

exocet_cm
In memory of dadkins
Premium
join:2003-03-23
New Orleans, LA
clubs:
·Cox HSI
·Suddenlink
·Cingular Wireless
·AT&T Southeast
·Charter Pipeline

reply to LeeD300
Re: Google hijack?

Question (and maybe somebody can help me): why does the Google IP address show up as sending an ICMP ping to his computer?

--
He that feeds a disease, feeds an enemy. Some diseases are starved. Starve your sins by fasting and humiliation. Either kill your sin, or your sin will kill you. - Thomas Watson Harmless as doves 131


exocet_cm
In memory of dadkins
Premium
join:2003-03-23
New Orleans, LA

reply to LeeD300
Info: If it is a google IP and it is PORT 80, no need to worry. IE uses port 80 (so google IP on port 80 is you accessing google's website). Don't block port 80 either, IE won't work at all.


LeeD300

join:2003-04-21
Santa Clara, CA
reply to LeeD300
I'm especially jumpy after about 2 weeks ago, I found somebody had created another log-on account on my computer.

My computer is only accessed by me, in my room, and when I'm not there, the door is locked.
--
LeeD300Z

LeeD300

join:2003-04-21
Santa Clara, CA

reply to exocet_cm
hmmm... That's good to know.

It seems to always access 80 S.Port, but a different D.Port on every access.

The strange thing is that I don't get this access every time, although the last 10 or so it's been every time.

The thing that really freaked me out was near the beginning, it accessed a port that my firewall told me was frequently "used by the popular remote control application, Timbuktu." I thought, "Google or somebody's trying to access my computer with a remote control application!"

Thanks for the info. I still won't change anything on my side. I'll continue to monitor things here, use a different search engine (by the way it still does it after uninstalling Google) and wait for Google to respond to my email.
--
LeeD300Z
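
Added example, not part of any post in the thread: a Python check for the pattern described above (source port 80, a different destination port on every access). It matches each inbound packet against the outbound connections the machine itself opened, so a packet is judged by the flow it belongs to rather than by the name a lookup table attaches to its destination port. The addresses, timestamps, 60-second window and port numbers in the sample are constructed; the Timbuktu label reflects the IANA registration of ports 1417-1420.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "t direction src sport dst dport")

# What a port-name lookup reports for a destination port (IANA lists 1417-1420 for Timbuktu).
PORT_NAMES = {1417: "Timbuktu", 1418: "Timbuktu", 1419: "Timbuktu", 1420: "Timbuktu"}

def classify(packets, window=60):
    """Return (dport, port_label, verdict) for every inbound packet, in order."""
    outbound = {}  # (local port, remote ip, remote port) -> time of last outbound packet
    results = []
    for p in packets:
        if p.direction == "out":
            outbound[(p.sport, p.dst, p.dport)] = p.t
            continue
        # An inbound packet belongs to a flow we opened if its tuple is the mirror image.
        last = outbound.get((p.dport, p.src, p.sport))
        if last is None:
            verdict = "unsolicited"      # nothing on this machine asked for it
        elif p.t - last <= window:
            verdict = "reply"            # answer to our own request
        else:
            verdict = "late reply"       # flow existed, but the state has expired
        results.append((p.dport, PORT_NAMES.get(p.dport, "-"), verdict))
    return results

# Constructed sample: ME browses WEB on port 80 from two client-side ports.
ME, WEB, OTHER = "192.168.1.10", "203.0.113.5", "198.51.100.7"
SAMPLE = [
    Pkt(0, "out", ME, 1417, WEB, 80),
    Pkt(1, "in", WEB, 80, ME, 1417),       # reply that lands on a "Timbuktu" port
    Pkt(5, "out", ME, 1422, WEB, 80),
    Pkt(6, "in", WEB, 80, ME, 1422),
    Pkt(200, "in", WEB, 80, ME, 1422),     # same flow, long after the last request
    Pkt(210, "in", OTHER, 4312, ME, 1417), # no matching outbound connection
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

The first and last inbound packets carry the same port label, and only the flow match tells them apart.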


exocet_cm
In memory of dadkins
Premium
join:2003-03-23
New Orleans, LA


1 edit
reply to LeeD300

I like pictures :)
Since I have had the google toolbar, I have been connected to a similar IP that is traced back to google. Sometimes ZAP will catch it, it is a connection to toolbarqueries.google.com. If I block that site (along with its IP address) every time I try and search google, it will display a blank page. I have to let that address through (along with its IP address) or I get no search results. This is what is established with my computer. If you have visited google recently, it will also show up as being connected to your comp. What is the port number btw?


LeeD300

join:2003-04-21
Santa Clara, CA


1 edit
reply to Zupe

[Attached images: "QHosts search"; "Autofill", "Credit Card", "More", "Options"]
said by Zupe:
In the meantime, check your C:\Windows\Help directory for a file called Hosts, and if you find it there, delete it. Also try downloading and running the QHosts removal tool from Symantec here: »www.symantec.com/avcenter/FixQhost.exe

Finally, can you download and run the program Hijack This from here: »www.spywareinfo.com/~merijn/file···this.zip
So, I've done all the above, and nothing. I've attached the Qhosts search, and found no hosts directory in my help directory.

My toolbar settings are above. Nothing special.
--
LeeD300Z


Keizer
I'M Your Huckleberry
Premium,MVM
join:2003-01-20
reply to LeeD300
How is your google tool bar set up?

Keizer

LeeD300

join:2003-04-21
Santa Clara, CA

reply to Keizer
Yes I do have the toolbar.

I'm also thinking similar, but I don't think it's the toolbar itself though.

Also, if I try to go to www.google.com, I get the same response.

I didn't start getting this until recently. Not sure if it's related (don't think so), but a few days ago I upgraded from McAfee Firewall 4 to Firewall 5.
--
LeeD300Z


Keizer
I'M Your Huckleberry
Premium,MVM
join:2003-01-20

reply to exocet_cm
said by exocet_cm:
Do you have the google toolbar installed on your computer?


I was wondering the same thing.....it might be making phone calls!

Keizer


exocet_cm
In memory of dadkins
Premium
join:2003-03-23
New Orleans, LA

reply to LeeD300
Do you have the google toolbar installed on your computer?


LeeD300

join:2003-04-21
Santa Clara, CA


2 edits
reply to LeeD300
* Thanks for the help!!

Logfile of HijackThis v1.97.7
Scan saved at 4:50:20 PM, on 11/23/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Sony Handheld\AlarmApp.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\My Documents\XP Software\- Security\Hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.emachines.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB001" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S1C08.tmp"
O4 - Startup: Alarm Manager.LNK = C:\Program Files\Sony Handheld\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: iSiloX Clipper (HKCU)
O9 - Extra 'Tools' menuitem: iSiloX Clipper... (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - »download.microsoft.com/download/···9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »f1.pg.photos.yahoo.com/ocx/us/ye···_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D15F707F-CCD3-47EF-86BD-6BA48E220401}: Domain = attbi.com
--
LeeD300Z
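
Added example, not part of the post above or of HijackThis itself: a Python triage pass over a HijackThis log that splits it into the running-process list and the coded entries, then reports O4 autostart targets that share a base file name with a running process but sit at a different path or carry a different extension. The embedded log is an excerpt of lines copied from the post above; the function names and the extension list are choices made for this example, and a reported collision is a prompt to inspect the file, not a verdict on it.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted above (a subset of its lines, copied unchanged).
LOG = r"""Running processes:
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\taskmgr.exe

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# Autostart target: text after "] " up to an executable extension that ends the path.
TARGET = re.compile(r'\]\s*"?(.+?\.(?:exe|com|bat|scr|pif))(?=["\s]|$)', re.I)

def stem(path):
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def parse(log):
    """Split a log into (running process paths, [(section code, value), ...])."""
    running, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            running.append(line)
    return running, entries

def name_collisions(log):
    """O4 targets whose base name matches a running process at another path."""
    running, entries = parse(log)
    by_stem = {}
    for path in running:
        by_stem.setdefault(stem(path), set()).add(path.lower())
    hits = []
    for code, value in entries:
        m = TARGET.search(value) if code == "O4" else None
        seen = by_stem.get(stem(m.group(1)), set()) if m else set()
        if seen and m.group(1).lower() not in seen:
            hits.append((m.group(1), sorted(seen)))
    return hits
```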

LeeD300

join:2003-04-21
Santa Clara, CA

reply to LeeD300
Google hijack?
Also, I've run Ad-ware and Spybot, but nothing.
--
LeeD300Z


Zupe
Premium,MVM
join:2001-11-29
New York, NY
clubs:


2 edits
reply to LeeD300
I can't view the larger version of your screenshot, probably because the file name is so long. Can you try renaming it to something shorter and uploading it again?

What exactly do you mean by "Google trying to access your computer"?

In the meantime, check your C:\Windows\Help directory for a file called Hosts, and if you find it there, delete it. Also try downloading and running the QHosts removal tool from Symantec here: »www.symantec.com/avcenter/FixQhost.exe

Finally, can you download and run the program Hijack This from here: »www.spywareinfo.com/~merijn/file···this.zip

On the opening screen, click the scan button, then choose save log file, save it somewhere, open the log file with a text editor and copy and paste the contents here.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?

LeeD300

join:2003-04-21
Santa Clara, CA


1 edit
Google attack!
(112303Firewallviolationaccesscomputerthroughremotecontrol.JPG)
Simply doing a search in Google's toolbar (IE6) has caused an IP address to access my computer.

This has already happened a few times. Sometimes things are fine, while others it seems like Google is trying to access my computer.

Each time that I do a search in Google, and this happens, the IE window shows an error and nothing is searched in Google.

Anybody else having this problem? I've already emailed Google.
--
LeeD300Z
over 10 years online! © 1999-2009 dslreports.com.