BM
Billing Contact Phone Number: +286.654187
Billing Contact Email: ohuh@mail.ru
Technical Contact ID: DI_641436
Technical Contact Name: warrior
Technical Contact Organization: top
Technical Contact Address1: zabugorsk
Technical Contact City: Zadunaysk
Technical Contact Postal Code: 684217
Technical Contact Country: Bermuda
Technical Contact Country Code: BM
Technical Contact Phone Number: +286.654187
Technical Contact Email: ohuh@mail.ru
Name Server: NS5.ESTHOST.COM
Name Server: NS6.ESTHOST.COM
Created by Registrar: DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Last Updated by Registrar: DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Domain Registration Date: Sat Aug 14 04:54:10 GMT 2004
Domain Expiration Date: Sat Aug 13 23:59:59 GMT 2005
Domain Last Updated Date: Mon Feb 14 08:37:17 GMT 2005
----


Is it possible to shut out this side or sue them or something?

About Googl as a porn side. Try clicking on Images on the the main page.

Thanks Trandill

P.S.
I just found out a strange thing. When I search for ******.*** at Google I get no hit, but when I search for the same thing at Yahoo it finds Googl without problem.

Very odd!

The above Post to is a misunderstanding. Sorry.

Trandill

Those are lower case Q's, not G's; it's qooql, instead of googl, try doing some searching on your system for that.

Those are lower case Q's, not G's; it's qooql, instead of googl, try doing some searching on your system for that.

I have tried that of course. Nothing there. What about the firm *******.***?
Can it be held responible.

Regards Trandill

Yes, that could be the problem, have HJT fix this line and see if it helps:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hugason.com

Yes, that could be the problem, have HJT fix this line and see if it helps:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hugason.com

Sorry, that is my home page

Hi there

I finally found the solution. It was to simple to be true. Run Active Scan from www.pandasoftware.com

Here is the scan result. Some file here was the cause of my problem. I do not know wich one.


Incident Status Location

Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\Reynir\Local Settings\Temp\sp.html
Virus:W32/Netsky.P.worm Disinfected Personal Folders\Deleted Items\Re: Hi\priv.zip[data.rtf .scr]
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Deleted Items\:)\AttachedDocument.zip
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Deleted Items\:-)\Message.zip
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Deleted Items\:)\AttachedDocument.zip
Virus:W32/Bagle.C.worm Disinfected Personal Folders\Inbox\Greet the day\dcccbaca.zip[dmaiaupl.exe]
Virus:W32/Bagle.D.worm Disinfected Personal Folders\Inbox\Accounts department\dcbaabbba.zip[fwdyvwps.exe]
Virus:W32/Bagle.E.worm Disinfected Personal Folders\Inbox\Price list\cdaa.zip[nhphgvoh.exe]
Virus:Trj/Citifraud.A Disinfected Personal Folders\Inbox\HSBC BANK: ACCOUNT UPDATE [Fri, 08 Oct 2004 14:25:52 -0700]\MSG_HTML.TXT
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Deleted Items\:)\AttachedDocument.zip
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Deleted Items\:-)\Message.zip
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Deleted Items\:)\AttachedDocument.zip
Virus:W32/Bagle.C.worm Disinfected Personal Folders\Inbox\Greet the day\dcccbaca.zip[dmaiaupl.exe]
Virus:W32/Bagle.D.worm Disinfected Personal Folders\Inbox\Accounts department\dcbaabbba.zip[fwdyvwps.exe]
Virus:W32/Bagle.E.worm Disinfected Personal Folders\Inbox\Price list\cdaa.zip[nhphgvoh.exe]
Virus:Trj/Citifraud.A Disinfected Personal Folders\Inbox\HSBC BANK: ACCOUNT UPDATE [Fri, 08 Oct 2004 14:25:52 -0700]\MSG_HTML.TXT
Virus:Trj/Downloader.WT Disinfected C:\Documents and Settings\Reynir.MYXP\Desktop\4 spors listar\backups\backup-20050329-080518-140.inf
Virus:Trj/Downloader.WT Disinfected C:\Documents and Settings\Reynir.MYXP\Desktop\4 spors listar\backups\backup-20050329-080518-327.inf
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Reynir.MYXP\Desktop\4 spors listar\backups\backup-20050329-080519-408.inf
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Adware:Adware/Minibug No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Virus:W32/Gaobot.ALK.worm Disinfected C:\WINDOWS\system32\TFTP3528
Virus:W32/Sdbot.CID.worm Disinfected C:\WINDOWS\system32\TFTP2296
Virus:Trj/Downloader.ASM Disinfected C:\WINDOWS\system32\usbn.exe
Virus:Bck/Small.HN Disinfected C:\WINDOWS\system32\thun32.dll
Virus:Trj/Downloader.WT Disinfected C:\WINDOWS\LastGood\Downloaded Program Files\eied.inf
Virus:Trj/Downloader.WT Disinfected C:\WINDOWS\LastGood\Downloaded Program Files\start85.inf
Adware:Adware/PurityScan No disinfected C:\WINDOWS\LastGood\Downloaded Program Files\start.INF

An infection that redirects URLs but doesn't show up in a HJT scan? That's not good.
Glad you were able to get rid of it, although I can't tell you which of the infected entities was responsible.

About Googl as a porn side. Try clicking on Images on the the main page.

There is no Images choice on the googl page I'm looking at. :?::?:


As far as seeking legal retribution- that could be a long and frustrating process; the address/contact info in their WHOIS record is bogus...

An infection that redirects URLs but doesn't show up in a HJT scan? That's not good.
Glad you were able to get rid of it, although I can't tell you which of the infected entities was responsible.

There is no Images choice on the googl page I'm looking at. :?::?:

..

Try MI******.*** and up comes the Googl homepage. There is a choice above the input field named Images and another named News and still more choises alll leading to a porn or Rape side. If you click on them they will even Hijack your browser!! They just did with my Mozilla?? What is going on here.

Maybe I will have to run ActiveScan again.

Regards Trandill

Sorry, but given the content on the websites we're getting in to, I've had to edit some of the links in our discussion here.

Going to www.my*****.*** and to www.googl.com bring up entirely different pages for me. Yes- the my*****.*** site does bring up the porn links as you said, but simply going to "www.googl.com" does not.

It seems that we're getting off of (or perhaps more deeply into) the original question, so I should advise the following:

Please don't post any further references to the "my*****.***" site/URL. They will be immediately deleted, as that site contains content that is entirely inappropriate here.

Ok, I'd like to try to help. I have built a program that will help to identify the problem. If you go to: http://www.aftermath.net/~coma/ModScan.zip, download that, install it... and then run it. When you run it, it will create a log file, on the root directory of the c drive (c:\tppscan.log). The first time you run it, run it with no web browser open. Then, close out of it, and rename the log (c:\tppscan.log) to something else (say: c:\firstscan.log). Then open your browser, and if it's been hijacked, run the program again. It will create another log (c:\tppscan.log). Then, either post the 2 logs (identify which one was first and which was second) Or, send them both to me in an e-mail as they will most likely be pretty large (text wise). I'll sift through them and see what If I can find anything.

Oops: just realized it's been fixed! Nevermind!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.